Has anyone else managed to get the HCX appliances to work with NSX-V installed with firewall rules? If I create firewall rules, traffic passes through them as per the documentation; I have assigned STs and SGs, but the gateway always drops while the tunnels remain up. As soon as I add it to the exclusion list it all magically works. It even drops with any/any rules. I am wondering if it has something to do with the way the ST/SG are working, as several VMs have the same private IPs.
|-- ssl connection(success)
|-- ssl handshake(success)
|-- gateway status(fail): Peer site connectivity is down
|-- Appliance System Status: good
|-- Peer Site Connectivity: down
|-- WANOPT 192.0.2.2 Status: up
|-- Tunnel t_1 Status: up , rx 45555526, tx 172285995
|-- Tunnel t_0 Status: up , rx 95071447, tx 209591053
|-- Tunnel t_2 Status: up , rx 4385286, tx 101590618
|-- Tunnel te_0 Status: up , rx 147018366, tx 485469324
A bit of an old post.
HCX deploys several appliances with a private address range list local to the appliance. NSX-V is unable to see these IPs and as such is unable to apply firewall rules which you have created using tags or groups. To get around this you have to use IP sets. With the later versions of HCX, I have noticed that after an upgrade the HCX appliances now appear in the global exclusion list of NSX.
This is as intended, and after many meetings with NSX-V engineers and HCX engineers looking into it, this is just how it is...
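Added example, not from either post and not HCX or NSX code: it builds the IP-set request body the reply recommends and shows why tag/group matching is unreliable when workload VMs share addresses. The NSX-V endpoint `/api/2.0/services/ipset/globalroot-0` and the `<ipset>` body fields are assumed from the NSX-V API; all addresses below are constructed sample data.

```python
import ipaddress
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample data (assumptions, not from the thread).
HCX_APPLIANCE_IPS = ["192.0.2.10", "192.0.2.11", "192.0.2.2"]
# Workload VMs whose IPs NSX-V resolves from security tags / groups.
WORKLOAD_VM_IPS = {"web01": "10.0.0.5", "web02": "10.0.0.5", "db01": "10.0.1.9"}


def find_duplicate_ips(vm_ips):
    """Return {ip: [vm, ...]} for addresses shared by more than one VM.

    A tag- or group-based rule resolves to these IPs, so duplicates make the
    resolved match set ambiguous; an explicit IP set avoids that lookup."""
    by_ip = {}
    for vm, ip in vm_ips.items():
        by_ip.setdefault(str(ipaddress.ip_address(ip)), []).append(vm)
    return {ip: sorted(vms) for ip, vms in by_ip.items() if len(vms) > 1}


def build_ipset_xml(name, addresses):
    """Build the XML body of an NSX-V IP set (assumed schema: name, value,
    inheritanceAllowed). Invalid addresses raise ValueError; duplicates are
    collapsed and the list is sorted so the body is stable for review."""
    unique = sorted({str(ipaddress.ip_address(a)) for a in addresses},
                    key=ipaddress.ip_address)
    root = ET.Element("ipset")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "value").text = ",".join(unique)
    ET.SubElement(root, "inheritanceAllowed").text = "true"
    return ET.tostring(root, encoding="unicode")


def build_ipset_request(manager, body):
    """Return a urllib Request for creating the IP set (assumed endpoint).
    Authentication headers are added by the caller; nothing is sent here."""
    url = f"https://{manager}/api/2.0/services/ipset/globalroot-0"
    return urllib.request.Request(url, data=body.encode(), method="POST",
                                  headers={"Content-Type": "application/xml"})


if __name__ == "__main__":
    print("shared addresses:", find_duplicate_ips(WORKLOAD_VM_IPS))
    xml_body = build_ipset_xml("hcx-appliances", HCX_APPLIANCE_IPS)
    req = build_ipset_request("nsxmgr.example.invalid", xml_body)
    print(req.get_method(), req.full_url)
    print(xml_body)
```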