Hi everybody,
I have NSX 6.4 with several VXLANs and a software router between them (not an ESX Edge), without a route to an external network.
Since I migrated everything from NSX 6.3 to NSX 6.4 I've been getting warnings with the following text:
"Possible DHCP DOS attack seen on the host. Please refer to NSX Manager and VM Kernel logs for details."
In NSX Manager's System Events I see messages like
Event DHCP_STARV occurred 2400 times on host <hostname>
The vmkernel log refers to the MAC address of the software router:
2018-04-06T15:19:03.404Z cpu4:1167695)WARNING: dvfilter-switch-security.throt: SwSecDhcpSnoopTx:600: nic-1167694-eth2-dvfilter-generic-vmware-swsec.1: Possible DHCP DosAttack on port 50331681(13724) 1 times from Mac :
I couldn't find anything related to this new feature of NSX.
Is this something I should worry about? Or are these false alarms?
Since the time I posted this topic, a KB has been published: VMware Knowledge Base
This is a known issue affecting VMware NSX for vSphere 6.4.x.
Currently, there is no resolution.
Those alarms look to be genuine ones, since the NSX dashboard provides visibility into the overall health of NSX components, and I believe you are receiving the alerts from the NSX dashboard? Mostly the hardware address of the DHCP client is spoofed. Using the NSX Dashboard
I understand you don't have any external route; what is the purpose of the software router? Are you leveraging DHCP services?
Sure, there is a new section in the Dashboard called 'Host Notifications', and there is a 'DHCP Starvation' string.
This also produces alarms in the web client.
The purpose of the router is to build a lab simulating Cisco devices. I didn't deploy this virtual router. However, I suppose that it has a DHCP server role as well.
So my goal is to understand what NSX is trying to tell me.
Who is under attack from NSX perspective?
From the screenshots, the VM which is connected to DVS port 50331681(13724) is certainly under attack, and you confirmed that it is the software router. Can you explore any firewall in that router and ensure appropriate rules are in place to block the rest of the traffic?
Actually, this is the software router which attacks the VM on port 50331681(13724).
Its MAC is mentioned in the error in vmkernel.log.
However, how can I figure out what VM is connected to port 50331681(13724)?
Thanks.
OK, I see that 13724 is the DV port ID. And this is the port where the software router with the MAC address mentioned in the error is connected.
Now I'm totally confused and don't understand who is under attack.
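A small parser for those vmkernel warnings, as an added example that is not part of this thread or of VMware's tooling: it aggregates the "Possible DHCP DosAttack" lines per DV port ID (the number in parentheses, 13724 above) and source MAC, so you can see which port and which MAC the throttle is counting before trying to map the port to a VM. It assumes the address that follows "Mac :" is a standard colon-separated MAC; the line quoted in this thread is cut off there, so the parser also accepts a truncated line. The sample log lines are constructed for the example.

```python
"""Parse vmkernel 'Possible DHCP DosAttack' warnings and aggregate them per
DV port and source MAC.

Added example for this thread, not VMware code. The line shape follows the
vmkernel line quoted in the thread; the MAC after 'Mac :' is assumed to be a
colon-separated address (the quoted line is truncated at that point).
"""
import re
from collections import defaultdict

# dvfilter-switch-security throttle warning. The MAC group is optional so a
# line truncated after 'Mac :' (as in the thread) still parses.
DOS_RE = re.compile(
    r"^(?P<ts>\S+) cpu\d+:\d+\)WARNING: dvfilter-switch-security\.throt: "
    r"SwSecDhcpSnoopTx:\d+: (?P<filter>\S+): Possible DHCP DosAttack on port "
    r"(?P<vmk_port>\d+)\((?P<dvport>\d+)\) (?P<count>\d+) times from Mac :"
    r"\s*(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})?"
)


def parse_line(line):
    """Return a dict for a DHCP DoS warning line, or None for any other line."""
    m = DOS_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["count"] = int(ev["count"])
    ev["mac"] = ev["mac"].lower() if ev["mac"] else None  # normalise case
    return ev


def summarize(lines):
    """Aggregate warnings: {(dvport, mac): {"lines": n, "total": hits, "filters": set}}."""
    agg = defaultdict(lambda: {"lines": 0, "total": 0, "filters": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["dvport"], ev["mac"])
        agg[key]["lines"] += 1
        agg[key]["total"] += ev["count"]
        agg[key]["filters"].add(ev["filter"])
    return dict(agg)


def report(lines):
    """One line per (DV port, MAC), busiest first."""
    rows = sorted(summarize(lines).items(), key=lambda kv: -kv[1]["total"])
    out = []
    for (dvport, mac), v in rows:
        out.append(f"dvport {dvport}  mac {mac or '<truncated>'}  "
                   f"lines={v['lines']} total_hits={v['total']}  "
                   f"filters={','.join(sorted(v['filters']))}")
    return "\n".join(out)


# Constructed sample lines (not from a real host). The first mirrors the
# thread's quoted line, cut off after 'Mac :'; the MACs are made up.
SAMPLE_LOG = """\
2018-04-06T15:19:03.404Z cpu4:1167695)WARNING: dvfilter-switch-security.throt: SwSecDhcpSnoopTx:600: nic-1167694-eth2-dvfilter-generic-vmware-swsec.1: Possible DHCP DosAttack on port 50331681(13724) 1 times from Mac :
2018-04-06T15:19:08.110Z cpu4:1167695)WARNING: dvfilter-switch-security.throt: SwSecDhcpSnoopTx:600: nic-1167694-eth2-dvfilter-generic-vmware-swsec.1: Possible DHCP DosAttack on port 50331681(13724) 12 times from Mac : 00:50:56:aa:bb:cc
2018-04-06T15:19:13.207Z cpu6:1167695)WARNING: dvfilter-switch-security.throt: SwSecDhcpSnoopTx:600: nic-1167694-eth2-dvfilter-generic-vmware-swsec.1: Possible DHCP DosAttack on port 50331681(13724) 9 times from Mac : 00:50:56:AA:BB:CC
2018-04-06T15:19:20.001Z cpu2:1167700)WARNING: dvfilter-switch-security.throt: SwSecDhcpSnoopTx:600: nic-1167699-eth0-dvfilter-generic-vmware-swsec.1: Possible DHCP DosAttack on port 50331690(13731) 1 times from Mac : 00:50:56:11:22:33
2018-04-06T15:19:21.500Z cpu2:1167700)INFO: unrelated vmkernel line that must be ignored
"""

if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```

Run it over the vmkernel.log of the host named in the DHCP_STARV system event. The key the report groups on is the DV port ID, which is what the distributed switch port view in the vSphere client lists, so the busiest (dvport, MAC) pair tells you which port's VM and which source address the throttle is accumulating the 2400 events against.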
Still happens in 6.4.4
When will this be fixed?
No idea, I disabled this warning as mentioned in the KB.