Has anyone experienced or seen any bizarre firewall / routing issues with VMs running under NSX with multiple duplicate IPs?
Duplicate IPs being valid, i have created firewall rules using ST/ SG/IP/VM object and even any any rules to try avoid this and all fail to work correctly. As soon as i plant the VMs in the exclusion list it all magically works. What is even more strange is the default deny rule does not even log any drops from these VMs and there is nothing on in the firewall log of the hosts which these VMs run on.
Its just as bizarre as running ECMP with Reverse Path filtering on strict
Bizarre, but it's by design. Security Groups, VMs, etc., are just the logical objects within vCenter/NSX Manager. When you configure a firewall rule, NSX Manager evaluates the objects and send firewall rules down based on IPs. So if you have multiple VMs with the same IP, they will all match the rule.
To avoid that, you need to use Applied To field in your DFW rule to make sure that the rule is sent only to applicable VMs. So if you have two sets of VMs with overlapping address ranges, one set running on cluster1 and the other on cluster2 and you want to apply the rule only to VMs on cluster1, use cluster1 in Applied To field.
I have had it confirmed by the nsx and hcx teams this is by design and using VM objects in the NSX may result in not all the IP addresses being detected. as a work around you need to create IPset with the private ips for it to register the rules correctly. It would appear everyone else just uses the exclusion list which is a pain for each upgrade and is a lazy way of doing things.
Security Tags, Groups, VM objects etc all do not work, you need to use IPSet for duplicate private only.
That's two separate issues. If your IPs are not detected by VMware Tools, did you try to enable ARP Snooping?
ARP Snooping already enabled and nothing to do with VMware tools. NSX engineer confirmed the same issue in the labs and have it escalated as to why the Security Group , Tags do not work with HCX and private ip ranges that are duplicate.
This is only HCX i have never had any issues with any other VM or device throughout NSX's history