Service chaining not working


I have a cluster with 4 ESXi hosts.

I deployed 2 services in this setup, both with Functions = "IDS IPS" and Deployment Mechanism = "Host based vNIC", but each service has a different Service Manager IP. This means that for each ESXi host there are 2 Agent VMs deployed (one for each service).

On one of the ESXi hosts there are 2 Vms which are generating traffic. For each of the 2 services I created a Security Group containing these 2 VMs and a Security Policy with rules that match both incoming and outgoing traffic to the Service Group.

I select "Redirect to Service" Action and the default Vendor Template created with the Service for the Profile in each rule (Network Introspection Service) of each Security Policy (So I have 2 Security Policies SP1 and SP2, with 2 rules each).

My problem is that I can only see packets in one of the 2 Agent VMs corresponding to this ESXi host at a time.

After I edit one of the Security policies, SP1,  (even without making any change) and press Finish I can see the packets in the Agent VM corresponding to that SP's Service, Service1.

Once I edit the other Security Policy, SP2,  and press Finish I can see the packets in the other Agent VM corresponding to the second SP's Service, Service2.

From what I understood there can be 11 services from different providers in a chain and all should be able to see the traffic.

Do you have any idea what else can I try to be able to see the packets in both Agent VMs at the same time?

Thank you,


0 Kudos
1 Reply

Dear Alexandra,

from what I understand you are assigning two policies to one security group, each containing one network introspection rule.

From what I understand about network introspection, only the network introspection rule of one policy will be effective if more than one policy is assigned to a security group. It will be the policy with the highest weight. New policies will have a default weight of the-highest-current-weight-of-all-policies + 1000 which might explain that you see only the service of the latest edited/created policy to receive packets. Check the weight as you edit/save a policy.

Your solution might be to create only one policy with two network introspection rules and apply it to the security group. Maybe this link will help you:

NSX 6 Documentation Center

The order of the introspection rules will be defined by the service-slot the third party service is configured for. The lowest slot is processed first.

I hope that helps,

MiKa from Vienna

Packet herder and stateful inspector.
0 Kudos