NSX-V Edge – Disable ALG

NSX-V 6.4.11 and 6.4.12 introduced a bug in the Application Layer Gateway (ALG) that caused packet drops.

From the release notes of NSX-V 6.4.13, it states:

Fixed Issue 2886595: ALG-based services are not working in NSX Data Center for vSphere 6.4.11 and 6.4.12.

Edge Firewall drops packets for ALG-based services FTP/SFTP/SNMP when using NSX Data Center for vSphere 6.4.11 and 6.4.12.

A temporary workaround is to disable ALG on the affected edge until the NSX-V installation can be upgraded to 6.4.13 or 6.4.14.

Procedure

  • Connect to the NSX Manager as admin and enter enable mode by typing: enable
  • Enter engineering mode by typing: st en
  • Enter the NSX Manager root password: IAmOnThePhoneWithTechSupport
  • Get the root password for the Edge by running the script with the edge ID:
    /home/secureall/secureall/sem/WEB-INF/classes/GetSpockEdgePassword.sh edge-ID
[root@nsxvmanager ~]# /home/secureall/secureall/sem/WEB-INF/classes/GetSpockEdgePassword.sh edge-1269
Edge root password:
        edge-1269       -> u8ORKdfFIM$hZ
[root@nsxvmanager ~]#
  • Access the Edge VM console, log in as the admin user and enter enable mode by typing: enable
  • Enable engineering mode by typing: debug engineeringmode enable
  • Enter the root shell on the Edge by typing: st en, and supply the password obtained from the NSX Manager
  • Run the following commands. The first makes the workaround persist across reboots; the second changes the setting in the running kernel without a reboot.
    echo "net.netfilter.nf_conntrack_helper = 1" >> /etc/sysctl.conf
    sysctl net.netfilter.nf_conntrack_helper=1
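As an added example (not from the original post), a small POSIX shell script that persists the same sysctl setting idempotently: the `>>` append in the step above adds another line every time it is run, so this version rewrites an existing `net.netfilter.nf_conntrack_helper` entry instead of duplicating it. The config path and value are parameters whose defaults match the workaround.

```shell
#!/bin/sh
# Added example, not part of the original post. Persist the
# nf_conntrack_helper setting in a sysctl.conf-style file exactly once.
# $1 = config file (default /etc/sysctl.conf), $2 = value (default 1).
set_conntrack_helper() {
    conf="${1:-/etc/sysctl.conf}"
    value="${2:-1}"
    key="net.netfilter.nf_conntrack_helper"
    tmp="${conf}.tmp.$$"
    [ -f "$conf" ] || : > "$conf"
    # Rewrite any existing entry for the key (whatever its value or spacing),
    # drop duplicates, and append the entry only if none was present.
    awk -v k="$key" -v v="$value" '
        BEGIN { found = 0 }
        $0 ~ ("^[ \t]*" k "[ \t]*=") {
            if (!found) { print k " = " v; found = 1 }
            next
        }
        { print }
        END { if (!found) print k " = " v }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
    # Report how many lines now carry the wanted setting (expected: 1).
    grep -c "^${key} = ${value}$" "$conf"
}

# Apply the value to the running kernel without a reboot.
# Only meaningful when run as root on the Edge itself.
apply_conntrack_helper() {
    sysctl -w "net.netfilter.nf_conntrack_helper=${1:-1}"
}
```

Run `set_conntrack_helper` on the Edge to persist the setting, then `apply_conntrack_helper` to change it live; both accept a different value if the setting later has to be reverted.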

Conclusion

Since the procedure above is done directly on the edge, it will not survive an edge redeploy: a redeploy takes its configuration from the NSX Manager and ignores changes made directly on the edge itself.

Of course, the correct solution is to upgrade the NSX Manager to the latest version and then upgrade the edge version.

Jesper Ramsgaard