The issue does not affect a vm that is attached directly to the VDS. It's only an issue with nsx segments.
Edge to Router connectivity: 2 failure domains each containing 2 edge vms and 2 routers, dynamic routing with bgp
Host to Switches: 2x10Gb connections per host, lacp
L2 or L3 dropping? After further testing, I believe the answer is that both L2 and L3 are working, but DFW may be blocking some of the packets during the outage.
To test L2/L3 connectivity I had wireshark logging all of the network traffic on the machine being vmotion'd. I was pinging from another vm on the same nsx segment. The packet trace showed about 16 seconds of missing ping packets, but in the middle of the ping outage are successful arp, dns, and ldap requests. The successful arp requests are from the gateway and the vm I'm pinging from.
The firewall rules for the dns and ldp requests allow requests from large IP ranges to security groups and are "applied to" DFW.
The firewall rules for the pings allow requests from any to security groups, and are "applied to" security groups.
The default firewall rule is set to drop.
Here is a picture of the packet trace:
vcenter reported that the vmotion completed during the same second that packets 1753-1754 were received.
10.7.6.76 is the system capturing the traffic and being vmotion'd
10.7.6.77 is the system sending the test ping packets. It's on the same network segment as the capturing system
10.7.6.73 is the tier-1 gateway for the nsx segment
10.7.2.40 and 10.7.2.18 are servers outside of this virtual infrastructure.
Thanks,
Erik