Network communication issues on VMs on an NSX segment due to VM port block state

Article ID: 440162

Products

VMware NSX

Issue/Introduction

  • A virtual machine appears in a blocked state on an NSX segment port. The affected VM cannot establish network connectivity despite being configured identically to other functional VMs on the same segment.
  • VMs on NSX segments have lost network connectivity after vMotion
  • After vMotion, the following log entries are seen on the ESXi host in /var/run/log/nsx-syslog.log:
    Er(179) nsx-opsagent[2103421]: NSX 2103421 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="nsxa" tid="21####3" level="ERROR" errorCode="MPA4###3"] [DoMpVifAttachRpc] MP_AddVnicAttachment() failed: RPC call to NSX management plane timeout. Please check if the connectivity between Host and NSX Manager is up.
  • In the NSX Manager /var/log/syslog, the following warnings indicate that port attach requests are failing:
    WARN L2TaskExecutor15 InboundMessageRouter 77614 SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] Vertical message handler for app SwitchingVertical failed for inbound request f7######-####-####-####-##########fc for client-id 4c######-####-####-####-##########71
    WARN L2TaskExecutor17 InboundMessageRouter 77614 SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] Vertical message handler for app SwitchingVertical failed for inbound request f1######-####-####-####-##########97 for client-id 30######-####-####-####-##########e3
  • In the NSX Manager /var/log/proton/nsxapi.log, the following warnings indicate that port attach requests are failing:
    WARN L2TaskExecutor13 InboundMessageRouter 77614 SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] Vertical message handler for app SwitchingVertical failed for inbound request f7######-####-####-####-##########fc for client-id 4c######-####-####-####-##########971
    org.bouncycastle.crypto.fips.FipsOperationError: Module in error status: proportionate test failed
            at org.bouncycastle.crypto.fips.FipsStatus.isReady(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
            at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$BcService.newInstance(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
    .........

    WARN L2TaskExecutor15 InboundMessageRouter 77614 SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] Vertical message handler for app SwitchingVertical failed for inbound request f1######-####-####-####-##########97 for client-id 30######-####-####-####-##########e3
    org.bouncycastle.crypto.fips.FipsOperationError: Module in error status: proportionate test failed
            at org.bouncycastle.crypto.fips.FipsStatus.isReady(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
            at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$BcService.newInstance(Unknown Source) ~[bc-fips-2.0.0.jar:2.0.0]
    ........

Steps to validate the issue:

  • On the ESXi host where the VM is running, run net-dvs -l | grep -E "port |port.block|volatile.vlan|volatile.status"
  • Verify output shows "Port blocked by admin" status
  • Confirm VM is assigned to NSX segment in vCenter but missing from NSX Manager ports view
  • Validate other VMs on the same segment are functioning normally

 

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
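
The following triage script is an added example, not part of the original article or of any VMware tooling. It correlates the host-side attach timeouts with the Manager-side SwitchingVertical failures and checks which of those failures are followed by the FipsOperationError shown above. The sample log lines and request IDs are constructed, and the script assumes the exception appears on the next non-blank line after the WARN record, as in the excerpts.

```python
import re

# Signatures copied from the log excerpts in this article.
HOST_TIMEOUT = "MP_AddVnicAttachment() failed: RPC call to NSX management plane timeout"
MGR_FAIL = re.compile(r"Vertical message handler for app SwitchingVertical failed "
                      r"for inbound request (\S+) for client-id (\S+)")
FIPS_ERR = "org.bouncycastle.crypto.fips.FipsOperationError"

# Constructed sample input modelled on the excerpts (IDs and error code are placeholders).
SAMPLE_HOST_LOG = (
    'Er(179) nsx-opsagent[1000]: NSX 1000 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" '
    'errorCode="MPA0000"] [DoMpVifAttachRpc] ' + HOST_TIMEOUT + '.\n'
    'In(182) nsx-opsagent[1000]: constructed unrelated line\n')
_WARN = ('WARN L2TaskExecutor13 InboundMessageRouter 77614 SYSTEM [nsx@6876 comp="nsx-manager"] '
         'Vertical message handler for app SwitchingVertical failed for inbound request '
         '{} for client-id 00000000-0000-0000-0000-0000000000ff\n')
SAMPLE_MANAGER_LOG = (
    _WARN.format("00000000-0000-0000-0000-0000000000a1")
    + FIPS_ERR + ": Module in error status\n"
    + "        at org.bouncycastle.crypto.fips.FipsStatus.isReady(Unknown Source)\n"
    + _WARN.format("00000000-0000-0000-0000-0000000000b2")
    + "java.lang.IllegalStateException: constructed unrelated failure\n"
    + _WARN.format("00000000-0000-0000-0000-0000000000c3"))  # no cause line follows

def triage(host_log, manager_log):
    """Correlate host-side attach timeouts with Manager-side FIPS failures."""
    timeouts = sum(HOST_TIMEOUT in line for line in host_log.splitlines())
    fips, unexplained, pending = [], [], None
    for line in manager_log.splitlines():
        if not line.strip():
            continue
        if pending is not None:
            # The first non-blank line after a WARN record decides its cause.
            (fips if FIPS_ERR in line else unexplained).append(pending)
            pending = None
        m = MGR_FAIL.search(line)
        if m:
            pending = m.group(1)  # inbound request id awaiting its cause line
    if pending is not None:
        unexplained.append(pending)
    return {"host_attach_timeouts": timeouts,
            "fips_linked_requests": fips,
            "unexplained_requests": unexplained,
            "consistent_with_article": timeouts > 0 and bool(fips)}

if __name__ == "__main__":
    print(triage(SAMPLE_HOST_LOG, SAMPLE_MANAGER_LOG))
```

Warnings taken from /var/log/syslog carry no stack trace, so they land in unexplained_requests; run the script against nsxapi.log to see the FIPS linkage.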

 

Environment

VMware NSX 4.2.x

Cause

The issue occurs when the VM network port is blocked at the VDS level on the ESXi host, combined with NSX Manager cluster health issues that prevent proper port state synchronization. Critical services on NSX Manager nodes may be in a down state, preventing the cluster from properly managing and displaying port states across the environment. The VM port attach request fails because the NSX Manager is affected by the issue described in the KB "FIPS validation fails causing NSX Manager unavailability".

Resolution

The FIPS validation issue on the NSX Manager is resolved in VMware NSX version 4.2.3.3. If an immediate upgrade of NSX Manager is not possible, perform one of the workarounds below to recover network connectivity.

Workaround 1
Step 1: Identify the blocked port

  1. SSH to the ESXi host where the affected VM is running
  2. Identify the VDS name and PortUUID:
    esxcfg-vswitch -l
  3. Match port numbers with VM network adapters:
    net-stats -l
  4. Confirm the blocked status:
    net-dvs -l | grep -E "port |port.block|volatile.vlan|volatile.status"
    Look for output showing "Port blocked by admin" status.

Step 2: Unblock the VM port

  1. Execute the unblock command using the values identified in Step 1:
    net-dvs -s com.vmware.common.port.block=false <VDS-Name> -p <PortUUID>
    Note: Replace <VDS-Name> with the actual VDS name and <PortUUID> with the port UUID from Step 1.
  2. Verify the change in vSphere Client
    • Navigate to the host's networking configuration
    • Check that the port no longer shows as blocked
    • Refresh the view if necessary

Workaround 2: Refresh VM network state

  1. Perform a vMotion of the affected VM to another host
    • This refreshes the network adapter state
    • Ensures proper synchronization between ESXi and NSX Manager
  2. Verify resolution:
    • Check that the VM now appears in NSX Manager segment ports view
    • Navigate to Networking > Segments > Select the segment > Ports
    • Confirm the VM port is listed and shows as "Up"
  3. Test connectivity from the VM to confirm network functionality is restored


If the above workaround does not resolve the VM communication issue, perform a rolling reboot of the NSX Managers (or of the specific Manager affected by the issue described in "FIPS validation fails causing NSX Manager unavailability").

 


Important: If the error persists after following these steps, contact Broadcom Support for further assistance.

Additional Information

The following symptoms might also be seen in the environment:

  • Virtual machines may have issues with IP allocation with DHCP