Stateful Edge firewall does not work between Tier-0 uplinks.

Problem

A loopback or hairpin is created when a Tier-0 router has multiple uplinks and traffic ingresses on one uplink and egresses on another. When this occurs, firewall rules and NAT are processed only when the packet ingresses on the original uplink. As a result, the reply returning on the second uplink does not match the original session, and the packet may be dropped.

Cause

Services are processed once during the hairpinning process, not on both interfaces. This causes the reply to be treated as a separate flow rather than as part of the original flow, because the packet direction is IN for both the initial packet and the reply.
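The session-matching behaviour described above, as an added toy model rather than NSX-T code: a session table that records the direction of the packet that opened a flow, processes services once per hairpinned flow, and, when a destination NAT rule is present, tries the reply against the original session as the Solution section describes. The addresses, ports and the single firewall rule are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "IN" or "OUT" relative to the SR, as seen on the uplink it hits


# Constructed rule set: only inbound HTTPS to the server behind uplink 2 is allowed as a new flow.
RULES = [("tcp", "203.0.113.10", 443)]


def rule_allows(p):
    return p.direction == "IN" and (p.proto, p.dst, p.dport) in RULES


def flow_key(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_key(key):
    proto, src, sport, dst, dport = key
    return (proto, dst, dport, src, sport)


class HairpinFirewall:
    """Session table of an SR that processes services once for a hairpinned flow."""

    def __init__(self, dnat_present):
        self.dnat_present = dnat_present
        self.sessions = {}  # forward key -> direction recorded when the session was created

    def process(self, p):
        key = flow_key(p)
        if key in self.sessions:
            return "allow:existing"
        rev = reverse_key(key)
        if rev in self.sessions:
            # A normal reply travels in the opposite direction to the packet that opened the session.
            expected = "OUT" if self.sessions[rev] == "IN" else "IN"
            if p.direction == expected or self.dnat_present:
                return "allow:reply"
            # Hairpin: the reply ingresses the second uplink, so it is IN like the original
            # and falls through to be evaluated as a new flow.
        if rule_allows(p):
            self.sessions[key] = p.direction
            return "allow:new"
        return "drop:no-matching-rule"


def simulate(dnat_present):
    """Run one request/reply pair through the model; returns the two verdicts."""
    fw = HairpinFirewall(dnat_present)
    request = Packet("tcp", "198.51.100.7", 51000, "203.0.113.10", 443, "IN")  # enters on uplink 1
    reply = Packet("tcp", "203.0.113.10", 443, "198.51.100.7", 51000, "IN")    # returns on uplink 2
    return [fw.process(request), fw.process(reply)]
```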

Solution

  1. If no destination NAT rules are present on the SR, add one. A destination NAT rule causes the reply to be matched against the original session rather than being treated as a new session, so the packet is not dropped. See Configure Source and Destination NAT on a Tier-0 Router in the NSX-T Data Center Administration Guide.