VMware NSX

  • 1.  NetScaler VPX 200 with NSX

    Posted Jun 19, 2017 07:07 AM

    Hi all,

    I deployed NSX and implemented the distributed firewall on all of my production servers, and everything works fine.

    Last week I tried to migrate my physically separated DMZ virtual environment into the production virtual environment and apply distributed firewall policy to create a logically defined DMZ environment.

    All other systems, such as the Apache reverse proxy and Lync Edge, work fine, but the Citrix NetScaler VPX 200 behaves very strangely and is very unstable. If I add the VPX to the exclusion list it works fine.

    I checked Log Insight while the distributed firewall policy was applied and found thousands of dropped packets (packet types A, FA and PA).

    Topology information

    Before                          After
    ESXi 5.5                        ESXi 6.1
    Standard switch port group      Distributed switch port group
    No NSX                          NSX deployed and distributed firewall policy applied

    FYI, the NetScaler VPX has multiple virtual hosts for load balancing and has one MAC address with multiple virtual IPs.

    Does anybody have any idea why this problem is happening to the NetScaler only? I have more than 300 guest OSes behind the distributed firewall and all work fine except the VPX; the only difference is that the VPX has a single MAC address with multiple virtual IP addresses.

    Cheers

    Binaya



  • 2.  RE: NetScaler VPX 200 with NSX

    Broadcom Employee
    Posted Jul 04, 2017 10:49 AM

    Could some required ports be closed? I'd recommend running a packet capture.



  • 3.  RE: NetScaler VPX 200 with NSX

    Posted Jul 12, 2017 12:34 PM

    This might be down to how DFW works.

    > ... I found thousands of dropped packets (packet types A, FA and PA)

    These are packets with the following TCP flags:

    A - ACK

    FA - FIN+ACK

    PA - PSH+ACK

    You did not share how many interfaces the VPX has, but this might be because the traffic comes and goes asymmetrically (say, it leaves on vnic0 and comes back in on vnic1).

    So how many interfaces are on the VPX?

    And check out the following KBs:

    Stateful behavior of the NSX Distributed Firewall in an asymmetric routing environment (2145340)

    Distributed Firewall (DFW) packets hitting Default Rule instead of previous Rule allowing/blocking designated traffic (2149818)

    HTH
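The asymmetric-path explanation in the reply above, worked through as an added example that is not part of this thread or of any VMware or Citrix code: a toy model of a stateful firewall that, like the DFW, keeps its connection state per vNIC. A flow whose SYN was seen on one vNIC is unknown to the filter on another vNIC, so mid-stream packets (A, PA, FA) that leave or arrive there are out of state and dropped, which is exactly the flag pattern the original post reports. The addresses, the vNIC names and the log lines are constructed for the example, and the log-line layout is only an approximation of the DFW packet-log format, not the exact one.

```python
"""Toy model of a stateful, per-vNIC firewall (DFW-like) under symmetric
and asymmetric traffic paths. Added example; not NSX or NetScaler code."""
from collections import Counter

# Constructed endpoints for the example: a client and a NetScaler VIP.
CLIENT = ("10.1.1.50", 51234)
VIP = ("10.2.2.10", 443)


def flow_key(src, sport, dst, dport):
    """Direction-independent key so a reply matches the entry its request created."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


class VnicFilter:
    """Stateful filter bound to one vNIC; it only ever sees traffic on that vNIC."""

    def __init__(self, name):
        self.name = name
        self.state = set()       # flow keys whose SYN this vNIC has seen
        self.drops = Counter()   # dropped packets, counted by TCP flag string

    def inspect(self, pkt):
        key = flow_key(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == "S":
            # New flow: a real DFW consults its rule table here. The model
            # assumes the rule allows it and records state on this vNIC only.
            self.state.add(key)
            return "PASS"
        if key in self.state:
            return "PASS"        # mid-stream packet of a flow this vNIC knows
        # No SYN was seen on this vNIC, so the packet is out of state: drop it.
        # (Teardown and timeouts are omitted from the model.)
        self.drops[pkt["flags"]] += 1
        return "DROP"


def pkt(src, dst, flags, vnic):
    """One packet; src/dst are (ip, port) tuples, vnic is where it is seen."""
    return {"src": src[0], "sport": src[1], "dst": dst[0], "dport": dst[1],
            "flags": flags, "vnic": vnic}


def session(reply_vnic):
    """One HTTPS session client->VIP. The handshake and all client packets are
    on vnic0; VPX packets after the handshake leave via reply_vnic."""
    return [
        pkt(CLIENT, VIP, "S", "vnic0"),
        pkt(VIP, CLIENT, "SA", "vnic0"),
        pkt(CLIENT, VIP, "A", "vnic0"),
        pkt(CLIENT, VIP, "PA", "vnic0"),      # request
        pkt(VIP, CLIENT, "A", reply_vnic),    # ack of the request
        pkt(VIP, CLIENT, "PA", reply_vnic),   # response
        pkt(CLIENT, VIP, "A", "vnic0"),
        pkt(VIP, CLIENT, "FA", reply_vnic),   # server closes
        pkt(CLIENT, VIP, "FA", "vnic0"),
    ]


def simulate(packets):
    """Run packets through one filter per vNIC; return drops per vNIC by flag."""
    filters = {}
    for p in packets:
        f = filters.setdefault(p["vnic"], VnicFilter(p["vnic"]))
        f.inspect(p)
    return {name: dict(f.drops) for name, f in filters.items()}


# Constructed log lines in an approximate dfwpktlogs-style layout (assumed
# format, not the exact NSX one): the last field carries the TCP flags.
SAMPLE_LOG = [
    "2017-06-19T07:07:01.101Z INF 4a3e7c9f INET match PASS domain-c7/1002 IN 60 TCP 10.1.1.50/51234->10.2.2.10/443 S",
    "2017-06-19T07:07:01.104Z INF 4a3e7c9f INET match DROP domain-c7/1001 OUT 52 TCP 10.2.2.10/443->10.1.1.50/51234 A",
    "2017-06-19T07:07:01.105Z INF 4a3e7c9f INET match DROP domain-c7/1001 OUT 1452 TCP 10.2.2.10/443->10.1.1.50/51234 PA",
    "2017-06-19T07:07:01.106Z INF 4a3e7c9f INET match DROP domain-c7/1001 OUT 1452 TCP 10.2.2.10/443->10.1.1.50/51234 PA",
    "2017-06-19T07:07:01.240Z INF 4a3e7c9f INET match DROP domain-c7/1001 OUT 52 TCP 10.2.2.10/443->10.1.1.50/51234 FA",
]


def summarize_drops(lines):
    """Count DROP entries by TCP flag string. If the drops are almost all
    A/PA/FA with no S, the flows were opened elsewhere: suspect asymmetry."""
    counts = Counter()
    for line in lines:
        fields = line.split()
        if "DROP" in fields:
            counts[fields[-1]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("symmetric :", simulate(session("vnic0")))
    print("asymmetric:", simulate(session("vnic1")))
    print("log drops :", summarize_drops(SAMPLE_LOG))
```

Run it and the symmetric session shows no drops, while the asymmetric one drops exactly the A, PA and FA packets on vnic1, the vNIC that never saw the SYN. The same reasoning applies to real captures: if a packet capture on the VPX's vNICs shows the handshake on one port and data or FIN packets on another, the per-vNIC state explains the Log Insight drops and the KBs cited above are the place to start.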