DHCP Unicast Renewal Fails in NSX Environments Due to Segment Security DHCP Filter



Article ID: 437460


Updated On:

Products

VMware NSX

Issue/Introduction

In VMware NSX environments, DHCP clients successfully obtain an initial IP address via broadcast but fail to renew the lease. The renewal process, which uses unicast communication, is blocked at the NSX security layer. As a result the client never receives the DHCP ACK (Acknowledgment), the lease expires, and the workload loses network connectivity.

  • Successful initial DHCP DORA process (broadcast).
  • Failed DHCP renewal attempts (unicast).
  • Packet drops observed at the logical switch/segment level for DHCP server responses.

Environment

  • VMware NSX
  • Windows / Linux DHCP server

Cause

The default Segment Security Profile has "DHCP Server Block" enabled. This security feature is designed to prevent rogue DHCP servers by dropping any DHCP server traffic (specifically unicast ACKs) that does not originate from a trusted source defined within the segment's security configuration.

Resolution

  1. Log in to the NSX Manager UI.
  2. Navigate to Networking > Segments > Segment Security.
  3. Click Add Segment Security Profile.
  4. Provide a name for the profile (e.g., "Allow-Unicast-DHCP-Renewal").
  5. Locate the DHCP Filter section.
  6. Toggle DHCP Server Block to Disabled (or disable DHCP Filter entirely if rogue server protection is handled via other means).
  7. Click Save.
  8. Navigate to Networking > Segments.
  9. Edit the affected Segment(s).
  10. Under Segment Security, select the newly created profile.
  11. Click Save to apply the changes.
  12. Verify by running ipconfig /renew (Windows) or dhclient (Linux) on the affected workload to confirm the unicast ACK is received.
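To make the verification in step 12 objective, the following Python script (an added example, not part of the original KB article) classifies tcpdump-style DHCP lines captured on the affected workload into broadcast DORA traffic and unicast renewal traffic, and flags every unicast DHCPREQUEST that receives no unicast reply from the server within a timeout. The capture lines are constructed for illustration; the line format is assumed to match the output of `tcpdump -n port 67 or port 68`, and the 10-second timeout is an assumed value.

```python
import re
from collections import defaultdict

# Matches the prefix of a tcpdump DHCP line, e.g.
# "12:30:00.000000 IP 10.0.0.5.68 > 10.0.0.1.67: BOOTP/DHCP, Request from ..."
LINE_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2}\.\d+) IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): "
    r"BOOTP/DHCP, (Request|Reply)"
)
BROADCAST = "255.255.255.255"

# Constructed capture (not real data): broadcast DORA succeeds, then two unicast
# renewal requests from 10.0.0.5 to the server 10.0.0.1 go unanswered, which is
# the symptom of the DHCP Server Block filter described in this article.
BLOCKED_CAPTURE = """\
12:00:00.000001 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:50:56:aa:bb:cc, length 300
12:00:00.000500 IP 10.0.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
12:00:00.001000 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:50:56:aa:bb:cc, length 300
12:00:00.001500 IP 10.0.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
12:30:00.000000 IP 10.0.0.5.68 > 10.0.0.1.67: BOOTP/DHCP, Request from 00:50:56:aa:bb:cc, length 300
12:30:05.000000 IP 10.0.0.5.68 > 10.0.0.1.67: BOOTP/DHCP, Request from 00:50:56:aa:bb:cc, length 300
"""

# Constructed capture after the profile fix: the unicast renewal is answered.
HEALTHY_CAPTURE = """\
12:00:00.000001 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:50:56:aa:bb:cc, length 300
12:00:00.000500 IP 10.0.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
12:00:00.001000 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:50:56:aa:bb:cc, length 300
12:00:00.001500 IP 10.0.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
12:30:00.000000 IP 10.0.0.5.68 > 10.0.0.1.67: BOOTP/DHCP, Request from 00:50:56:aa:bb:cc, length 300
12:30:00.000400 IP 10.0.0.1.67 > 10.0.0.5.68: BOOTP/DHCP, Reply, length 300
"""


def to_seconds(ts):
    """Convert a tcpdump HH:MM:SS.ffffff timestamp into seconds since midnight."""
    hours, minutes, seconds = ts.split(":")
    return int(hours) * 3600 + int(minutes) * 60 + float(seconds)


def parse_dhcp_lines(text):
    """Parse tcpdump DHCP lines into packet records; non-DHCP lines are ignored."""
    packets = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ts, src, _sport, dst, _dport, kind = match.groups()
        packets.append({
            "ts": to_seconds(ts),
            "src": src,
            "dst": dst,
            "kind": kind,               # "Request" (client) or "Reply" (server)
            "broadcast": dst == BROADCAST,
        })
    return packets


def find_unanswered_renewals(packets, timeout=10.0):
    """Map client IP -> count of unicast DHCPREQUESTs that got no unicast reply
    from the same server within `timeout` seconds (assumed value)."""
    unanswered = defaultdict(int)
    for index, pkt in enumerate(packets):
        if pkt["kind"] != "Request" or pkt["broadcast"]:
            continue  # broadcast DORA traffic is not what this check is about
        client, server = pkt["src"], pkt["dst"]
        answered = any(
            later["kind"] == "Reply" and later["src"] == server and later["dst"] == client
            and pkt["ts"] <= later["ts"] <= pkt["ts"] + timeout
            for later in packets[index + 1:]
        )
        if not answered:
            unanswered[client] += 1
    return dict(unanswered)


def summarize_capture(text, timeout=10.0):
    """Count broadcast/unicast requests and replies and list unanswered renewals."""
    packets = parse_dhcp_lines(text)
    counts = {"broadcast_requests": 0, "broadcast_replies": 0,
              "unicast_requests": 0, "unicast_replies": 0}
    for pkt in packets:
        key = ("broadcast" if pkt["broadcast"] else "unicast") + \
              ("_requests" if pkt["kind"] == "Request" else "_replies")
        counts[key] += 1
    counts["unanswered_renewals"] = find_unanswered_renewals(packets, timeout)
    return counts


if __name__ == "__main__":
    for label, capture in (("before fix", BLOCKED_CAPTURE), ("after fix", HEALTHY_CAPTURE)):
        print(label, summarize_capture(capture))
```

On a real workload, pipe the output of `tcpdump -n -l port 67 or port 68` into `parse_dhcp_lines` while running `ipconfig /renew` or `dhclient`; a non-empty `unanswered_renewals` result after the profile change means the segment is still dropping the server's unicast reply and the profile assignment should be re-checked.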

Additional Information

See the product documentation for more details: Segment - Create a Segment Security Segment Profile.