VMware Networking Community
thierryn
Contributor

Gateway firewall uninitialized problem?

Hi,

My lab setup includes two logical switches and 1 tier0 router, as summarized in the attached pdf.

interface to segment 1 = 172.25.25.254

interface to segment 2 = 172.25.26.254

From the outside world, I'm able to ping the segment 1 interface 172.25.25.254 but not any of the VMs that are connected to this segment (for example a Linux machine at 172.25.25.100).

From this VM (172.25.25.100) I can ping my physical network gateway, so the packets are well routed on my physical network. The echo replies are well sent by this gateway, but do not reach my VM.

As all the layer 3 seems working fine, I wonder whether I have a security issue (packets not allowed to pass the segment interface up to the VM).

I've had a look at the gateway firewall and see that the default policy is "uninitialized".

I've not found any way to initialize it and have created a custom one which is well initialized. This should allow all traffic.

When I enabled this, my ping was successful for some seconds, then traffic was blocked again... Really strange behavior.

Any idea?

Thanks,

Thierry

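The symptom described in the post (the VM's echo requests reach the physical gateway, but the echo replies never arrive back at the VM) is easiest to pin down by capturing ICMP on both sides of the tier-0 router and matching each echo request to its reply by ICMP id and sequence number. The script below is an added example, not code from the original post or from VMware: it parses `tcpdump -n icmp` style lines from two capture points (labelled "vm" and "uplink") and reports, per echo sequence, where the exchange stopped. The capture lines and the physical gateway address 192.168.1.1 are constructed sample data, not values from the thread.

```python
"""Correlate ICMP echo requests/replies seen at two capture points.

Example code added to this thread; the capture text below is constructed
to mirror the reported symptom (one ping succeeds, then replies are lost
between the uplink and the VM).
"""
import re
from collections import defaultdict

# Matches `tcpdump -n icmp` output lines for IPv4 echo request/reply.
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed capture taken on the VM (172.25.25.100): requests go out,
# only the first reply ever comes back. 192.168.1.1 is an assumed gateway.
VM_CAPTURE = """\
12:00:01.000100 IP 172.25.25.100 > 192.168.1.1: ICMP echo request, id 1234, seq 1, length 64
12:00:01.000900 IP 192.168.1.1 > 172.25.25.100: ICMP echo reply, id 1234, seq 1, length 64
12:00:02.000100 IP 172.25.25.100 > 192.168.1.1: ICMP echo request, id 1234, seq 2, length 64
12:00:03.000100 IP 172.25.25.100 > 192.168.1.1: ICMP echo request, id 1234, seq 3, length 64
"""

# Constructed capture taken on the tier-0 uplink side: every request is
# forwarded and every reply comes back from the physical gateway.
UPLINK_CAPTURE = """\
12:00:01.000300 IP 172.25.25.100 > 192.168.1.1: ICMP echo request, id 1234, seq 1, length 64
12:00:01.000700 IP 192.168.1.1 > 172.25.25.100: ICMP echo reply, id 1234, seq 1, length 64
12:00:02.000300 IP 172.25.25.100 > 192.168.1.1: ICMP echo request, id 1234, seq 2, length 64
12:00:02.000700 IP 192.168.1.1 > 172.25.25.100: ICMP echo reply, id 1234, seq 2, length 64
12:00:03.000300 IP 172.25.25.100 > 192.168.1.1: ICMP echo request, id 1234, seq 3, length 64
12:00:03.000700 IP 192.168.1.1 > 172.25.25.100: ICMP echo reply, id 1234, seq 3, length 64
"""


def parse_icmp(capture_text):
    """Return one dict per echo request/reply line; non-ICMP lines are skipped."""
    packets = []
    for line in capture_text.splitlines():
        m = ICMP_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["id"] = int(pkt["id"])
            pkt["seq"] = int(pkt["seq"])
            packets.append(pkt)
    return packets


def correlate(captures):
    """Map (icmp id, seq) -> {'request': {points}, 'reply': {points}}.

    `captures` is {capture_point_name: capture_text}.
    """
    table = defaultdict(lambda: {"request": set(), "reply": set()})
    for point, text in captures.items():
        for pkt in parse_icmp(text):
            table[(pkt["id"], pkt["seq"])][pkt["kind"]].add(point)
    return dict(table)


def diagnose(captures, inside, outside):
    """Classify each echo exchange by where it stopped.

    `inside` is the capture point on the VM, `outside` the one beyond the
    router (uplink). Returns {(id, seq): verdict string}.
    """
    verdicts = {}
    for key, seen in sorted(correlate(captures).items()):
        req, rep = seen["request"], seen["reply"]
        if inside in req and outside not in req:
            verdict = "request left the VM but never reached the uplink: dropped on egress"
        elif outside in rep and inside not in rep:
            verdict = ("reply reached the uplink but not the VM: dropped on the return path, "
                       "check gateway/distributed firewall state")
        elif outside in req and outside not in rep:
            verdict = "request forwarded upstream but no reply returned: upstream problem"
        elif inside in rep:
            verdict = "ok"
        else:
            verdict = "unclassified"
        verdicts[key] = verdict
    return verdicts


if __name__ == "__main__":
    for key, verdict in diagnose(
        {"vm": VM_CAPTURE, "uplink": UPLINK_CAPTURE}, inside="vm", outside="uplink"
    ).items():
        print(key, verdict)
```

Feed the script real captures (`tcpdump -n icmp` on the VM and on whatever sits beyond the tier-0 uplink) and the per-sequence verdicts tell you whether the loss is on the way out, upstream, or on the return path; the last case points at a stateful rule in the gateway or distributed firewall rather than at routing.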
2 Replies
ashsevenuk80
Enthusiast

Hi

I'm not 100% sure if it's an option within NSX-T, but when I had a similar problem in NSX-V, I added the VMs to an exclusion list. This should tell you if a firewall within is blocking the communication.

Please don't forget to give a thumbs up if the above is helpful in troubleshooting the main cause.

Thank you

Ash

thierryn
Contributor

I do not see any possibility to add exceptions to certain VMs...

I've just rebooted the NSX Manager.

At the end of the process, the traffic is temporarily allowed, then blocked... I presume a security policy that is being enforced...

But the problem remains: the gateway firewall rule status stays on "uninitialized"...
