After upgrade to NSX-T 3.2.x, traffic is unexpectedly dropped by Gateway Firewall
Article ID: 319128

Updated On:

Products

VMware NSX

Issue/Introduction

Symptoms:

  • NSX-T Data Center 3.2.0 or 3.2.0.1.
  • Environment was previously upgraded to version 3.1.0.
  • Network traffic that should be allowed by the Tier-0 or Tier-1 Gateway default Allow rule is being dropped.
  • Tier-0 or Tier-1 Gateways deployed new after the upgrade are not impacted.
  • The Policy UI shows 1 default Allow policy.
  • The Manager UI shows 2 default sections, one Allow and one Reject.

To confirm the duplicate default sections:

  • Switch to the Manager UI view. If this option is not available, enable it under System -> User Interface Settings.
  • Navigate to Security -> Edge Firewall.
  • From the dropdown, select the Gateway.
  • Confirm there are 2 default policy sections:
    • "Policy_Default_Infra"
    • "Policy_Default_Infra_<name or UUID>"
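Checking every gateway through the Manager UI dropdown does not scale in an environment with many Tier-0/Tier-1 gateways. The script below is an added example, not VMware's code and not part of this article: it takes a section list as returned by the NSX Manager API (assumed endpoint GET /api/v1/firewall/sections, assumed field names `display_name`, `applied_tos`, `target_type`, `target_display_name`) and reports any gateway that carries more than one "Policy_Default_Infra*" section, which is the condition the symptoms above describe. The response embedded in it is constructed, not captured from a real system.

```python
"""Flag gateways with more than one Policy_Default_Infra* section.

Added example, not from the KB article.  Assumptions: the JSON was
fetched from GET /api/v1/firewall/sections on NSX Manager, and each
section carries `display_name` and an `applied_tos` list whose entries
have `target_type` (LogicalRouter for a gateway) and `target_display_name`.
The sample response below is constructed for illustration.
"""
import json
import re
from collections import defaultdict

# Display names the KB tells you to look for: "Policy_Default_Infra"
# and "Policy_Default_Infra_<name or UUID>".
DEFAULT_SECTION_RE = re.compile(r"^Policy_Default_Infra(?:_.+)?$")

# Constructed sample: gateway T0-A (upgraded from 3.1.0) shows the extra
# section; T1-new (deployed after the upgrade) shows the expected single one.
SAMPLE_RESPONSE = json.dumps({
    "result_count": 4,
    "results": [
        {"id": "sec-1", "display_name": "Policy_Default_Infra",
         "section_type": "LAYER3",
         "applied_tos": [{"target_type": "LogicalRouter",
                          "target_id": "lr-t0-a",
                          "target_display_name": "T0-A"}]},
        {"id": "sec-2", "display_name": "Policy_Default_Infra_T0-A",
         "section_type": "LAYER3",
         "applied_tos": [{"target_type": "LogicalRouter",
                          "target_id": "lr-t0-a",
                          "target_display_name": "T0-A"}]},
        {"id": "sec-3", "display_name": "Allow-Web",  # ordinary user section
         "section_type": "LAYER3",
         "applied_tos": [{"target_type": "LogicalRouter",
                          "target_id": "lr-t0-a",
                          "target_display_name": "T0-A"}]},
        {"id": "sec-4", "display_name": "Policy_Default_Infra_T1-new",
         "section_type": "LAYER3",
         "applied_tos": [{"target_type": "LogicalRouter",
                          "target_id": "lr-t1-new",
                          "target_display_name": "T1-new"}]},
    ],
})


def load_sections(raw_json):
    """Parse a sections-list response and return its `results` entries."""
    return json.loads(raw_json).get("results", [])


def default_sections_by_gateway(sections):
    """Map gateway display name -> list of default-section display names."""
    by_gateway = defaultdict(list)
    for section in sections:
        name = section.get("display_name", "")
        if not DEFAULT_SECTION_RE.match(name):
            continue  # not a default policy section, ignore it
        for target in section.get("applied_tos", []):
            if target.get("target_type") != "LogicalRouter":
                continue  # only gateway (Tier-0/Tier-1) targets matter here
            gateway = target.get("target_display_name") or target.get("target_id")
            by_gateway[gateway].append(name)
    return dict(by_gateway)


def find_duplicate_default_sections(sections):
    """Return only gateways with more than one default section: a healthy
    gateway has exactly one, the KB's symptom is two (one Allow, one Reject)."""
    return {gw: names
            for gw, names in default_sections_by_gateway(sections).items()
            if len(names) > 1}


if __name__ == "__main__":
    dupes = find_duplicate_default_sections(load_sections(SAMPLE_RESPONSE))
    if not dupes:
        print("No gateway has more than one Policy_Default_Infra section.")
    for gw, names in sorted(dupes.items()):
        print(f"{gw}: {len(names)} default sections -> {', '.join(names)}")
```

To run it against a live Manager, replace `SAMPLE_RESPONSE` with the body of an authenticated GET to the endpoint above; the grouping logic is unchanged. A gateway listed by `find_duplicate_default_sections` is the one to raise with support, as the Workaround section asks.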

Environment

VMware NSX-T Data Center 3.x

Cause

During upgrade to 3.2.0 or 3.2.0.1, migration of firewall rules may incorrectly create an additional default "Policy_Default_Infra" section, which drops traffic.
This impacts environments which were upgraded to 3.1.0 at an earlier time.

Resolution


This issue is resolved in NSX 3.2.1 and above.

Note: once an environment has been impacted by this issue on 3.2.0/3.2.0.1, upgrading will not resolve it. The fix only prevents the issue from occurring.

Workaround:

If this issue is experienced on NSX-T, please open a new case with Broadcom Support, providing Manager and Edge logs.