VMware Networking Community
elgwhoppo (Hot Shot)

NSX-T 2.3.1, vCenter 6.7.0.21000, ESXi 6.5 EP 12: DFW Rules Not Being Pushed to vSphere Managed Hosts

OK, so this is a weird one. I had V installed, ripped it out by manual VIB uninstall and am now installing T.

I’m using the DFW in NSX-T 2.3.1 in my home lab to block pings (fairly trivial use case) and I’m not able to get it to work either in my home lab or in my employer's solution center. This is happening both for layer 3 and layer 2 rules. I even tried blocking all traffic between VMs on an NSX-T logical switch and nothing is getting matched.

  • The DFW is enabled
  • The rules and the sections are very simple (this worked with V)
  • Tried drop and reject
  • 3 controllers are deployed and green
  • All hosts are deployed and green
  • Tried IP instead of NSGroup
  • When I run a summarize-dvfilter (attached) on the host that the test VM is running on, I see the world and name, but when I run a vsipioctl getrules -f <rulename> I get “no rules” and “no address sets” respectively for the rules
    • ^ This is what concerns me the most, I believe the rules aren't getting pushed to the hosts
  • This happens whether the VM is attached to an N-VDS or VDS
  • tail -f /var/log/dfwpktlogs.log yields: “Caught deadly signal 15, halting”, thinking that’s not good?
  • Tried uninstalling NSX-T from the cluster (successfully) and re-installing it, same issue.

I'm totally weirded out that I'm seeing this in two distinct environments. Since these are lab environments, I don't have support, but I could easily see people falling into this circumstance where V was previously installed and the ESXi install was just re-used.


VCDX-Desktop

Accepted solution, elgwhoppo (Hot Shot):

OK, so authoritative answers are as follows:

  • DFW rules with NSX-T will only apply to resources attached to the N-VDS; NSX-T has no capability of applying firewall rules to VDS based port groups.
  • For what it's worth, in NSX 2.4 there is a new feature called "Effective members" that only allows me to see vCenter based resources that I can actually apply firewall rules to in the UI.
  • Upgrading to 2.4 fixed my issue; can now properly block between my virtual machines and DFW is operating as intended.
Replies

DaleCoghlan (VMware Employee)

Try vsipioctl getrules -f <filtername> rather than <rulename> and see what happens?

Also have you tried using nsxcli?

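The host-side check the reply points at, as an added example (not from the thread and not a VMware tool): pull the dvfilter instance names for a VM out of summarize-dvfilter output and query each with vsipioctl by filter name, which is the argument getrules and getaddrsets actually take. The ESXi commands are assumed to be on PATH; the sample output embedded below is constructed in the shape of summarize-dvfilter so the parsing part runs offline.

```shell
#!/bin/sh
# Added example: verify whether DFW rules reached an ESXi host for one VM.
# Assumes summarize-dvfilter and vsipioctl are available (ESXi shell).

# Print the dvfilter names ("name:" lines) that belong to the world whose
# vmm name is $1, reading summarize-dvfilter output from stdin.
filters_for_vm() {
  awk -v vm="$1" '
    /^world / { inworld = ($0 ~ ("vmm0:" vm "( |$)")) }
    inworld && $1 == "name:" { print $2 }
  '
}

# Query every filter found for the VM by *filter* name (not rule name):
# "no rules" / "no address sets" here means nothing was pushed to this host.
check_dfw_for_vm() {
  summarize-dvfilter | filters_for_vm "$1" | while read -r f; do
    echo "== filter $f =="
    vsipioctl getrules -f "$f"
    vsipioctl getaddrsets -f "$f"
  done
}

# Constructed sample resembling summarize-dvfilter output (two VMs, one vNIC each).
SAMPLE='world 2102128 vmm0:web01
 port 50331654 web01.eth0
  vNic slot 2
   name: nic-2102128-eth0-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
world 2102200 vmm0:db01
 port 50331660 db01.eth0
  vNic slot 2
   name: nic-2102200-eth0-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached'

# Offline helper: run the parser over the constructed sample.
sample_filters() { printf '%s\n' "$SAMPLE" | filters_for_vm "$1"; }
```

On a real host run `check_dfw_for_vm <vm-name>`; per the accepted answer, a VM whose vNIC sits on a VDS port group rather than the N-VDS will show no NSX-T rules even when the filter exists.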