VMware NSX drops ingress network traffic originating from a source machine. Edge data path interface counters indicate drops attributed to Unicast Reverse Path Forwarding (uRPF) failures. The source VM is utilizing IP spoofing, or the network topology routes the traffic asymmetrically into the NSX domain.
This is expected behavior. Strict Unicast Reverse Path Forwarding (uRPF) drops network traffic if the source IP address is spoofed or if the traffic arrives on an interface that NSX would not use to route return traffic back to that specific source IP.
To allow the traffic, implement one of the following corrective actions:
Option 1: Disable Strict uRPF on the Target Interface
Navigate to the NSX Manager UI.
Locate the specific gateway interface receiving the spoofed traffic.
Modify the interface configuration and change the uRPF mode from Strict to None. With the mode set to None, the gateway no longer validates source addresses on that interface.
Apply and publish the configuration changes.
Option 2: Establish Symmetric Routing
Validate the upstream routing topology.
Ensure that the interface receiving the ingress traffic from the source VM is the exact same interface the NSX routing table dictates for the return path to that source IP.
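The strict uRPF decision described above, and the symmetry check from Option 2, as an added Python example (a simplified model, not NSX data path code or anything from the NSX documentation). The routing table, interface names and sample packets are constructed for illustration, and the model assumes the default route takes part in the reverse-path lookup.

```python
import ipaddress

# Constructed routing table for a hypothetical gateway: (prefix, egress interface).
ROUTES = [
    ("0.0.0.0/0", "uplink-1"),
    ("10.10.0.0/16", "uplink-2"),
    ("172.16.20.0/24", "segment-web"),
]

def return_interface(src_ip, routes=ROUTES):
    """Longest-prefix match: the interface the gateway would use to reach src_ip."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_verdict(src_ip, ingress_iface, mode="strict", routes=ROUTES):
    """Return (allowed, reason) for a packet from src_ip arriving on ingress_iface."""
    if mode == "none":
        return True, "uRPF disabled: source address not validated"
    expected = return_interface(src_ip, routes)
    if expected is None:
        return False, "no route back to source"
    if expected != ingress_iface:
        return False, f"return path is {expected}, packet arrived on {ingress_iface}"
    return True, "ingress interface matches return path"

# Constructed sample packets: (source IP, ingress interface).
PACKETS = [
    ("172.16.20.15", "segment-web"),  # symmetric: return path is the same segment
    ("10.10.5.9", "uplink-1"),        # asymmetric: return route points at uplink-2
    ("192.0.2.77", "segment-web"),    # source not on this segment: route is uplink-1
]

if __name__ == "__main__":
    for src, iface in PACKETS:
        for mode in ("strict", "none"):
            ok, why = urpf_verdict(src, iface, mode)
            verdict = "PASS" if ok else "DROP"
            print(f"{mode:6} {src:14} in={iface:12} {verdict}  {why}")
```

Running it shows which of the sample flows strict mode drops and why, and that the same flows pass once the mode is None.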
For further details regarding gateway interface configuration and uRPF settings, refer to the Broadcom NSX Administration TechDocs or the attached NSX Reference Design Guide.