VMware Networking Community
ashsevenuk80
Enthusiast

What exactly does adding a VM to Exclusion list do

Hi,

I'm running a Citrix setup via NSX; for this I have GI running. Everything is running as it should be, however I'm having trouble with a pair of DFS servers replicating from site to site. Not running cross vCenters, only have DFW set up, not using NSX for anything other than DFW.

When NSX is disabled, DFS servers from site to site work fine. We don't have ESG firewall set up.

Could the GIs be restricting the DFWs from communicating with each other?

I've tried adding the pair of DFS servers from each site to an exclusion list within NSX and that hasn't made a difference. Where am I going wrong?

0 Kudos
2 Replies
Sreec
VMware Employee

> When NSX is disabled, DFS servers from site to site work fine. We don't have ESG firewall set up.

When you say NSX being disabled, what exactly are you referring to? Removing the firewall from the host or allowing all the traffic? Also, may I know what the use case for GI is in your setup?

By default DFW allows all L2/L3 traffic; did you change the default policy by any chance? Remember user-defined rules will be placed above the default rule and priority is from TOP to BOTTOM, so double check your rule lists as well. Also, for DFS replication you mostly have other dependencies like DNS/AD etc., so you should double check if communication is allowed for those entities as well from a firewall rule perspective. Excluding DFS alone might not be enough.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
0 Kudos
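
Added illustration, not from the thread and not VMware code: a simplified first-match model of the top-to-bottom rule ordering described in the reply above, showing why putting only the DFS servers on the exclusion list can still leave their DNS/AD dependencies blocked. The rule table, group names and the changed default rule are constructed, and the model assumes traffic from an excluded VM is still filtered at a non-excluded peer.

```python
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # source group name, or ANY
    dst: str       # destination group name, or ANY
    port: object   # TCP/UDP port number, or ANY
    action: str    # "allow" or "block"

# Constructed rule table, listed top to bottom. The last entry is the default
# rule, assumed here to have been changed from allow to block.
RULES = [
    Rule("dfs-smb", "dfs", "dfs", 445, "allow"),
    Rule("citrix-to-dfs", "citrix", "dfs", 445, "allow"),
    Rule("default", ANY, ANY, ANY, "block"),
]

# Constructed list of flows to check: SMB and RPC endpoint mapper between the
# DFS servers, then DNS, Kerberos and LDAP towards a domain controller group.
# The dynamic RPC port used after the endpoint mapper lookup is left out.
FLOWS = [("dfs", "dfs", 445), ("dfs", "dfs", 135),
         ("dfs", "dc", 53), ("dfs", "dc", 88), ("dfs", "dc", 389)]

def first_match(rules, src, dst, port):
    """Walk the table top to bottom; the first matching rule decides."""
    for r in rules:
        if r.src in (ANY, src) and r.dst in (ANY, dst) and r.port in (ANY, port):
            return r
    raise ValueError("rule table has no default rule")

def audit(rules, flows, excluded=frozenset()):
    """Map each blocked flow to the name of the rule that blocked it."""
    blocked = {}
    for src, dst, port in flows:
        # Assumption: a flow escapes filtering only if both ends are excluded.
        if src in excluded and dst in excluded:
            continue
        rule = first_match(rules, src, dst, port)
        if rule.action == "block":
            blocked[(src, dst, port)] = rule.name
    return blocked

if __name__ == "__main__":
    for label, excl in (("no exclusions", set()), ("dfs excluded", {"dfs"})):
        print(label, audit(RULES, FLOWS, excl))
```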
ashsevenuk80
Enthusiast

Prior to NSX DFW it was working fine; however, since the addition of NSX DFW the site to site replication for DFW isn't working.

I'm using identity-based DFW for a Citrix setup. All the Citrix servers and DFS servers are in the same cluster.

0 Kudos