TCP port 69 is commonly exploited by trojans, and may be used for TFTP. Does one of these systems have a client security application such as Trend/Symantec/McAfee, or do you have any of this traffic traversing an NGFW? I set up an nginx instance on port 69 in my lab and traffic flows correctly.
Also, can you share the firewall policy that is attached to the VMs? 6.2.3 added a TFTP ALG, and I am wondering if the DFW is seeing an HTTP transfer on the TFTP port and the action is due to expecting TFTP and not seeing a TFTP transfer.
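As an added lab check (not code from the thread or from VMware), a small Python probe that separates a port that refuses connections from one where the TCP handshake completes but no HTTP reply ever arrives, which is what the missing-ACK symptom above looks like from the client side. The local HTTP server and the silent listener are constructed here to emulate a working service and the dropped-reply case; the host and port values are assumed.

```python
"""Probe an HTTP service bound to a non-standard port (e.g. TCP/69, the TFTP port)
and classify the outcome, so a drop by a protocol-aware firewall (such as a TFTP
ALG that never sees TFTP) can be told apart from a simply closed port."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe_http(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'refused', 'no-response' (handshake ok, reply missing) or 'http-ok'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:  # includes ConnectionRefusedError and connect timeouts
        return "refused"
    with sock:
        sock.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        try:
            data = sock.recv(1024)
        except socket.timeout:
            return "no-response"  # connected, but the HTTP reply never came back
    return "http-ok" if data.startswith(b"HTTP/1.") else "no-response"

class _Hello(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200); self.end_headers(); self.wfile.write(b"ok")
    def log_message(self, *args):  # keep the lab run quiet
        pass

def start_http_server() -> tuple:
    """Constructed stand-in for the nginx lab instance; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _Hello)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def start_silent_listener() -> tuple:
    """Accepts connections but never answers: emulates the dropped-reply symptom."""
    ls = socket.socket(); ls.bind(("127.0.0.1", 0)); ls.listen(5)
    held = []
    def accept_loop():
        while True:
            try:
                held.append(ls.accept()[0])
            except OSError:  # listener closed
                return
    threading.Thread(target=accept_loop, daemon=True).start()
    return ls, ls.getsockname()[1]

def closed_port() -> int:
    """Pick a local port that is currently not listening."""
    s = socket.socket(); s.bind(("127.0.0.1", 0)); port = s.getsockname()[1]; s.close()
    return port
```

Run the probe from the client VM against the real server's address and port; a result of "no-response" while the server itself logs no request points at something in the path, not at the server.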
We have installed Secure Appliance before, but the reason we think it might be caused by the NSX firewall is:
After we remove security appliance from Service Deployments:
- If we disable the NSX firewall in vCNS > Installation > Host Preparation > Firewall => restart the browser (because the browser might have a cache) and connect to the HTTP server, we can connect successfully.
- If we enable the NSX firewall => restart the browser and connect again, the page cannot be loaded. (With Wireshark we observed that ACK packets are missing.)
The weird thing is, the same case can also be reproduced by my colleague.
May I know if you are using NSX 6.2.4?
The IE browser might need to be restarted, because sometimes it will cache the previously successfully loaded page.
And after switching the NSX firewall service on or off, it might be necessary to wait 1 or 2 minutes.
In my experiment, we are using the default NSX firewall rule:
I ran more extensive tests today and have identified an inconsistency in behavior. Have you opened an SR on this?
I have confirmed the bug with the PM in charge of the DFW. There will be a fix coming in the upcoming release.