Network traffic is blocked when using IDS/IPS or L7 Context DFW
Article ID: 318715

Products

VMware NSX Networking, VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • NSX-T Data Center 3.x
  • ESXi 7.0 Update 1
  • Either or both features are configured in NSX-T
    • L7 Context Profile for DFW
    • IDPS (Detect Only or Detect and Prevent)
  • After upgrading the ESXi hosts to 7.0 Update 1, all network traffic subject to these features is blocked
  • To confirm that the issue matches, check the dvFilter slow path stats from the ESXi command line:

for i in `vsish -e ls /net/dvFilter/slowpaths`; do vsish -e cat /net/dvFilter/slowpaths/${i}stats; done

  • In each set of stats, all four counters should have the same value or at least be very close. An example from an environment not impacted by this issue:

    dvFilter slow path agent stats {
       kernel_rx:64321          
       kernel_tx:64321           
       user_rx:64321
       user_tx:64321
    }

  • A system experiencing this issue shows a large deviation in one or more counters, e.g. kernel_tx lagging behind the others:

    dvFilter slow path agent stats {
       kernel_rx:759598   
       kernel_tx:758029         <<<<
       user_rx:759598
       user_tx:759598
    }
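As an added example that is not part of the original KB article: a small POSIX shell script that parses the dvFilter slow path stats shown above and flags any agent whose four counters have drifted apart. The drift threshold MAX_DRIFT (default 100 packets) is an assumption, since the article only says the counters should be "very close"; the two stats blocks embedded in the script are constructed from the article's own examples so that it runs offline. On a real host, pipe the output of the vsish loop above into check_slowpath_stats instead.

```sh
#!/bin/sh
# Added example (not from the KB): flag dvFilter slow path agents whose
# counters have drifted apart, the symptom described in this article.
# MAX_DRIFT is an assumed threshold in packets; the KB only says "very close".
MAX_DRIFT=${MAX_DRIFT:-100}

# Read vsish "dvFilter slow path agent stats" blocks on stdin, print one
# verdict line per agent and return 0 if every agent is healthy, 1 if any
# agent's counters differ by more than MAX_DRIFT.
check_slowpath_stats() {
    awk -v max_drift="$MAX_DRIFT" '
    /dvFilter slow path agent stats/ { n++; min = ""; max = ""; low = "" }
    /^[ \t]*(kernel|user)_(rx|tx):/ {
        # lines look like "   kernel_tx:758029"
        split($1, kv, ":"); name = kv[1]; val = kv[2] + 0
        if (min == "" || val < min) { min = val; low = name }
        if (max == "" || val > max) { max = val }
    }
    $1 == "}" {
        drift = max - min
        if (drift > max_drift) {
            bad++
            printf "agent %d: SUSPECT drift=%d (%s lags)\n", n, drift, low
        } else {
            printf "agent %d: OK drift=%d\n", n, drift
        }
    }
    END { exit (bad > 0) }'
}

# Constructed sample output in the format the vsish loop prints (values taken
# from the two examples in this article): one healthy agent, and one showing
# the kernel_tx lag typical of the issue.
sample_stats_healthy() {
cat <<'EOF'
dvFilter slow path agent stats {
   kernel_rx:64321
   kernel_tx:64321
   user_rx:64321
   user_tx:64321
}
EOF
}

sample_stats_impacted() {
cat <<'EOF'
dvFilter slow path agent stats {
   kernel_rx:759598
   kernel_tx:758029
   user_rx:759598
   user_tx:759598
}
EOF
}

# Demo run. On a real host replace the sample with:
#   for i in `vsish -e ls /net/dvFilter/slowpaths`; do vsish -e cat /net/dvFilter/slowpaths/${i}stats; done | check_slowpath_stats
if { sample_stats_healthy; sample_stats_impacted; } | check_slowpath_stats; then
    echo "all slow path agents healthy"
else
    echo "counter drift detected: traffic may be blocked, see workaround (restart nsx-vdpi)"
fi
```

The script exits non-zero when any agent drifts, so it can be dropped into a cron job or monitoring check on affected hosts; raise MAX_DRIFT if a busy host shows small but harmless differences between the counters.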

Environment

VMware NSX-T Data Center 3.x
VMware NSX-T Data Center
VMware vSphere ESXi 7.0.0

Cause

Traffic subject to NSX-T IDS/IPS (in either Detect Only or Detect and Prevent mode) or to an L7 Context Profile DFW rule is blocked when running ESXi 7.0 Update 1 with NSX-T 3.x. A lock-up condition occurs in the dvFilter slow path, which blocks that traffic; it can be triggered simply by having the IDPS engine enabled. As a result, all traffic to and from all workloads on the hypervisor that is subject to IDS/IPS or an L7 Context Profile DFW rule is dropped. Traffic not subject to these features is not impacted, and as soon as IDS/IPS is disabled or no longer applied to the traffic, traffic flow is restored.

Resolution

The resolution for this issue requires both an ESXi and an NSX update.
This issue is resolved in ESXi 7.0 Update 2 and above in combination with NSX-T 3.1.3.7.4 or 3.2.1.1 and above.

Workaround:

When traffic is in the blocked state, restarting the nsx-vdpi service on the ESXi host temporarily resolves the issue:

/etc/init.d/nsx-vdpi restart


For environments not yet upgraded to ESXi 7.0 Update 2, the following workaround can be used.

Note: this workaround resolves the ESXi side of the issue only; the NSX software fix is still required for a complete fix.

The following ESXi kernel configuration change prevents the traffic-blocking condition while allowing the NSX-T features to function as normal:
    a. Log in to each ESXi host and run the following command:

esxcfg-advcfg --set-kernel "FALSE" netPSBlockableLock

    b. Reboot the ESXi host
    c. Verify the change:

esxcfg-advcfg --get-kernel netPSBlockableLock

Note: There is no known performance impact from applying the above configuration.