I deployed NSX and implemented the Distributed Firewall on all of my production servers, and everything works fine.
Last week I tried to migrate my physically separated DMZ virtual environment to the production virtual environment and apply a Distributed Firewall policy to create a logically defined DMZ environment.
All other systems, such as the Apache reverse proxy and Lync Edge, work fine, but the Citrix NetScaler VPX 200 behaves very strangely and is very unstable. If I add the VPX to the exclusion list it works fine.
I checked Log Insight while the Distributed Firewall policy was applied and found thousands of dropped packets (packet types A, FA and PA).
DMZ environment (before migration): ESXi 5.5, standard switch port group, no NSX.
Production environment (after migration): ESXi 6.1, distributed switch port group, NSX deployed and Distributed Firewall policy applied.
FYI, the NetScaler VPX has multiple virtual hosts for load balancing and has one MAC address with multiple virtual IPs.
Does anybody have any idea why this problem is happening to the NetScaler only? I have more than 300 guest OSes behind the Distributed Firewall and all work fine except the VPX; the only difference is that the VPX has a single MAC address with multiple virtual IP addresses.
Possibly required ports are closed? Recommend running a packet capture.
This might be down to how DFW works.
> ... I found thousands of packet dropped (packet type A FA and PA)
These are packets with the following TCP flags set:
A - ACK
FA - FIN+ACK
PA - PSH+ACK
You did not share how many interfaces the VPX has, but this might be because the traffic comes and goes asymmetrically (say, it leaves on vnic0 and comes back in on vnic1).
So how many interfaces are on the VPX?
And check out the following KBs:
Stateful behavior of the NSX Distributed Firewall in an asymmetric routing environment (2145340)
Distributed Firewall (DFW) packets hitting Default Rule instead of previous Rule allowing/blocking d...
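An added example, not part of the thread, for triaging drops like the ones described above. It parses dfwpktlogs-style lines as they would appear in Log Insight, decodes the flag abbreviations, separates policy drops (a bare SYN hitting a deny rule) from no-state drops (ACK, PSH+ACK, FIN+ACK or SYN+ACK packets for which the filter has no flow entry), and flags flows where the SYN was passed but the reply was dropped, which is what an asymmetric path across two vNIC filters looks like in the logs. The sample log lines are constructed to approximate the vsfwd dfwpktlogs format, the addresses and rule IDs are made up, and attributing the drops to a second vNIC is the reply's hypothesis, not something the script can see.

```python
"""Classify NSX DFW packet-log drops and spot the asymmetric-path signature."""
import re
from collections import defaultdict

# Flag letters as DFW packet logs print them (the reply above lists A, FA, PA).
TCP_FLAGS = {"S": "SYN", "A": "ACK", "F": "FIN", "P": "PSH", "R": "RST", "U": "URG"}

# Constructed sample (approximation of vsfwd dfwpktlogs lines, not real data).
# Perspective: the DFW filters on a load balancer VM. VIP 192.168.50.10:443,
# SNIP 192.168.50.11 to backend 192.168.50.20:80. Rule 1003 allows, 1001 is
# the default deny. Client 10.10.1.25's SYN is passed but every reply is dropped.
SAMPLE_LOG = """\
2017-02-01T10:00:01.000Z vsfwd: [INFO] dfwpktlogs: INET match PASS domain-c7/1003 IN 60 TCP 10.10.1.25/50001->192.168.50.10/443 S
2017-02-01T10:00:01.002Z vsfwd: [INFO] dfwpktlogs: INET match DROP domain-c7/1001 OUT 60 TCP 192.168.50.10/443->10.10.1.25/50001 SA
2017-02-01T10:00:02.000Z vsfwd: [INFO] dfwpktlogs: INET match DROP domain-c7/1001 OUT 52 TCP 192.168.50.10/443->10.10.1.25/50002 A
2017-02-01T10:00:02.100Z vsfwd: [INFO] dfwpktlogs: INET match DROP domain-c7/1001 OUT 52 TCP 192.168.50.10/443->10.10.1.25/50002 PA
2017-02-01T10:00:03.000Z vsfwd: [INFO] dfwpktlogs: INET match DROP domain-c7/1001 OUT 52 TCP 192.168.50.10/443->10.10.1.25/50003 FA
2017-02-01T10:00:04.000Z vsfwd: [INFO] dfwpktlogs: INET match PASS domain-c7/1003 OUT 60 TCP 192.168.50.11/40000->192.168.50.20/80 S
2017-02-01T10:00:04.001Z vsfwd: [INFO] dfwpktlogs: INET match PASS domain-c7/1003 IN 60 TCP 192.168.50.20/80->192.168.50.11/40000 SA
2017-02-01T10:00:05.000Z vsfwd: [INFO] dfwpktlogs: INET match DROP domain-c7/1001 IN 60 TCP 172.16.0.9/41000->192.168.50.10/22 S
"""

# Field layout assumed for the constructed lines: action, ruleset/rule, direction,
# length, protocol, src/sport->dst/dport, then the TCP flag letters.
LINE_RE = re.compile(
    r"dfwpktlogs: INET match (?P<action>PASS|DROP) (?P<rule>\S+) (?P<dir>IN|OUT) "
    r"(?P<len>\d+) (?P<proto>TCP|UDP) (?P<src>[\d.]+)/(?P<sport>\d+)->"
    r"(?P<dst>[\d.]+)/(?P<dport>\d+)(?: (?P<flags>[SAFPRU]+))?"
)


def parse_line(line):
    """Return a dict of fields for one packet-log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"] or ""
    return rec


def decode_flags(abbrev):
    """'FA' -> 'FIN+ACK'. Unknown letters are kept verbatim."""
    return "+".join(TCP_FLAGS.get(ch, ch) for ch in abbrev)


def flow_key(rec):
    """Direction-independent key so a request and its reply land in one bucket."""
    ends = sorted([(rec["src"], rec["sport"]), (rec["dst"], rec["dport"])])
    return (rec["proto"],) + tuple(ends)


def analyze(log_text):
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    syn_passed = {}                  # flow key -> (ip, port) that sent the passed SYN
    drops_by_flow = defaultdict(list)
    flag_hist = defaultdict(int)
    policy_drops = no_state_drops = other_drops = 0

    for r in records:
        key = flow_key(r)
        if r["action"] == "PASS" and r["flags"] == "S":
            syn_passed[key] = (r["src"], r["sport"])
        elif r["action"] == "DROP":
            drops_by_flow[key].append(r)
            flag_hist[decode_flags(r["flags"])] += 1
            if r["proto"] != "TCP":
                other_drops += 1
            elif r["flags"] == "S":
                policy_drops += 1      # new connection refused by a deny rule
            else:
                no_state_drops += 1    # mid-stream packet with no flow entry

    # Asymmetric signature: the filter passed the SYN, yet the reply to that same
    # flow was dropped. A single stateful filter would have matched the reply, so
    # the reply reached a filter (vNIC) that never saw the SYN, or the state aged out.
    asymmetric = []
    for key, initiator in syn_passed.items():
        reply_drops = [d for d in drops_by_flow.get(key, [])
                       if (d["dst"], d["dport"]) == initiator]
        if reply_drops:
            asymmetric.append({
                "flow": key,
                "dropped_reply_flags": [decode_flags(d["flags"]) for d in reply_drops],
                "rule": reply_drops[0]["rule"],
            })

    return {
        "policy_drops": policy_drops,
        "no_state_drops": no_state_drops,
        "other_drops": other_drops,
        "flag_histogram": dict(flag_hist),
        "asymmetric_flows": asymmetric,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for k, v in result.items():
        print(f"{k}: {v}")
```

A high no-state count with few policy drops means the firewall is not refusing connections but is losing track of them; if the asymmetric list is populated for flows through the VIP, compare which vNIC the SYN and the reply traverse before changing any rules.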