Symptoms:
- East-West network security using 3rd-party chaining, also known as Service Insertion (SI), is configured in the environment
- A collapsed design is used with NSX-T Edge VMs running on ESXi hosts prepared for NSX
- Edge VM network interfaces connect to VLAN Segments
- On the ESXi host, the Edge VM has a slot 12 filter present:
# summarize-dvfilter
world 57668912 vmm0:Edge01 vcUuid:'50 20 ef 8c 85 39 18 57-13 d6 79 82 ec 05 c2 1b'
port 50331712 Edge01.eth2
vNic slot 12
name: nic-57668912-eth2-vmware-si.12
agentName: vmware-si
state: IOChain Attached
vmState: Detached
failurePolicy: failOpen
serviceVMID: none
filter source: Dynamic Filter Creation
- The slot 12 dvfilter has at least one rule, in this case a default allow rule:
# vsipioctl getrules -f nic-34905814-eth2-vmware-si.12
ruleset mainrs {
# generation number: 0
# realization time : 2020-11-05T11:27:45
rule 1024 at 1 inout protocol any from any to any pbr pass-through;
- Packets are being dropped on the Service Insertion filter
On the ESXi host, identify the switch port of the Edge VM interface, then read the statistics for that port:
# net-stats -l | grep "Edge01.eth2"
50331712 5 9 DvsPortset-1 00:50:56:a0:ec:f9 Edge01.eth2
# vsish -e get /net/portsets/DvsPortset-1/ports/50331712
NETX_GVM_INPUT_PRE <netx-pre-gvm2s:0x431701a5e2a8>
pktsStarted:81892462
pktsPassed:81771908
pktsDropped:120554 <<<
pktsFiltered:0
pktsQueued:0
pktsFaulted:0
pktsInjected:0
pktErrors:0
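
An added example, not part of the original article or of VMware's tooling: a Python parser for saved vsish port output that lists every IOChain filter with a non-zero pktsDropped counter and its drop percentage. The first sample block is the output shown above; the second block and its names are constructed, and the header layout is assumed to match what the article shows.

```python
import re

# First block: the vsish output from this article. Second block: constructed
# for illustration (hypothetical point/filter names) to show a healthy filter.
SAMPLE = """\
NETX_GVM_INPUT_PRE <netx-pre-gvm2s:0x431701a5e2a8>
pktsStarted:81892462
pktsPassed:81771908
pktsDropped:120554 <<<
pktsFiltered:0
pktsQueued:0
pktsFaulted:0
pktsInjected:0
pktErrors:0
EXAMPLE_POINT <example-filter:0x0>
pktsStarted:100
pktsPassed:100
pktsDropped:0
"""

# "POINT_NAME <filter-name:0xaddress>" opens a block of counters.
HEADER = re.compile(r"^\s*([A-Z][A-Z0-9_]+)\s+<([^:>]+):(0x[0-9a-fA-F]+)>")
# "pktsDropped:120554"; trailing annotations such as "<<<" are ignored.
COUNTER = re.compile(r"^\s*(pkt\w+)\s*:\s*(\d+)")

def parse_iochain_stats(text):
    """Return one dict per filter block: IOChain point, filter name, counters."""
    blocks = []
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            blocks.append({"point": h.group(1), "filter": h.group(2), "counters": {}})
            continue
        c = COUNTER.match(line)
        if c and blocks:  # counters before any header are skipped
            blocks[-1]["counters"][c.group(1)] = int(c.group(2))
    return blocks

def dropping_filters(blocks):
    """Return (point, filter, dropped, percent of started) for filters with drops."""
    hits = []
    for b in blocks:
        dropped = b["counters"].get("pktsDropped", 0)
        started = b["counters"].get("pktsStarted", 0)
        if dropped > 0:
            pct = round(100.0 * dropped / started, 3) if started else 0.0
            hits.append((b["point"], b["filter"], dropped, pct))
    return hits

if __name__ == "__main__":
    for point, name, dropped, pct in dropping_filters(parse_iochain_stats(SAMPLE)):
        print(f"{point} ({name}): {dropped} dropped, {pct}% of started")
```

Running it twice on output captured a few minutes apart shows whether pktsDropped is still increasing or is a historical count.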