wombatclov
Contributor
Contributor

Storage V-Motion Drops NSX-T Distributed Firewall

Jump to solution

This is a complicated one and leaving us scratching our heads.

Brand new NSX-T deployment.  Brand new, fresh install of NSX-T 3.2, vCenter 7.latest, and esxi 7.latest.

Installed NSX-T from the v-center UI, and chose the security model, and installed that on all the hosts. Everything clean, no mods. 

I built up a fresh Linux VM, and the Distributed Firewall rules were working as expected. I compute motioned the VM around, and it was fine. However, when I storage motion the VM, it appears to completely drop any firewalling it had applied. Not only do packets get through when they should not, there is no more logging about firewalling that VM- nothing (so it is not a firewall rule position issue). As if NSX-T did not exist on that VM. If I move the VM back to the data-store it came from, I do not get the firewall back. It is still gone.

I replicated this several times. One more time I built another fresh VM- did the same things, and the same thing happened.

I also brought over an existing VM from the vcenter 6.7 environment. Again, it was fine, until I storage-motioned it off to another datastore.

Anyone seen this?  Since we used the simplified "security only" install, NSX uses the VDS's from vCenter, and we have no customization in NSX in terms of transport profiles and uplinks.

0 Kudos
1 Solution

Accepted Solutions
wombatclov
Contributor
Contributor

I worked with technical support on this, whom escalated to engineering.  It is a known bug, affecting DFW on DVPGs and that there is a fix to be released in NSX-T 3.2.2 when it goes Generally Available this quarter. As a workaround until then, they have indicated that a combined Compute+Storage VMotion should not trigger this issue, which we verified.

View solution in original post

3 Replies
wombatclov
Contributor
Contributor

I worked with technical support on this, whom escalated to engineering.  It is a known bug, affecting DFW on DVPGs and that there is a fix to be released in NSX-T 3.2.2 when it goes Generally Available this quarter. As a workaround until then, they have indicated that a combined Compute+Storage VMotion should not trigger this issue, which we verified.

jeffj2000
Enthusiast
Enthusiast

Do you happen to have the bug number on this, I was about to do lots of Storage vMotion on v3.2.1 and I want to open a support ticket to get some more information. Do you know what release the bug was in? Was it definitely a fix for a combined vMotion/Storage vMotion? This is such a strange bug. Thank you.

0 Kudos
wombatclov
Contributor
Contributor

I was not given a bug number.  Only that our issue was re-produced and a fix will be in the next release.  We are running 3.2.1.  I believe the fix will be in 3.2.2.  This apparently is only an issue when the "quick start" method is used, setup with "security only" and using VDS version 7, rather than the NSX-T switches.

0 Kudos