VMware Networking Community
lerf2

NSX firewall block http traffic through TCP port 69

Hi,

I have encountered a weird issue with the NSX Firewall (filter).

Once you enable the NSX Firewall, even with the "allow all traffic" default rule, HTTP packets through TCP port 69 will be dropped.

The 3-way handshake can complete, but the following ACK packet for the data transmission will be dropped.

There is no block event in NSX. But if you turn on Live Flow, you will see the Flow State is "Blocked".


This case can easily be reproduced by:


1. Enable NSX firewall services.

2. With the default FW rules, the last rule is allow all traffic.

3. Place a web server listening on port 69 not protected by NSX.

4. Start a VM with NSX network protection, open IE browser, connect to http://{web_server}:69/


If you capture with Wireshark in the VM, you will see that after the 3-way handshake has completed, the following ACK for the server response will be missing.

If you turn on Live Flow on the VM nic, you will see Flow State "Blocked".


Does anyone know what happened?



Environment:

NSX 6.2.4

ESXi 5.5

Client VM Windows 2008 R2

Http Server VM (Not in NSX cluster): Ubuntu 14.04 x64

5 Replies
admin

TCP port 69 is commonly exploited by trojans, and may be used for TFTP. Does one of these systems have a client security application such as Trend/Symantec/McAfee, or do you have any of this traffic traversing an NGFW? I set up an nginx instance on port 69 in my lab and traffic flows correctly.

admin

Also, can you share the firewall policy that is attached to the VMs? 6.2.3 added a TFTP ALG, and I am wondering if the DFW is seeing an HTTP transfer on the TFTP port and the action is due to expecting TFTP and not seeing a TFTP transfer.

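The symptom described in the original post (handshake completes, data segments never arrive) and the ALG hypothesis in the reply above both come down to one question: does the data path deliver application bytes after the TCP handshake, or only the handshake itself? The following probe is an added example, not code from the thread or from VMware; it reproduces the check the poster did by hand with Wireshark, but from the client socket's point of view. It distinguishes "connection refused", "no handshake", "handshake OK but no response data" (the DFW/ALG symptom) and "response received". The host and port are parameters; 69 is only the default because that is the port under discussion. The two local servers are constructed test fixtures: a normal HTTP server and a "black hole" that accepts connections but never answers, which stands in for the blocked flow so the probe can be exercised without NSX in the loop.

```python
import socket
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed defaults for the lab in the thread: port 69 is the TFTP/ALG port
# under discussion; any host:port can be passed in instead.
DEFAULT_PORT = 69
DEFAULT_TIMEOUT = 3.0


def probe_http(host, port=DEFAULT_PORT, path="/", timeout=DEFAULT_TIMEOUT):
    """Send one HTTP GET and report how far the exchange gets.

    Returns (state, status_line) where state is one of:
      "refused"       - TCP RST / unreachable, no connection at all
      "no_handshake"  - SYN sent, no SYN/ACK within timeout
      "data_blocked"  - handshake completed and GET sent, but no response
                        bytes arrived within timeout (the thread's symptom:
                        a stateful inspector lets the handshake through and
                        drops the data segments)
      "reset"         - the peer (or a middlebox) reset the connection
      "ok"            - response bytes received; status_line is the first line
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", None
    except (socket.timeout, OSError):
        return "no_handshake", None
    with sock:
        request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
                   f"Connection: close\r\n\r\n")
        sock.sendall(request.encode("ascii"))
        sock.settimeout(timeout)
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "data_blocked", None
        except ConnectionResetError:
            return "reset", None
        if not data:
            # Peer closed without sending anything: treat as blocked for our purposes.
            return "data_blocked", None
        status_line = data.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
        return "ok", status_line


class _HelloHandler(BaseHTTPRequestHandler):
    """Minimal web server used as the constructed 'good' fixture."""

    def do_GET(self):
        body = b"hello from port %d\n" % self.server.server_port
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_http_server(port=0):
    """Start a throwaway HTTP server on 127.0.0.1; port 0 lets the OS pick. Returns the port."""
    server = HTTPServer(("127.0.0.1", port), _HelloHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_port


def start_blackhole_server(port=0):
    """Accept TCP connections but never read or send a byte.

    Constructed fixture that mimics the 'handshake completes, data goes nowhere'
    behaviour the poster saw, so probe_http() can be exercised offline.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", port))
    listener.listen(5)
    held = []  # keep accepted connections open so the client does not get a RST

    def accept_loop():
        while True:
            conn, _ = listener.accept()
            held.append(conn)

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1]


if __name__ == "__main__":
    # Usage: python probe.py <web_server_host> [port]   (run from the protected VM)
    target_host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PORT
    print(probe_http(target_host, target_port))
```

Run it from the NSX-protected VM against the unprotected web server, once with the firewall enabled and once disabled, and compare the states; "data_blocked" with the firewall on and "ok" with it off is the pattern in the thread. Running the same probe on a second port that has no ALG (for example 8080) is the quickest way to tell an ALG-specific drop from a general policy problem.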
lerf2

Hi hparrott,

We had installed a security appliance before, but the reason we think it might be caused by the NSX firewall is that, after we removed the security appliance from Service Deployments:

  • If we disable the NSX firewall in vCNS > Installation > Host Preparation > Firewall, then restart the browser (because the browser might have a cache) and connect to the HTTP server, we can connect successfully.
  • If we enable the NSX firewall, then restart the browser and connect again, the page cannot be loaded. (With Wireshark we observed that ACK packets are missing.)

The weird thing is, the same case can also be reproduced by my colleague.

May I know if you are using NSX 6.2.4?

The IE browser might need to be restarted, because sometimes it will cache the previously successfully loaded page.

And between switching the NSX firewall service on and off you might need to wait 1 or 2 minutes.

In my experiment, we are using the default NSX firewall rule:

[Screenshot: default NSX firewall rule set]

Thanks!

admin

I ran more extensive tests today and have identified an inconsistency in behavior. Have you opened an SR on this?

admin

I have confirmed the bug with the PM in charge of the DFW.  There will be a fix coming in the upcoming release.

-Heath