In VMware NSX, an IP address cannot be permanently removed from a Security Group. The administrator experiences the following symptoms:
The IP address has been removed from the static/manual configuration of the Security Group.
When attempting to edit the Group Definition, the manual "IP Addresses" category is empty (0), and only the NSX Segment appears as a configured member.
Despite not being a manual member, the IP address persists in the Effective Members (or Realized) list of the group.
If the specific NSX Segment is removed from the Security Group, the IP disappears. When the Segment is added back, the IP returns.
Searching for the persistent IP address in the NSX UI Global Search yields "No matching records found."
The IP address does not match the subnet of the Segment it appears to be associated with.
VMware NSX
This behavior is caused by the NSX IP Discovery mechanism (ARP snooping, DHCP snooping or VMware Tools discovery, whichever is enabled in the segment's IP Discovery Profile) caching a discovered binding on a Segment Port.
When a Segment is added to a Security Group, NSX dynamically includes every logical port on that segment, and every IP address bound to those ports, in the group's Effective Members. An address does not have to belong to the Segment's subnet to be bound: if a Guest OS on a virtual machine attached to the segment sends an ARP request or announcement for that address, ARP snooping "discovers" it and records it against the VM's port.
NSX caches this IP in the port's Realized Bindings on the assumption that the VM owns it. Because a discovered binding is not a standalone NSX object, it does not appear in Global Search, but it does inherit the Segment's Security Group membership, so any Distributed Firewall rule written against the group applies to that address as well. Note that the membership is derived from traffic the guest chose to send: a misconfigured or compromised guest can pull an arbitrary address into every group its segment belongs to.
To remove the persistent IP address from the Security Group, you must instruct NSX to ignore the discovered binding on the specific segment port where it was learned.
Step 1: Identify the Segment Port hosting the stale IP
In the NSX Manager UI, navigate to Inventory > Groups.
Click View Members next to the affected Security Group.
Click the Effective Members tab.
On the left pane, click on Segment Ports.
Note the exact name/Attachment ID of the segment port listed here (e.g., VM-Name.vmx@...)
Step 2: Ignore the Binding on the Port
Navigate to Networking > Segments.
Locate the Segment that is a member of your Security Group.
Click the number hyperlink under the Ports column.
Locate the specific port identified in Step 1.
Click the > arrow next to the port name to expand the port details.
Scroll down to the Address Bindings section.
Click on Realized Bindings. You will see the stale IP listed here, along with its Discovery Type (e.g., ARP).
Select the IP address and click Copy to Ignore Bindings (Alternatively, expand the Ignored Bindings section and manually add the IP address there).
Click Save or Apply.
Once the IP is added to the Ignored Bindings list and saved, NSX removes it from the port's Realized Bindings and it drops out of the Security Group's Effective Members list. Before ignoring a binding, confirm that the guest does not legitimately use the address (for example a secondary IP or a cluster VIP); an ignored binding is never realized on that port again, so group-based firewall rules will no longer apply to traffic from that address. After saving, re-check Effective Members > IP Addresses for the group; if the same address is still realized on another port of the segment, repeat Step 2 for that port.
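The same check and fix can be scripted against the NSX Policy API, which is useful when more than one port or segment is affected. The following is an added example and not VMware's code: it finds realized bindings on a port whose address lies outside every subnet of the segment (the symptom described above), builds the PATCH body that appends them to the port's ignored bindings without duplicating entries already there, and checks whether the address still shows up in the group's effective IP members. The sample segment, port and port-state objects are constructed, not captured from a real system, and the API paths and field names (`/infra/segments/<id>/ports/<id>/state` with `realized_bindings`, `ignored_address_bindings` on the port, `/infra/domains/default/groups/<id>/members/ip-addresses`) are assumptions that should be checked against the API reference for your NSX version.

```python
"""Locate out-of-subnet discovered bindings on an NSX segment port and build the
policy PATCH that moves them to the port's ignored bindings.
Added example, not VMware code. API paths and JSON field names are assumptions."""
import base64
import ipaddress
import json
import urllib.request

# Constructed sample objects standing in for NSX Policy API responses.
SAMPLE_SEGMENT = {
    "id": "web-seg",
    "subnets": [{"gateway_address": "10.10.20.1/24"}],
}
SAMPLE_PORT = {
    "id": "default:web01-port",
    "path": "/infra/segments/web-seg/ports/default:web01-port",
    "ignored_address_bindings": [],
}
SAMPLE_PORT_STATE = {  # assumed shape of GET <port path>/state
    "realized_bindings": [
        {"binding": {"ip_address": "10.10.20.15", "mac_address": "00:50:56:aa:bb:cc"}, "source": "VM_TOOLS"},
        {"binding": {"ip_address": "192.168.99.7", "mac_address": "00:50:56:aa:bb:cc"}, "source": "ARP_SNOOPING"},
    ]
}


def segment_networks(segment):
    """Subnets configured on the segment, taken from each gateway_address prefix."""
    return [ipaddress.ip_interface(s["gateway_address"]).network for s in segment.get("subnets", [])]


def stale_bindings(segment, port_state):
    """Realized bindings whose IP is outside every subnet of the segment.
    This is a candidate list for review: a guest may legitimately hold an
    out-of-subnet address (secondary IP, cluster VIP), so do not auto-apply."""
    nets = segment_networks(segment)
    stale = []
    for entry in port_state.get("realized_bindings", []):
        ip = ipaddress.ip_address(entry["binding"]["ip_address"])
        if not any(ip in n for n in nets):
            stale.append(entry)
    return stale


def ignore_bindings_patch(port, stale):
    """PATCH body for the segment port: current ignored bindings plus the stale
    ones, de-duplicated by IP so the call is safe to repeat."""
    merged = {b["ip_address"]: b for b in port.get("ignored_address_bindings", [])}
    for entry in stale:
        b = entry["binding"]
        new = {"ip_address": b["ip_address"]}
        if b.get("mac_address"):
            new["mac_address"] = b["mac_address"]
        merged.setdefault(b["ip_address"], new)
    return {"ignored_address_bindings": list(merged.values())}


def ip_still_effective(group_ip_members, ip):
    """True if `ip` is still in the group's effective IP members
    (assumed GET .../groups/<id>/members/ip-addresses, results as strings or dicts)."""
    found = set()
    for r in group_ip_members.get("results", []):
        found.add(r if isinstance(r, str) else r.get("ip_address"))
    return ip in found


def nsx_request(manager, user, password, method, path, body=None):
    """Call https://<manager>/policy/api/v1<path> with basic auth and default TLS
    verification (install the manager's CA rather than disabling checks).
    Not invoked when the example runs stand-alone; manager and credentials are assumed."""
    url = f"https://{manager}/policy/api/v1{path}"
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")  # PATCH returns an empty body on success


if __name__ == "__main__":
    stale = stale_bindings(SAMPLE_SEGMENT, SAMPLE_PORT_STATE)
    for e in stale:
        print(f"stale: {e['binding']['ip_address']} learned via {e['source']} on {SAMPLE_PORT['path']}")
    print(json.dumps(ignore_bindings_patch(SAMPLE_PORT, stale), indent=2))
    # Against a live manager (assumed host/credentials) the fix would be applied with:
    # nsx_request("nsx.example.com", "admin", "password", "PATCH", SAMPLE_PORT["path"],
    #             ignore_bindings_patch(SAMPLE_PORT, stale))
    # and verified with GET /infra/domains/default/groups/<group-id>/members/ip-addresses
    # fed to ip_still_effective().
```

Run stand-alone, the script reports 192.168.99.7 (learned via ARP) as the only out-of-subnet binding on the port and prints the PATCH body that ignores it; the 10.10.20.15 binding, which is inside the segment's /24, is left alone. Review the candidate list before sending the PATCH, for the same reason given above: once ignored, the address is no longer covered by the group's firewall rules on that port.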