
DFW rules using SG not correctly being applied to VMs after NSX 6.2.3 install or upgrade (2146227)


Symptoms

After installing or upgrading to NSX for vSphere 6.2.3 with Distributed Firewall (DFW) and Security Groups (SG) configured, you experience these symptoms:
  • Traffic disruption may occur after a vMotion operation on compute virtual machines, followed by changes to the configuration of the Global Address Sets in the SG referenced by that virtual machine.

Purpose

Upgrading to NSX for vSphere 6.2.4 resolves this issue.

Cause

In NSX-V 6.2.3, a new Global Address set (Addrset) is introduced as an optimization feature. Any virtual machine created on NSX-V 6.2.3 uses the shared Global Addrset and refers to the new Global Addrset.

After upgrading to NSX for vSphere 6.2.3, virtual machines that were part of an SG created in NSX-V 6.2.3 and earlier versions, when migrated to another host running NSX-V 6.2.3, continue to refer to the old local copy of the Addrset and ignore new updates in the Global Addrset.

Resolution

This issue is resolved in VMware NSX for vSphere 6.2.4, available at VMware Downloads.

If you are unable to upgrade at this time and have already encountered this issue, a workaround is available.

To work around this issue:
  1. Disable vMotion on the VMK interface on all hosts in the compute cluster.
  2. If your Default_Rule rule is set to DENY, change it to ALLOW.
  3. Disable Distributed Firewall (DFW), per cluster, one at a time.
  4. Wait 15 minutes between each cluster change.
  5. Enable Distributed Firewall (DFW), per cluster, one cluster at a time.
  6. Wait for all applications to recover. (Note: Recovery is application dependent and can take some time. Some connections might be dropped, depending on when the change of the Default_Rule to ALLOW is picked up.)
  7. Change the Default_Rule rule to DENY.
