Hello there,
We have an environment with NSX-V 6.4.6 and traffic is being dropped on a specific rule, and we don't know why.
DFW log:
2020-08-06T10:54:59.805Z 48800 INET match PASS domain-c8/1225 OUT 48 TCP 10.140.40.41/37308->10.140.40.42/22 S
2020-08-06T10:54:59.806Z 59736 INET match PASS domain-c8/1225 IN 48 TCP 10.140.40.41/37308->10.140.40.42/22 S
Rule id 1225:
Src: any
Dst: LS_management (10.80.80.0/22)
Service: any
VM A needs to establish an SSH connection to VM B, and it is dropped by the rule above.
VM A: 10.140.40.41
VM B: 10.140.40.42
The IP addresses of the VMs do not belong to LS_management. Is there any way to know why this kind of traffic is matching on that rule?
Thanks!!
Your log is stating match PASS, which means the DFW is passing the traffic, as per the documentation here: Firewall Logs
If it's dropping the traffic, it should say something like below:
2020-08-06T10:54:59.805Z 48800 INET match DROP domain-c8/#### OUT 48 TCP 10.140.40.41/37308->10.140.40.42/22 S
For validating the rule, you can use the NSX Central CLI from NSX Manager or vsipioctl from the ESXi host.
Check out this blog post for vsipioctl: https://networkinferno.net/validating-distributed-firewall-rulesets-in-nsx
The NSX Central CLI will be something like below; you would need to know the ESXi host id and the filter name:
nsx-manager> show dfw host host-id filter nic-###-sfw.2
addrsets Show addrsets for the virtual nic filter
discoveredips get discovered VM IPs for the virtual nic filter
filterstats Show stats for a virtual nic filter
flows Show flows for the virtual nic filter
rule Show rule for the given rule-id
rules Show rules configured on a virtual nic filter
spoofguard Show spoofguard info for the virtual nic filter
stats Show stats for rules configured on a virtual nic filter
Hi,
The previous comment trace shows the policy allowing the traffic. The actual trace when I deny traffic is:
2020-08-06T11:35:59.152Z 48800 INET match DROP domain-c8/1225 OUT 48 TCP 10.140.40.41/37512->10.140.40.42/22 S
2020-08-06T11:36:00.153Z 48800 INET match DROP domain-c8/1225 OUT 48 TCP 10.140.40.41/37512->10.140.40.42/22 S
Thanks.
I can see that your extract is dropping connections between two VMs in network 10.140.40.x, but in your first post your firewall rule says that traffic is allowed from any source BUT to destination 10.80.80.x.
Is this the only firewall rule you have configured? Because the firewall rule you mentioned above does not match the conditions for allowing the traffic.
Hi,
There are more rules, but the one indicated by the logs is the one that blocks the traffic, and the configuration of the rule does not correspond to blocking those addresses, so I transfer the query here.
Can I provide you with any more information about the policy configuration to clarify the blocking?
Do you have access to ESXi SSH or to NSX Manager SSH?
To validate via ESXi SSH: https://networkinferno.net/validating-distributed-firewall-rulesets-in-nsx
Or, using the NSX Central CLI, locate the VM: what its name is and in which ESXi host it runs.
For the NSX Central CLI, SSH to NSX Manager and do the following:
show dfw cluster all < find the cluster-id
show dfw cluster cluster-id < find the host-id (ESXi Host)
show dfw host host-id < find the vm-id
show dfw vm vm-id < find the filter
show dfw host host-id filter nic-###-sfw.2 rules
show dfw host host-id filter nic-###-sfw.2 addrsets
Hi Bayu Wibowo
With your commands, I have verified that the IP of one of the machines (VM-B) appeared in the virtualwire list, and that is why it applied the firewall rule, blocking the traffic:
addrset ip-virtualwire-37 {
# generation number: 1597225414140
# realization time : 2020-08-12T09:43:39
. . . ....
. . . ....
. . . ....
ip 10.80.82.16,
ip 10.80.82.201,
ip 10.80.82.202,
ip 10.40.40.49,
ip 10.40.40.42,
}
If I look for the virtual machine on the distributed switch, it does not appear.
How can I remove the two IPs marked in red from the Virtualwire/Distributed Port Group?
Thank you for everything
Regards
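The diagnosis above (a DROP logged against rule 1225 whose destination object's realized addrset contains an IP outside the intended 10.80.80.0/22) can be reproduced offline. The following is an added example, not code from the thread or from VMware: it parses the vsfwd log line format and the `addrsets` output shown in the thread, then reports whether the logged destination is in the realized set versus the subnet the rule was meant to cover. The log line and addrset text are constructed samples modelled on the thread.

```python
import ipaddress
import re

# vsfwd log format as seen in the thread: ts hash INET match ACTION domain/rule DIR len PROTO src/port->dst/port flags
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<hash>\d+) INET match (?P<action>PASS|DROP) "
    r"(?P<domain>[^/ ]+)/(?P<rule>\d+) (?P<dir>IN|OUT) (?P<len>\d+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed samples (not the original poster's data, but shaped like it)
SAMPLE_LOG = ("2020-08-06T11:35:59.152Z 48800 INET match DROP domain-c8/1225 OUT 48 TCP "
              "10.140.40.41/37512->10.140.40.42/22 S")
SAMPLE_ADDRSETS = """addrset ip-virtualwire-37 {
# generation number: 1597225414140
# realization time : 2020-08-12T09:43:39
ip 10.80.82.16,
ip 10.80.82.201,
ip 10.140.40.42,
}
"""

def parse_dfw_log(line):
    """Return the fields of one DFW log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def parse_addrsets(text):
    """Parse 'show dfw ... addrsets' output into {addrset_name: [ip_address, ...]}."""
    sets, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("addrset ") and line.endswith("{"):
            current = line.split()[1]
            sets[current] = []
        elif line == "}":
            current = None
        elif current and line.startswith("ip "):     # skip '#' comment lines
            sets[current].append(ipaddress.ip_address(line[3:].rstrip(",")))
    return sets

def explain_match(log_line, addrsets_text, rule_addrset, intended_subnet):
    """Check whether the logged dst IP is in the realized addrset and/or the intended subnet."""
    ev = parse_dfw_log(log_line)
    dst = ipaddress.ip_address(ev["dst"])
    realized = parse_addrsets(addrsets_text).get(rule_addrset, [])
    return {"rule": ev["rule"], "action": ev["action"], "dst": str(dst),
            "in_realized_addrset": dst in realized,
            "in_intended_subnet": dst in ipaddress.ip_network(intended_subnet)}
```

When `in_realized_addrset` is True and `in_intended_subnet` is False, the rule is matching because of the object's realized membership (here a VM IP discovered on the logical switch), so the fix is in the object (e.g. an IPSet or Security Group), not the rule text.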
Is ip-virtualwire-37 > Logical Switch LS_management?
Do you have those IPs connected to the LS_Management?
If not, I'm not sure if that's expected or a bug.
I've tested in a lab: one VM has two IPs, 10.80.80.x and 10.40.40.x, on different vNICs.
The Logical Switch object only retrieves the IP addresses connected to the LS.
As an alternative, you can use different objects, e.g. a Security Group or an IPSet 10.40.40.x/y.
Hi Bayu Wibowo
We have solved the blocking of the traffic through an IPSet, as you told us from the beginning, and by creating a rule explicitly, but we are going to take the case to support so that we can solve the problem, since we do not have the machines connected to this distributed switch.
We will try to include the support actions in this same forum so that you have the answer they have given us.
Thanks for everything