
IPv4 addresses are not auto-approved when SpoofGuard policy is set to Trust On First Use (TOFU) (2144649)


Symptoms

  • IPv4 addresses are not auto-approved when the SpoofGuard policy is set to Trust On First Use (TOFU).
  • The IPv6 link-local address is auto-approved, but the IPv4 address must be manually approved.

Cause

This issue occurs due to these conditions:
  • The NSX Manager Trust On First Use (TOFU) does not take IPv4 and IPv6 into account separately and allocates only one address as the TOFU address.
  • The IPv6 address is reported to the NSX Manager from the hypervisor before the IPv4 address. This explains why the IPv6 address is the one marked as TOFU in the vSphere Web Client SpoofGuard management console.

Resolution

This issue is resolved in VMware NSX for vSphere 6.3.0, available at VMware Downloads.

To work around this issue if you do not want to upgrade, apply one of these workarounds:

Workaround 1: When SpoofGuard is enabled, deselect local addresses.
  1. In the vSphere Web Client, navigate to Administration > Networking & Security > SpoofGuard.
  2. Select the relevant SpoofGuard policy.
  3. Click the pencil icon, which opens the Edit Policy wizard.
  4. Uncheck Allow local address (169.254.0.0/16 and fe80::/64) as valid address in this namespace.
  5. Click Next.
  6. Click Finish.

    Note: This option does not guarantee that an IPv6 address is not reported before the IPv4 address. It is only effective if IPv6 is not configured or required for the virtual machine.

Workaround 2: Disable IP discovery (set it to None).

  1. In the vSphere Web Client, navigate to Administration > Networking & Security > SpoofGuard.
  2. Select the relevant SpoofGuard policy.
  3. Click on the change button beside IP Detection Type.
  4. Change the Type to None.

    Note: This prevents the IPv6 link-local address from being reported to the NSX Manager by the ESXi host.
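
The following Python sketch is an added example, not VMware code: a simplified model of the single-address TOFU behaviour described under Cause, showing why Workaround 1 only helps when the first non-local address reported is IPv4. The function names, the constructed sample addresses, the way local addresses are skipped, and the per-family variant are assumptions made for illustration.

```python
import ipaddress

# Local ranges named in the SpoofGuard policy option on this page.
LOCAL_NETS = [ipaddress.ip_network("169.254.0.0/16"),
              ipaddress.ip_network("fe80::/64")]

# Constructed report orders (hypervisor -> NSX Manager) for one vNIC.
REPORTS_DUAL = ["fe80::250:56ff:fe01:203", "192.0.2.10"]   # link-local IPv6 first
REPORTS_GLOBAL_V6 = ["2001:db8::10", "192.0.2.10"]         # routable IPv6 first


def is_local(addr):
    """True if addr falls in one of the local ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in LOCAL_NETS)


def tofu_single_slot(reports, allow_local=True):
    """Model of the Cause section: one TOFU address per vNIC, first report wins.

    Returns (auto_approved, needs_manual_approval).
    Assumption: with allow_local=False (Workaround 1) local addresses are
    simply not considered for TOFU.
    """
    approved, pending = [], []
    for addr in reports:
        if not allow_local and is_local(addr):
            continue
        (pending if approved else approved).append(addr)
    return approved, pending


def tofu_per_family(reports, allow_local=True):
    """Hypothetical variant that trusts the first IPv4 and first IPv6 separately."""
    approved, pending, seen = [], [], set()
    for addr in reports:
        if not allow_local and is_local(addr):
            continue
        version = ipaddress.ip_address(addr).version
        (pending if version in seen else approved).append(addr)
        seen.add(version)
    return approved, pending


if __name__ == "__main__":
    for label, reports, allow in [("default policy", REPORTS_DUAL, True),
                                  ("workaround 1", REPORTS_DUAL, False),
                                  ("workaround 1, global IPv6", REPORTS_GLOBAL_V6, False)]:
        print(label, tofu_single_slot(reports, allow_local=allow))
```

In the third case the IPv4 address still lands in the manual-approval list, which is the situation the note under Workaround 1 describes.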
