VMware Networking Community
rajeevsrikant (Expert)

NSX DFW Firewall

I am running NSX version 6.2.2 & I have configured the below DFW.

[screenshot: the configured DFW rule set referred to above]

I was testing the ACL with the Traceflow feature of NSX. The source was selected as the 10.10.10.10 VM and the destination as the 20.20.20.20 VM, with TCP destination port 22.

The Traceflow shows that the traffic was dropped by the deny rule (the rule ID shown was that of the deny rule).

Not sure why the rule for SSH was not followed.

But when an actual SSH session was initiated from the 10.10.10.10 VM to the 20.20.20.20 VM, it was working and the SSH session was established.

But when tested via Traceflow it shows the traffic as dropped by the deny rule.

Any idea what could be the reason?

I was not able to see the logs since they are in production.

23 Replies
rajeevsrikant (Expert)

Thanks all for your inputs.

Since I am not able to identify the reason for this, I will try to reach VMware Tech Support to see if they can provide some insight into this.

dumlutimuralp2 (VMware Employee)

This is expected behaviour. The Traceflow feature, by default, sets the TCP flag to "ACK" (Acknowledge). You need to clear ACK and instead choose "SYN" as the TCP flag in the Traceflow settings. The SSH rule looks for new session requests, which means SSH packets coming in with a "SYN" TCP flag.
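To make the explanation above concrete, here is a small added example (not VMware's code and not the NSX DFW implementation) that models a stateful firewall evaluating an ordered rule set. The rule IDs 1001/1002, the rule table and the packets are constructed to mirror the thread: an allow rule for SSH to 20.20.20.20 followed by a default deny. It shows why a Traceflow packet carrying only ACK, with no existing flow in the state table, falls through to the deny rule, while a SYN matches the SSH allow rule and creates the session state that later ACK segments are matched against.

```python
# Added example, not VMware or NSX code: a toy model of stateful rule
# evaluation. Rule IDs, addresses and the rule table are constructed for
# illustration and only mirror the scenario described in the thread.
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set, Tuple, Union


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: FrozenSet[str]  # TCP flags present, e.g. frozenset({"SYN"})


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str             # "allow" or "deny"
    dst: Optional[str]      # None matches any destination address
    dport: Optional[int]    # None matches any destination port


@dataclass
class StatefulFirewall:
    rules: List[Rule]
    # Flow table of sessions already admitted by an allow rule.
    sessions: Set[Tuple[str, str, int]] = field(default_factory=set)

    def evaluate(self, pkt: Packet) -> Tuple[str, Union[int, str]]:
        """Return (action, rule_id) for a packet, updating flow state."""
        key = (pkt.src, pkt.dst, pkt.dport)
        # Mid-stream packets of an established flow are matched by state,
        # not by walking the rule table again.
        if key in self.sessions:
            return ("allow", "state-table")
        # Only a SYN without ACK is a new session request; a bare ACK with
        # no flow entry is not a candidate for a stateful allow rule.
        is_new_session = "SYN" in pkt.flags and "ACK" not in pkt.flags
        for rule in self.rules:
            if rule.dst is not None and rule.dst != pkt.dst:
                continue
            if rule.dport is not None and rule.dport != pkt.dport:
                continue
            if rule.action == "allow":
                if not is_new_session:
                    continue          # allow rules only admit new sessions
                self.sessions.add(key)  # record the flow for later segments
            return (rule.action, rule.rule_id)
        return ("deny", "implicit")


def build_firewall() -> StatefulFirewall:
    """Constructed rule set: SSH allow rule first, then a default deny."""
    return StatefulFirewall(rules=[
        Rule(1001, "allow", "20.20.20.20", 22),   # hypothetical SSH rule
        Rule(1002, "deny", None, None),           # hypothetical default deny
    ])


def traceflow(fw: StatefulFirewall, flags) -> Tuple[str, Union[int, str]]:
    """Inject a synthetic 10.10.10.10 -> 20.20.20.20:22 packet with flags."""
    pkt = Packet("10.10.10.10", "20.20.20.20", 22, frozenset(flags))
    return fw.evaluate(pkt)


if __name__ == "__main__":
    fw = build_firewall()
    print("ACK only (Traceflow default):", traceflow(fw, {"ACK"}))
    print("SYN (new session):          ", traceflow(fw, {"SYN"}))
    print("ACK after handshake:        ", traceflow(fw, {"ACK"}))
```

Run in order, the three injections reproduce the thread: the ACK-only packet is reported as dropped by rule 1002, the SYN is allowed by rule 1001 and creates flow state, and a subsequent ACK is then allowed from the state table. This is also why a real SSH session works while an ACK-flagged Traceflow does not: the real client starts with a SYN.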

rajeevsrikant (Expert)

It worked, thanks.
