DFW packet drop counters increment in the presence of fragmented packets in NSX-v

Article ID: 321070


Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • The DFW packet drop counters keep incrementing even though no traffic is actually being dropped.
  • Running /bin/vsipioctl getfilterstat -f <filter-name> (here nic-73312875-eth0-vmware-sfw.2) displays output similar to the following, in which the v4 packet drop counters increment while the v4 byte drop counters stay at zero:

    /bin/vsipioctl getfilterstat -f nic-73312875-eth0-vmware-sfw.2
    PACKETS IN OUT
    ------- -- ---
    v4 pass: 1741866240 2246525043
    v4 drop: 258604075 68962297 <<<<< v4 packet drops are incrementing, and the per-reason drop counters do not account for them

    v6 pass: 62677697 42678808
    v6 drop: 0 36
    v6 reject: 3 0

    BYTES IN OUT
    ----- -- ---
    v4 pass: 602021574988 3301412816442
    v4 drop: 0 0  <<<<<<<  Byte Drops are not incrementing

    v6 pass: 6145541059 3204135532
    v6 drop: 0 0
    v6 reject: 240 0


Environment

VMware NSX for vSphere 6.3.x

Cause

This issue occurs because, when a fragmented packet is received, a copy of each fragment is queued for reassembly and the original fragment is dropped.

Note: This is the point at which the packet drop counter increases. The byte drop counter does not, which is why the two counters disagree.

Once all fragments have been received, the packet is reassembled and run through the firewall. After the firewall has evaluated the reassembled packet, it is re-fragmented as it was originally received and the fragments are sent on their way. No traffic is actually lost, which is why the byte drop counters stay at zero and the drop reason counters do not account for the packet drops.
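As an added check (example code written for this article, not VMware's), the following Python parses the getfilterstat output shown in the Symptoms section and flags the pattern the Cause section explains: packet drops counted with no bytes dropped, and the packet drop counter still growing between two snapshots. The regular expressions assume the exact "PACKETS IN OUT" / "BYTES IN OUT" column layout shown above; the first sample is copied from the symptom output, and the second snapshot is constructed to show the incrementing check.

```python
"""Parse `vsipioctl getfilterstat -f <filter>` output and flag the
counter pattern described in this KB: IPv4 packet drops increasing
while the corresponding byte-drop counter stays at zero.

Example code added to this article (not VMware code). It runs offline
on the constructed sample text below."""

import re

# First snapshot (constructed; counter values taken from the article).
SNAPSHOT_1 = """\
PACKETS IN OUT
------- -- ---
v4 pass: 1741866240 2246525043
v4 drop: 258604075 68962297

v6 pass: 62677697 42678808
v6 drop: 0 36
v6 reject: 3 0

BYTES IN OUT
----- -- ---
v4 pass: 602021574988 3301412816442
v4 drop: 0 0

v6 pass: 6145541059 3204135532
v6 drop: 0 0
v6 reject: 240 0
"""

# Second snapshot taken later (constructed): the v4 packet drop
# counters kept growing while the v4 byte drop counters stayed at 0.
SNAPSHOT_2 = SNAPSHOT_1.replace("v4 drop: 258604075 68962297",
                                "v4 drop: 258610000 68965000")

SECTION_RE = re.compile(r"^(PACKETS|BYTES)\s+IN\s+OUT\s*$")
COUNTER_RE = re.compile(r"^(v4|v6)\s+(pass|drop|reject):\s+(\d+)\s+(\d+)\s*$")


def parse_filterstat(text):
    """Return {(section, family, verdict): (in_count, out_count)},
    e.g. {("PACKETS", "v4", "drop"): (258604075, 68962297), ...}."""
    stats = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)   # switch between PACKETS and BYTES tables
            continue
        m = COUNTER_RE.match(line)
        if m and section:
            family, verdict, in_count, out_count = m.groups()
            stats[(section, family, verdict)] = (int(in_count), int(out_count))
    return stats


def phantom_drops(stats, family="v4"):
    """Directions ("IN"/"OUT") in which packets are counted as dropped
    but no bytes are: the signature of fragments counted as drops while
    a copy was queued for reassembly and later forwarded."""
    pkts = stats.get(("PACKETS", family, "drop"), (0, 0))
    byts = stats.get(("BYTES", family, "drop"), (0, 0))
    return [d for d, p, b in zip(("IN", "OUT"), pkts, byts) if p > 0 and b == 0]


def drops_incrementing(before, after, family="v4"):
    """True if the packet drop counter grew between two snapshots in at
    least one direction while the byte drop counter is still zero."""
    p_before = before[("PACKETS", family, "drop")]
    p_after = after[("PACKETS", family, "drop")]
    b_after = after[("BYTES", family, "drop")]
    grew = any(a > b for a, b in zip(p_after, p_before))
    return grew and b_after == (0, 0)


if __name__ == "__main__":
    s1, s2 = parse_filterstat(SNAPSHOT_1), parse_filterstat(SNAPSHOT_2)
    print("v4 phantom drop directions:", phantom_drops(s1))
    print("v4 drops still incrementing with 0 bytes dropped:",
          drops_incrementing(s1, s2))
```

On a host that shows this pattern, capture the command output twice a few minutes apart and feed both captures to drops_incrementing; a growing packet drop counter with a byte drop counter stuck at zero matches this article, whereas a byte drop counter that also grows indicates real drops that should be investigated via the rule and reason counters instead.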

Resolution

This is a known issue affecting VMware NSX for vSphere 6.3.6.

Currently, there is no resolution.

Workaround:
To work around this issue, upgrade to NSX for vSphere 6.4.0 or later.

Note: Starting with the NSX for vSphere 6.4.0 release, a separate counter tracks these fragment-related drops so that they can be accounted for.