That was my theory too as we do use promiscuous mode on the fenced port group. Glad someone has the same theory.

Hi. Did you manage to solve this? We're getting between 10 and 100 messages per host per second (which Log Insight gracefully shows me graphically).

The error messages are for the nested ESXi hosts that we are running in the lab environment. If I vMotion them to different underlying hosts, those hosts start spewing these messages instead (again displayed by Log Insight in the "over time grouped by hostname" view).

Snippet:

---

2013-12-18T12:34:14.694Z esxi-03.rtsvl.local vmkernel: cpu14:135515)vsla-fence: Fence_Decapsulate:297: port:41000c4b1550:OPI:{01,00003e} Drop unicast packet with hostKeyMac as dest mac

2013-12-18T12:34:14.694Z esxi-03.rtsvl.local vmkernel: cpu14:135515)vsla-fence: Fence_Decapsulate:297: port:41000c4b27e0:OPI:{01,000044} Drop unicast packet with hostKeyMac as dest mac

2013-12-18T12:34:14.694Z esxi-03.rtsvl.local vmkernel: cpu14:135515)vsla-fence: Fence_Decapsulate:297: port:41000c4b3a70:OPI:{01,00003e} Drop unicast packet with hostKeyMac as dest mac

2013-12-18T12:34:14.694Z esxi-03.rtsvl.local vmkernel: cpu14:135515)vsla-fence: Fence_Decapsulate:297: port:41000c4b4d00:OPI:{01,00003f} Drop unicast packet with hostKeyMac as dest mac

2013-12-18T12:34:14.694Z esxi-03.rtsvl.local vmkernel: cpu14:135515)vsla-fence: Fence_Decapsulate:297: port:41000c4a6d80:OPI:{01,00004b} Drop unicast packet with hostKeyMac as dest mac

---

/Anders

The only workaround is to use a different network pool type completely.  e.g. Switch to VXLAN.

This is a known issue when using Promiscuous Mode with VCNI, and why one of the reasons Prom Mode isn't enabled by default (prom mode isn't needed for a lot of use cases, except a few like Nested hypervisors or network appliance testing).

Thanks for the info!

Yes, the reason why we are running Prom Mode is because we are running nested ESXi hosts, which are part of the lab kits for the official VMware courses. I wasn't involved in setting it up, but I assume that was the best design choice back then.

Could you point me in the right direction on where to find more information on how to run nested ESXi hosts without using Prom Mode port groups? Would upgrading vSphere and vCD to 5.5 help us get more alternatives on how to achieve this?

(Ping magander )

Hi,

don't think an upgrade to 5.5 will help. See the Promiscous mode section in the following blog, http://www.virtuallyghetto.com/2013/11/why-is-promiscuous-mode-forged.html

Haven't tested to set to reject though so i'm not certain.

Prom Mode is required for Nested ESXi hosts for some networking features to function, same with Forged Transmits (since nested VM MACs will be on the network traffic).

The logging of the vsla-fence message can become a burden on the physical ESXi host producing it.  Specifically Syslog cannot handle the amount of messages.  If that happens then you might see the ESXi host briefly disconnect from vCenter because other items (hostd) cannot write log entries fast enough.

the message is a side affect of the vCNI networking module.  If you use VXLAN, it won't produce this error state ... this is my strong suggestion if possible.  there are blogs on how to do the Forged Transmits and Prom mode with ESXi in a more automated sense since you can't do it like vCNI pools.