Drop counters in DFW for packets increments in presence of fragmented packets in NSX-v
Article ID: 321070
Products
VMware NSX Networking
Issue/Introduction
Symptoms:
The packet drop counters are incrementing.
Running the /bin/vsipioctl getfilterstat -f nic-73312875-eth0-vmware-sfw.2 command displays output similar to:

    /bin/vsipioctl getfilterstat -f nic-73312875-eth0-vmware-sfw.2
    PACKETS    IN           OUT
    -------    --           ---
    v4 pass:   1741866240   2246525043
    v4 drop:   258604075    68962297     <<<<< Drops are incrementing, and the REASON breakdown does not account for the dropped packets
This issue occurs because, when a fragment of an IP packet is received, a copy of the fragment is queued for reassembly and the original packet is dropped.
Note: This is the point at which the drop counter increases.
When all fragments have been received, they are reassembled and the reassembled packet is run through the firewall. After the firewall has evaluated it, the packet is re-fragmented exactly as it was initially received and all the fragments are sent on their way, which is why no traffic is actually lost even though the drop counter has increased.
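As an added illustration (not VMware's code), the model below reproduces the accounting described above: each fragment is queued and counted as a drop, the reassembled datagram is evaluated once, and an unexplained_drops check shows why the REASON breakdown falls short on 6.3.6 and balances once a separate fragment counter exists. The flow identifiers, payloads, policy and the counter name frag_queued are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed model of the accounting the article describes; frag_queued is an assumed name.
@dataclass
class Fragment:
    flow: tuple      # (src, dst, ip_id): constructed datagram identifier
    index: int       # fragment ordinal, standing in for the IP offset field
    more: bool       # the IP "more fragments" flag
    payload: bytes
@dataclass
class Counters:
    v4_pass: int = 0
    v4_drop: int = 0                                  # aggregate "v4 drop" counter
    drop_by_reason: dict = field(default_factory=lambda: defaultdict(int))
    frag_queued: int = 0                              # assumed 6.4.0-style counter

def firewall_allows(datagram: bytes) -> bool:
    """Constructed policy: deny only datagrams whose payload starts with b'DENY'."""
    return not datagram.startswith(b"DENY")
class FragmentPath:
    def __init__(self, account_fragments: bool):
        self.c = Counters()
        self.queue = defaultdict(list)
        self.account = account_fragments   # False models 6.3.6, True models 6.4.0

    def receive(self, frag: Fragment):
        c = self.c
        self.queue[frag.flow].append(frag)   # a copy is queued for reassembly ...
        c.v4_drop += 1                       # ... and the original is counted as a drop
        if self.account:
            c.frag_queued += 1
        frags = sorted(self.queue[frag.flow], key=lambda f: f.index)
        if frags[-1].more or [f.index for f in frags] != list(range(len(frags))):
            return                           # still waiting for fragments
        del self.queue[frag.flow]
        datagram = b"".join(f.payload for f in frags)   # reassembled, evaluated once
        if firewall_allows(datagram):
            c.v4_pass += len(frags)          # re-fragmented and forwarded
        else:
            c.v4_drop += len(frags)
            c.drop_by_reason["rule"] += len(frags)   # a real, reason-attributed drop

def unexplained_drops(c: Counters) -> int:
    """Drops that neither the REASON breakdown nor the fragment counter accounts for."""
    return c.v4_drop - sum(c.drop_by_reason.values()) - c.frag_queued

def send(path: FragmentPath, flow: tuple, chunks: list) -> Counters:
    for i, chunk in enumerate(chunks):
        path.receive(Fragment(flow, i, i < len(chunks) - 1, chunk))
    return path.c
```

When triaging real counters, the same subtraction (aggregate drops minus the per-reason totals) is what separates the reassembly artifact from drops a rule actually caused.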
Resolution
This is a known issue affecting VMware NSX for vSphere 6.3.6.
Currently, there is no resolution.
Workaround: Upgrade to NSX for vSphere 6.4.0 or later.
Note: Starting in NSX for vSphere 6.4.0 release, a counter is introduced which tracks these drops so that they can be accounted for.