CVSS 6.5 HIGH
The severity is rated HIGH due to the potential for network disruptions that can affect pod-to-pod communication in a Kubernetes cluster, especially across different subnets. Real-world exploitability is high as it affects the infrastructure layer and impacts service availability directly. Patches or updates specific to this issue are not yet available, indicating an open window of exposure until remediation steps are applied.

This advisory addresses an issue where the VMware/NSX infrastructure silently drops VXLAN packets inside guest VMs, specifically impacting RKE2 with Canal CNI deployed across different L3 subnets. The root cause is the hypervisor layer performing deep packet inspection (DPI) on UDP port 8472 and discarding any packets with a valid VXLAN header, while allowing other types of traffic such as regular UDP, ICMP, or large MTU pings to pass through unaffected. This issue disrupts pod-to-pod communication across different availability zones (AZs), leading to intermittent failures in network connectivity for containers managed by RKE2. The vulnerability highlights the need for careful configuration and monitoring of networking layers when deploying Kubernetes clusters in environments with advanced virtualization and security features like those provided by VMware/NSX.
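As an added diagnostic that is not part of the advisory, the following script sends the same UDP payload to a peer node twice, once bare and once behind a well-formed VXLAN header (RFC 7348), so the two cases the advisory distinguishes (plain UDP on 8472 delivered, VXLAN-framed UDP on 8472 silently dropped) can be compared directly. It assumes an echo listener started with this same script on the far node with the port free (stop flannel there first, or pass a spare port to both sides), and it assumes VNI 1 as Flannel's default.

```python
import socket
import struct
import sys

VXLAN_PORT = 8472    # Flannel's default VXLAN port, per the advisory
VXLAN_FLAG_I = 0x08  # "VNI valid" flag bit (RFC 7348)


def build_vxlan_frame(vni: int, inner: bytes) -> bytes:
    """Prefix inner with the 8-byte VXLAN header: flags, 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3sI", VXLAN_FLAG_I, b"\x00\x00\x00", vni << 8) + inner


def parse_vxlan_frame(frame: bytes):
    """Return (vni, inner) if frame carries a valid VXLAN header, else None."""
    if len(frame) < 8:
        return None
    flags, _reserved, vni_field = struct.unpack("!B3sI", frame[:8])
    return (vni_field >> 8, frame[8:]) if flags & VXLAN_FLAG_I else None


def send_probe(dst: str, port: int, payload: bytes, timeout: float = 1.0) -> bool:
    """Send one datagram; True if the listener on dst echoed it back unchanged."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (dst, port))
        try:
            return s.recvfrom(65535)[0] == payload
        except socket.timeout:
            return False


def listen(port: int) -> None:
    # Echo every datagram so the sender can tell "delivered" from "silently dropped".
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        while True:
            data, peer = s.recvfrom(65535)
            s.sendto(data, peer)


if __name__ == "__main__":
    args = sys.argv[1:]  # usage: listen [port] | send <dst-ip> [port]
    port = int(args[-1]) if args and args[-1].isdigit() else VXLAN_PORT
    if args[:1] == ["listen"]:
        listen(port)
    elif args[:1] == ["send"] and len(args) >= 2:
        inner = b"vxlan-path-probe"  # constructed payload
        plain = send_probe(args[1], port, inner)
        framed = send_probe(args[1], port, build_vxlan_frame(1, inner))  # VNI 1: assumed Flannel default
        print(f"plain UDP/{port}: {'delivered' if plain else 'dropped'}")
        print(f"VXLAN-framed UDP/{port}: {'delivered' if framed else 'dropped'}"
              + ("  <- plain passes, VXLAN filtered: matches the advisory" if plain and not framed else ""))
```

Running the sender from a node in one AZ against a listener in another AZ (across the L3 boundary) isolates the hypervisor path; repeating it within one subnet gives the control case.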

Affected Systems
  • RKE2 with Canal CNI
  • VMware/NSX
Affected Versions: All versions using VXLAN on UDP port 8472
Remediation
  • Change the VXLAN backend port used by Flannel from 8472 to a non-standard port, such as 4790, by modifying the configuration file `/etc/flanneld/flanneld.conf` and setting `--vxlan-port=4790`.
  • Upgrade or reconfigure NSX to disable DPI on VXLAN packets if possible, ensuring that it does not interfere with legitimate traffic. Consult VMware documentation for specific instructions.
  • Consider switching from Flannel's VXLAN backend to WireGuard or another CNI plugin that uses a different encapsulation method to avoid the issue.
Stack Impact

This vulnerability impacts homelab stacks using RKE2 and Canal CNI, particularly in setups involving multiple AZs across different L3 subnets. The configuration files affected include `/etc/flanneld/flanneld.conf` for Flannel settings and any NSX configurations that might need adjustments.
