Drop Reason CONNECTIVITY_POLICY in Traceflow

Article ID: 442205

Products

VMware NSX

Issue/Introduction

  • A connectivity issue is observed for traffic across the VPC.
  • When connectivity between the impacted source and destination is tested with the Traceflow tool, an observation with drop reason CONNECTIVITY_POLICY is reported.
  • The following outputs can be observed in Traceflow:



  • Traceflow observations retrieved via the REST API (GET https://<manager-ip>/policy/api/v1/infra/traceflows/<traceflow-id>/observations) may look similar to the following:
    {
        "interface_path" : "/orgs/default/projects/default/transit-gateways/default",
        "src_connectivity_policy" : {
          "connectivity_scope" : "NONE"
        },
        "dst_connectivity_policy" : {
          "connectivity_policy_path" : "/orgs/default/projects/default/transit-gateways/default/connectivity-policies/<policy-name>",
          "connectivity_policy_name" : "<policy-name>",
          "connectivity_scope" : "COMMUNITY"
        },
        "resource_type" : "TraceflowObservationDroppedLogical",
        "sequence_no" : 0,
        "transport_node_id" : "<TRANSPORT_NODE_UUID>",
        "transport_node_name" : "<TRANSPORT_NODE_NAME>",
        "transport_node_type" : "ESX",
        "timestamp" : 1766980669948,
        "timestamp_micro" : 1766980669948888,
        "component_type" : "TGW_CONNECTIVITY_POLICY",
        "component_sub_type" : "UNKNOWN",
        "component_name" : "Transit Gateway Connectivity Policy",
        "reason" : "CONNECTIVITY_POLICY",
        "lport_id" : "<PORT_UUID>",
        "lport_name" : "<PORT_NAME>",
        "src_connectivity_policy_internal_id" : <CONNECTIVITY_POLICY_ID>,
        "dst_connectivity_policy_internal_id" : <CONNECTIVITY_POLICY_ID>
    }

Environment

VCF Networking 9.1

Cause

Traffic across the VPC violates the connectivity policy rules (see the connectivity policy document under Additional Information for details of the connectivity policy).

Resolution

Use the output of the Traceflow tool to check whether the configured connectivity policy that drops the packet is reasonable:

  • See the 'Source connectivity policy' and 'Destination connectivity policy' of the dropped packet.
  • The packet is dropped because it does not come from any community connectivity policy and therefore cannot communicate with an endpoint in a community connectivity policy (this is per the connectivity policy rule).
  • Browse to the connectivity policy configuration page, and select the connectivity policy name.
  • If using the REST API, derive the source and destination connectivity policies from the src_connectivity_policy and dst_connectivity_policy fields of the TraceflowObservationDroppedLogical observation in the API output.
  • If the connectivity policy configured here is correct and expected, then the connectivity issue is also expected.
  • If the policy configuration is not as expected, update the connectivity policy-related configuration to address the issue, for example by changing the members of the connectivity policy group.
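
The REST API step above can be scripted. The following Python is an added example, not part of the original article or of VMware's tooling. It assumes the observations response wraps entries in a "results" array; the sample data, the names example-policy and example-esx-01, and the function names are constructed for illustration.

```python
import json

# Constructed sample, shaped like the observation shown in this article.
# Assumption: the list response wraps observations in a "results" array.
TGW = "/orgs/default/projects/default/transit-gateways/default"
SAMPLE = json.dumps({"results": [
    {"resource_type": "TraceflowObservationForwardedLogical", "sequence_no": 0},
    {"resource_type": "TraceflowObservationDroppedLogical", "sequence_no": 1,
     "reason": "CONNECTIVITY_POLICY",
     "transport_node_name": "example-esx-01",
     "interface_path": TGW,
     "src_connectivity_policy": {"connectivity_scope": "NONE"},
     "dst_connectivity_policy": {
         "connectivity_policy_path": TGW + "/connectivity-policies/example-policy",
         "connectivity_policy_name": "example-policy",
         "connectivity_scope": "COMMUNITY"}},
]})

def _side(obs, key):
    """Flatten a src/dst policy block; name and path are absent for scope NONE."""
    pol = obs.get(key) or {}
    return {"scope": pol.get("connectivity_scope", "UNKNOWN"),
            "name": pol.get("connectivity_policy_name"),
            "path": pol.get("connectivity_policy_path")}

def connectivity_policy_drops(raw):
    """Summarise every observation dropped with reason CONNECTIVITY_POLICY."""
    data = json.loads(raw)
    # Accept a wrapped list, a bare list, or a single observation object.
    obs_list = data.get("results", [data]) if isinstance(data, dict) else data
    drops = []
    for obs in obs_list:
        if (obs.get("resource_type") != "TraceflowObservationDroppedLogical"
                or obs.get("reason") != "CONNECTIVITY_POLICY"):
            continue
        src = _side(obs, "src_connectivity_policy")
        dst = _side(obs, "dst_connectivity_policy")
        drops.append({
            "node": obs.get("transport_node_name"),
            "gateway": obs.get("interface_path"),
            "src": src, "dst": dst,
            # Case from the article: source in no policy, destination COMMUNITY.
            "article_case": src["scope"] == "NONE" and dst["scope"] == "COMMUNITY",
            "review": [p for p in (src["path"], dst["path"]) if p],
        })
    return drops

if __name__ == "__main__":
    print(json.dumps(connectivity_policy_drops(SAMPLE), indent=2))
```

The "review" list holds the connectivity policy paths to open on the configuration page when deciding whether the drop is expected.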

Additional Information