Clear connections table

Contributor

Hi All,

I am new to NSX and wondered if there was a way to clear the connections table on NSX to force client connections to reconnect through the DFW?  You can do this on the Cisco ASA by issuing a clear connections command, does something similar exist on NSX?

Thanks

Accepted Solution

Commander

For doing this you should use Application Rule Manager from inside NSX and let the VMs do their normal function.

After that you can select which rules you want and delete the ones you don't.

7 Replies

Commander

Hey garethholder,

Every time you create a new DFW rule, it pushes it directly to ESXi, so if you want to start applying traffic segmentation you can do it immediately without the necessity of cleaning the VTEP table, which could cause you connectivity issues.

VMware Employee

Are you referring to DFW rules? We have session timers (Create a Session Timer); those are global values which will have a direct impact on the sessions. What are we trying to achieve?

Cheers,
Sree | CKA|VCAP-NSX-T| VCIX-3X| VCAP-3X| VExpert 4x
Contributor

Hi,

Thanks for the replies. NSX is set to pass all traffic and I am outputting default any/any rule logs to a syslog server. I am creating rules as I see the access on the syslog server and disabling logging for the newly created rules so I only capture what I need to create rules for. Traffic to our PLCs is in the connections/state table and I don't see log entries for it once connected. I would like to clear the connections table down if possible on the next production stop to force them to reconnect so I can see if I have missed any rules. Hope this makes sense.

Thanks

VMware Employee

This will be a tedious job. You should try vRNI for such use cases: Recommended Firewall Rules.

Cheers,
Sree | CKA|VCAP-NSX-T| VCIX-3X| VCAP-3X| VExpert 4x
User Moderator

Hi Gareth,

If you are referring to the flows in the DFW session table, you can clear them by adding the VM(s) to the Exclusion List, then removing them.

Adding VM(s) to the Exclusion List will remove the VM(s) from the DFW, which would clear the connections.

Refer to this KB:

Linux virtual machines with NFSv3 mounts experience an operating system hang after more than 15 minu...

  • Add the affected virtual machine to the NSX Manager exclusion list, and then remove it from the exclusion list. This removes all currently tracked flows and re-applies the Firewall. For more information, see the Exclude Virtual Machines from Firewall Protection section in the NSX Administration Guide.
Bayu Wibowo | VCIX6-DCV/NV Author of VMware NSX Cookbook http://bit.ly/NSXCookbook https://github.com/bayupw/PowerNSX-Scripts https://nz.linkedin.com/in/bayupw | twitter @bayupw
User Moderator

What syslog server do you use?
With NSX, you are entitled to use vRealize Log Insight (vRLI)

If you prefer to use vRLI as opposed to vRNI to create rules, you can group the logs based on unique source/dest/protocol/port.

See this blog post on how to do that: https://www.sneaku.com/2017/05/05/log-insight-nsx-v-dfw/

Bayu Wibowo | VCIX6-DCV/NV Author of VMware NSX Cookbook http://bit.ly/NSXCookbook https://github.com/bayupw/PowerNSX-Scripts https://nz.linkedin.com/in/bayupw | twitter @bayupw
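A worked example of the grouping described in the reply above, added here and not part of the original thread, of vRLI or of VMware's tooling: it parses NSX-v DFW packet-log (dfwpktlogs) syslog lines, keeps only the entries that hit the logged default rule, counts each distinct source/destination/protocol/destination-port tuple and turns the result into rule-shaped candidates. The line layout follows the dfwpktlogs format shown in VMware's NSX-v documentation but is an assumption here, the sample log lines are constructed, and the rule id 1001 stands in for the logged any/any default rule.

```python
import re
from collections import Counter

# Layout of one NSX-v dfwpktlogs "match" entry (assumed from the NSX-v docs):
#   dfwpktlogs: <id> INET match PASS <ruleset>/<rule> IN <len> TCP <src>/<sport>-><dst>/<dport> <flags>
# ICMP entries carry no ports, so both port groups are optional. Only the
# first packet of a new flow produces a "match" line; an established session
# (e.g. a long-lived PLC connection) is not logged again, which is exactly
# why the OP only sees PLC traffic after a reconnect.
DFW_RE = re.compile(
    r"dfwpktlogs:\s+\d+\s+(?P<af>INET6?)\s+match\s+"
    r"(?P<action>PASS|DROP)\s+(?P<ruleset>[^/\s]+)/(?P<rule>\d+)\s+"
    r"(?P<direction>IN|OUT)\s+\d+\s+(?P<proto>[A-Z]+)\s+"
    r"(?P<src>[0-9a-fA-F:.]+)(?:/(?P<sport>\d+))?->"
    r"(?P<dst>[0-9a-fA-F:.]+)(?:/(?P<dport>\d+))?"
)

# Constructed sample syslog lines; hosts, addresses and rule ids are invented.
SAMPLE_LOG = [
    "2019-03-18T08:00:01.123Z esx01 dfwpktlogs: 50047 INET match PASS domain-c7/1001 IN 60 TCP 10.10.20.15/49152->10.10.30.5/502 S",
    "2019-03-18T08:00:01.456Z esx01 dfwpktlogs: 50047 INET match PASS domain-c7/1001 IN 60 TCP 10.10.20.15/49153->10.10.30.5/502 S",
    "2019-03-18T08:00:02.001Z esx02 dfwpktlogs: 50048 INET match PASS domain-c7/1001 OUT 78 UDP 10.10.20.15/5353->10.10.30.8/53",
    "2019-03-18T08:00:03.010Z esx01 dfwpktlogs: 50047 INET match PASS domain-c7/1005 IN 52 TCP 10.10.20.40/40001->10.10.30.5/443 S",
    "2019-03-18T08:00:04.000Z esx01 dfwpktlogs: 50047 INET match PASS domain-c7/1001 IN 84 ICMP 10.10.20.15->10.10.30.5",
    "2019-03-18T08:00:05.000Z esx01 vmkernel: unrelated line",
]


def parse_dfw_line(line):
    """Return the fields of a dfwpktlogs 'match' entry as a dict, or None for other lines."""
    m = DFW_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    # Ports are absent for ICMP; normalise to int or None.
    fields["sport"] = int(fields["sport"]) if fields["sport"] else None
    fields["dport"] = int(fields["dport"]) if fields["dport"] else None
    return fields


def aggregate_flows(lines, rule_id, action="PASS"):
    """Count distinct (src, dst, proto, dport) tuples that hit rule_id with the given action.

    The source port is deliberately dropped: it is ephemeral and would turn one
    logical flow (the two TCP/502 sessions above) into many candidate rules.
    """
    flows = Counter()
    for line in lines:
        f = parse_dfw_line(line)
        if f and f["rule"] == rule_id and f["action"] == action:
            flows[(f["src"], f["dst"], f["proto"], f["dport"])] += 1
    return flows


def candidate_rules(flows):
    """Turn aggregated flows into rule-shaped dicts, most frequently hit first."""
    return [
        {
            "source": src,
            "destination": dst,
            "service": f"{proto}/{dport}" if dport is not None else proto,
            "hits": hits,
        }
        for (src, dst, proto, dport), hits in flows.most_common()
    ]


if __name__ == "__main__":
    for rule in candidate_rules(aggregate_flows(SAMPLE_LOG, rule_id="1001")):
        print(rule)
```

Feed it the raw syslog file (or the export from vRLI) instead of `SAMPLE_LOG`, and change `rule_id` to the id of your logged default rule; traffic that already matched a more specific rule (1005 in the sample) is left out, so the output is only what still falls through to the any/any rule.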