I have a cluster with 4 ESXi hosts.
I deployed 2 services in this setup, both with Functions = "IDS IPS" and Deployment Mechanism = "Host based vNIC", but each service has a different Service Manager IP. This means that for each ESXi host there are 2 Agent VMs deployed (one for each service).
On one of the ESXi hosts there are 2 VMs which are generating traffic. For each of the 2 services I created a Security Group containing these 2 VMs and a Security Policy with rules that match both incoming and outgoing traffic to the Service Group.
I select the "Redirect to Service" Action and the default Vendor Template created with the Service for the Profile in each rule (Network Introspection Service) of each Security Policy (so I have 2 Security Policies, SP1 and SP2, with 2 rules each).
My problem is that I can only see packets in one of the 2 Agent VMs corresponding to this ESXi host at a time.
After I edit one of the Security Policies, SP1 (even without making any change), and press Finish, I can see the packets in the Agent VM corresponding to that SP's Service, Service1.
Once I edit the other Security Policy, SP2, and press Finish, I can see the packets in the other Agent VM corresponding to the second SP's Service, Service2.
From what I understood there can be 11 services from different providers in a chain and all should be able to see the traffic.
Do you have any idea what else I can try to be able to see the packets in both Agent VMs at the same time?
From what I understand, you are assigning two policies to one security group, each containing one network introspection rule.
From what I understand about network introspection, only the network introspection rule of one policy will be effective if more than one policy is assigned to a security group. It will be the policy with the highest weight. New policies get a default weight of the-highest-current-weight-of-all-policies + 1000, which might explain why you see only the service of the most recently edited/created policy receiving packets. Check the weight as you edit/save a policy.
Your solution might be to create only one policy with two network introspection rules and apply it to the security group. Maybe this link will help you:
The order of the introspection rules will be defined by the service slot the third-party service is configured for. The lowest slot is processed first.
I hope that helps,
MiKa from Vienna
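As an added example that is not part of the original thread, here is a small Python model of the precedence behaviour the answer describes (highest-weight policy wins, new policies default to highest weight + 1000, introspection rules processed lowest slot first), applied to the two-policy setup from the question and to the suggested single-policy fix. The policy names, weights, slot numbers and security group name are constructed, and the model only mirrors the answer's description, not the NSX implementation itself.

```python
# Added example (not from the original post): a small model of the NSX policy
# precedence rule described above. All names, weights and slots are constructed.
from dataclasses import dataclass, field

@dataclass
class IntrospectionRule:
    service: str   # e.g. "Service1"
    slot: int      # service slot the third-party service is configured for

@dataclass
class SecurityPolicy:
    name: str
    weight: int
    groups: set                       # security groups the policy is applied to
    rules: list = field(default_factory=list)

def default_weight(policies):
    """New policies get highest-current-weight + 1000, as the answer states."""
    return max((p.weight for p in policies), default=0) + 1000

def effective_policy(policies, group):
    """Only the highest-weight policy applied to a group enforces its
    network introspection rules."""
    applied = [p for p in policies if group in p.groups]
    return max(applied, key=lambda p: p.weight) if applied else None

def services_seeing_traffic(policies, group):
    """Services that receive redirected traffic for the group, lowest slot first."""
    pol = effective_policy(policies, group)
    return [] if pol is None else [r.service for r in sorted(pol.rules, key=lambda r: r.slot)]

def shadowed_policies(policies, group):
    """Policies applied to the group whose introspection rules are never hit."""
    eff = effective_policy(policies, group)
    return [p.name for p in policies if group in p.groups and p is not eff]

# Constructed scenario from the question: two policies, one introspection rule each, same group.
SG = "SG-traffic-vms"
sp1 = SecurityPolicy("SP1", 4300, {SG}, [IntrospectionRule("Service1", 4)])
sp2 = SecurityPolicy("SP2", default_weight([sp1]), {SG}, [IntrospectionRule("Service2", 5)])
TWO_POLICIES = [sp1, sp2]

# Suggested fix: one policy carrying both rules; processing order follows the slot,
# not the order the rules were added in.
ONE_POLICY = [SecurityPolicy("SP-both", 4300, {SG},
                             [IntrospectionRule("Service2", 5), IntrospectionRule("Service1", 4)])]
```

With two policies on the group, `shadowed_policies` names SP1 as the one whose rule never fires, which matches the symptom of only one Agent VM seeing packets; with the single combined policy both services are listed, Service1 first because of its lower slot.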