Symptoms:
DNAT for traffic coming in from the South and egressing to the North fails.

For example:

From IP1 > IP2 , if the traffic is DNAted on the downlink while entering the Edge to IP3, such that the traffic becomes IP1 > IP3 while egressing the North interface (Uplink), the return traffic back to IP1 may be IP3 > IP1, leading to the traffic failure.

VMware NSX-T Data Center 2.x
VMware NSX-T Data Center

This issue occurs as Firewall and NAT is implemented on the North interface as well as the South interface. In order to prevent multiple services happening in the North to South path, the service is typically applied on the North interface (DNAT, SNAT, FW) and skip the South interface (only SNAT, DNAT).

This leads to the condition that if DNAT was done on the South interface while entering from the logical side, when the return traffic comes back from the north interface, it hits the default firewall services "on the Uplink (North interface)" and then subsequently because of the optimization in place, skips the services on the South interface, leading to the reverse translation of DNAT not to happen.

This is a known issue affecting VMware NSX-T Data Center 2.x.

Currently, there is no resolution or workaround.

Impact/Risks:
DNAT traffic will not work from South to North.