<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Networking on NPetersen</title><link>/tags/networking/</link><description>Recent content in Networking on NPetersen</description><generator>Hugo</generator><language>en</language><lastBuildDate>Tue, 06 Sep 2022 00:10:00 +0100</lastBuildDate><atom:link href="/tags/networking/index.xml" rel="self" type="application/rss+xml"/><item><title>NSX Troubleshooting, what changed in the firewall?</title><link>/posts/nsx-what-changed/</link><pubDate>Tue, 06 Sep 2022 00:10:00 +0100</pubDate><guid>/posts/nsx-what-changed/</guid><description>&lt;p&gt;I found a neat feature that I didn't know in the NSX Manager during a late night.
Every publish/change creates a configuration point, so you can see what changed from then -&amp;gt; now.&lt;/p&gt;
&lt;p&gt;This is useful for troubleshooting when something stops working and the cause might be a DFW configuration issue.&lt;/p&gt;
&lt;p&gt;Go to the DFW and, above the categories, click &amp;quot;Actions&amp;quot; -&amp;gt; under Drafts click &amp;quot;View&amp;quot;.
You will be presented with the saved configurations:&lt;/p&gt;
&lt;p&gt;&lt;a href="/img/NSX-T_DFW-FWChanges.png"&gt;&lt;img src="/img/NSX-T_DFW-FWChanges.png" alt="NSX-T DFW Changes"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;So let's go into troubleshooting mode, and let's say something stopped working at 10:32. I can find the date in the above screenshot and point at the dots and see the timestamps - look below:&lt;/p&gt;</description></item><item><title>NSX-T 4.0.0.1 - What's new?</title><link>/posts/nsxt-40/</link><pubDate>Wed, 17 Aug 2022 00:10:00 +0100</pubDate><guid>/posts/nsxt-40/</guid><description>&lt;p&gt;In NSX-T 4.0.0.1, VMware changed their naming scheme (again, some would say) to just NSX.
One of the biggest features, and long overdue, is IPv6 support for management. There is also a new feature for blocking malicious IPs, which we will look at below.&lt;/p&gt;
&lt;p&gt;Here are the Release Notes: &lt;a href="https://docs.vmware.com/en/VMware-NSX/4.0/rn/vmware-nsx-4001-release-notes/index.html"&gt;https://docs.vmware.com/en/VMware-NSX/4.0/rn/vmware-nsx-4001-release-notes/index.html&lt;/a&gt;&lt;/p&gt;
&lt;h1 id="block-malicious-ips"&gt;Block Malicious IPs:&lt;/h1&gt;
&lt;p&gt;In the Release Notes the following is written:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Block Malicious IPs in Distributed Firewall is a new capability that allows the ability to block traffic to and from Malicious IPs. This is achieved by ingesting a feed of Malicious IPs provided by VMware Contexa. This feed is automatically updated multiple times a day so that the environment is protected with the latest malicious IPs. For existing environments the feature will need to be turned on explicitly. For new environments, the feature will be default enabled.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;My lab environment is an existing installation, so it will need to be turned off explicitly, as the release notes say. Luckily that's quite easy in NSX-T.&lt;/p&gt;
&lt;p&gt;We also know it's part of VMware Contexa, which is VMware's take on a cloud security platform. I actually didn't know about Contexa before this update; it looks cool. We might see more of Contexa in later NSX releases, maybe within NSX Intelligence, where more of Contexa already appears to be.&lt;/p&gt;
&lt;h2 id="lets-setup-auto-update"&gt;Let's set up auto update:&lt;/h2&gt;
&lt;p&gt;As you can see below, right after upgrading the NSX-T Manager to 4.x you will see warnings telling you:
&lt;em&gt;Auto Update Malicious IPs is turned off. All rules containing groups with malicious IPs might not work at all or work with outdated data if available.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="/img/NSX-T_DFW-Warnings-MaliciousIPS.png"&gt;&lt;img src="/img/NSX-T_DFW-Warnings-MaliciousIPS.png" alt="NSX-T DFW Warnings"&gt;&lt;/a&gt;&lt;/p&gt;</description></item><item><title>High latency for VMs in NSX-T (VLAN)</title><link>/posts/highlatencynsxt/</link><pubDate>Mon, 15 Aug 2022 00:02:00 +0100</pubDate><guid>/posts/highlatencynsxt/</guid><description>&lt;p&gt;NSX-T Version: 4.0.0.1.0.20159689&lt;/p&gt;
&lt;p&gt;I was experiencing high latency in NSX-T for all my VMs, and I couldn't figure out why. VMs on the same host that weren't on an NSX-T segment had +90ms in latency.
I was pinging from a VM on VLAN 10 to a VM that's part of my NSX environment on VLAN 20. Both VMs were on the same host, and I don't have any NSX-T Overlay routing, so it was kinda weird.&lt;/p&gt;
&lt;p&gt;Let me first show you how the latency was fluctuating:
&lt;img src="/img/NSX-T_latency_issue.png" alt="NSX-T high VM latency"&gt;&lt;/p&gt;
&lt;p&gt;As you can see above, the latency ranged from 8ms at the low end to 150+ ms per ping at the very high end. That's not acceptable, especially when the VMs are on the same host and there is only 1 router between the VLANs.&lt;/p&gt;</description></item></channel></rss>