VMware Networking Community
ravik3677
Contributor

NSX-T 3.1.1 DFW issue

Hi All

We are seeing an issue in our env whereby our applications intermittently do not work. What I see in the DFW logs is that the initial SYN packet from the client to the server is allowed, but the SYN-ACK back from the server to the client is dropped on the DFW. This does not happen all the time; I see this when users complain of application issues. Any ideas why the SYN-ACK packet of the 3-way handshake is getting dropped? I will appreciate it if anyone can share any insight.

ravik3677_0-1619749737127.png

Thanks

3 Replies
mauricioamorim
VMware Employee

Is this a stateless or stateful rule? Check the section where the rule is and make sure it is marked as stateful. Have you created it for both directions? 

RShankar22
VMware Employee

The SA packet is getting dropped by a different FW rule (5475).

Can you please share the config for DFW rules 5475 & 5459?

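An added example, not part of the thread or any poster's code: one way to confirm from DFW packet logs that a SYN was passed by one rule while the returning SYN-ACK was dropped by another. The log line layout, the sample lines and the function name `find_dropped_synacks` are assumptions; the rule IDs 5459 and 5475 are reused from the replies above only as constructed sample values.

```python
import re

# Assumed dfwpktlogs-style layout (an assumption, not taken from the thread):
# <ts> <filter> INET <reason> <action> <rule> <dir> <len> TCP <src>/<sport>-><dst>/<dport> <flags>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ INET \S+ (?P<action>PASS|DROP|REJECT) (?P<rule>\d+) "
    r"(?P<dir>IN|OUT) \d+ TCP (?P<src>[\d.]+)/(?P<sport>\d+)->"
    r"(?P<dst>[\d.]+)/(?P<dport>\d+) (?P<flags>[A-Z]+)$"
)

# Constructed sample lines; addresses come from documentation ranges.
SAMPLE_LOG = """\
2021-04-30T02:28:57.101Z 1a2b3c4d INET match PASS 5459 IN 52 TCP 192.0.2.10/51514->198.51.100.20/443 S
2021-04-30T02:28:57.102Z 5e6f7a8b INET match DROP 5475 OUT 52 TCP 198.51.100.20/443->192.0.2.10/51514 SA
2021-04-30T02:29:03.400Z 1a2b3c4d INET match PASS 5459 IN 52 TCP 192.0.2.11/40022->198.51.100.20/443 S
2021-04-30T02:29:10.000Z 5e6f7a8b INET match DROP 5475 IN 52 TCP 203.0.113.5/1234->198.51.100.20/22 S
"""


def find_dropped_synacks(log_text):
    """Return (client, server, syn_rule, drop_rule) for each SYN-ACK
    that was dropped after the matching SYN had been passed."""
    passed_syn = {}  # (client ip, client port, server ip, server port) -> rule id
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # non-TCP or unparsable lines are ignored
        flow = (m["src"], m["sport"], m["dst"], m["dport"])
        if m["flags"] == "S" and m["action"] == "PASS":
            passed_syn[flow] = m["rule"]
        elif m["flags"] == "SA" and m["action"] != "PASS":
            # The SYN-ACK travels server -> client, so reverse the tuple
            # to look up the SYN that opened this flow.
            client_flow = (m["dst"], m["dport"], m["src"], m["sport"])
            if client_flow in passed_syn:
                findings.append((
                    f"{client_flow[0]}:{client_flow[1]}",
                    f"{client_flow[2]}:{client_flow[3]}",
                    passed_syn[client_flow],
                    m["rule"],
                ))
    return findings


if __name__ == "__main__":
    for client, server, syn_rule, drop_rule in find_dropped_synacks(SAMPLE_LOG):
        print(f"{client} -> {server}: SYN passed by rule {syn_rule}, "
              f"SYN-ACK dropped by rule {drop_rule}")
```

A SYN-ACK that is evaluated against the rule table at all, rather than matched to the connection state created by the SYN, is the symptom the stateful-versus-stateless question in the first reply is probing.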
Carlos503
Contributor

Posts about NSX-T written by Tomas Fojta.either NSX-T backed Org VDC or the migration tool (yet), but some issues can be The DFW supports IP Sets and Security Groups containing network objects that apply rules to all connected VMs.

 
