The drawing below shows the current architecture.
If a request arrives from the outside, passes through the firewall, and the firewall starts communicating with a VM connected to a NIC on the BR1-UP bond of the BR1 bridge, the ARP request for the resolution of the VM address stops at the bridge BR1 and does not reach the VM; in this case the firewall and VM ARP tables remain unpopulated and the communication stops.
On the other hand, if the communications depart from the VM to the Firewall (for example with a ping) the ARP request is processed by the firewall and the ARP tables of firewall and VM are correctly populated with the respective MAC ADDRs.
Firewall IP and VM IP are in the same broadcast domain, no routing.
I checked with Wireshark on the Windows VM, and with tcpdump and ovs-appctl fdb/show on the Nutanix host: when the communication starts from the firewall, the ARP request goes up to the physical card of the BR1 bridge (Eth0) but does not reach the Windows VM.
Has this happened to anyone? Can you give me some suggestions for in-depth troubleshooting?
p.s.: layer 3 level works fine
Firewall Fortigate: FW Ver. 5.6.3
Switches Cisco Nexus 5K Series
Nutanix Node NX 8035G5
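One way to turn the capture comparison described in the post into a repeatable check, as an added example that is not code from the thread, from Nutanix or from Fortinet: capture ARP with tcpdump at each point along the path (physical NIC, bond, bridge, VM tap) and let a script report the last point at which a given request is still visible and whether any reply came back. The interface names (eth0, br1-up, br1, tap-vm), the addresses and the tcpdump lines below are constructed for the example.

```python
"""Localise where an ARP request is lost along an OVS bridge path.

Added example (not from the original thread). Given `tcpdump -eni <if> arp`
output collected at several capture points on the host, report the last
point where a request for a given IP was seen and where replies were seen.
"""
import re
from typing import Dict, List, Optional

# Patterns for the two ARP line shapes tcpdump prints (assumed format).
ARP_REQUEST = re.compile(
    r"Request who-has (?P<target>\d+\.\d+\.\d+\.\d+) tell (?P<sender>\d+\.\d+\.\d+\.\d+)")
ARP_REPLY = re.compile(
    r"Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-fA-F:]{17})")

# Constructed sample lines: firewall 10.10.10.1, VM 10.10.10.50 (not real captures).
FW_REQ = ("12:00:01.000100 00:09:0f:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
          "length 60: Request who-has 10.10.10.50 tell 10.10.10.1, length 46")
VM_REQ = ("12:00:05.000200 00:50:56:00:00:50 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
          "length 42: Request who-has 10.10.10.1 tell 10.10.10.50, length 28")
FW_REPLY = ("12:00:05.000300 00:09:0f:00:00:01 > 00:50:56:00:00:50, ethertype ARP (0x0806), "
            "length 60: Reply 10.10.10.1 is-at 00:09:0f:00:00:01, length 46")

# Capture points ordered from the uplink toward the VM (assumed names).
PATH = ["eth0", "br1-up", "br1", "tap-vm"]

# Constructed captures reproducing the symptom in the post: the firewall's
# request is visible up to br1 but never on the VM tap, while the VM-initiated
# exchange is visible end to end.
SAMPLE_CAPTURES: Dict[str, List[str]] = {
    "eth0": [FW_REQ, VM_REQ, FW_REPLY],
    "br1-up": [FW_REQ, VM_REQ, FW_REPLY],
    "br1": [FW_REQ, VM_REQ, FW_REPLY],
    "tap-vm": [VM_REQ, FW_REPLY],
}


def parse_arp_line(line: str) -> Optional[dict]:
    """Return a small record for an ARP request/reply line, or None if it is neither."""
    m = ARP_REQUEST.search(line)
    if m:
        return {"op": "request", "target": m.group("target"), "sender": m.group("sender")}
    m = ARP_REPLY.search(line)
    if m:
        return {"op": "reply", "ip": m.group("ip"), "mac": m.group("mac").lower()}
    return None


def trace_arp(captures: Dict[str, List[str]], path: List[str], target_ip: str) -> dict:
    """Walk the capture points in path order and locate where the request for target_ip stops.

    Returns which points saw the request, the last of them, the point after
    which it vanished (None if it reached the end of the path), and which
    points saw a reply carrying target_ip's MAC.
    """
    request_seen: List[str] = []
    reply_seen: List[str] = []
    for iface in path:
        for line in captures.get(iface, []):
            rec = parse_arp_line(line)
            if rec is None:
                continue
            if rec["op"] == "request" and rec["target"] == target_ip and iface not in request_seen:
                request_seen.append(iface)
            elif rec["op"] == "reply" and rec["ip"] == target_ip and iface not in reply_seen:
                reply_seen.append(iface)
    last = request_seen[-1] if request_seen else None
    # The request was dropped after the last point that saw it, unless that point is the end of the path.
    dropped_after = last if last is not None and path.index(last) < len(path) - 1 else None
    return {
        "request_seen_on": request_seen,
        "last_seen": last,
        "dropped_after": dropped_after,
        "reply_seen_on": reply_seen,
    }


if __name__ == "__main__":
    for ip, label in (("10.10.10.50", "firewall -> VM"), ("10.10.10.1", "VM -> firewall")):
        r = trace_arp(SAMPLE_CAPTURES, PATH, ip)
        print(f"{label}: request seen on {r['request_seen_on']}, "
              f"dropped after {r['dropped_after']}, reply seen on {r['reply_seen_on']}")
```

In practice the four lists would be filled from `tcpdump -eni <iface> arp` run on each capture point at the same time while the firewall pings the VM; a `dropped_after` value names the hop whose forwarding or flow table to inspect next (for an OVS bridge, `ovs-appctl fdb/show` and `ovs-ofctl dump-flows` on that bridge).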
Best answer by UPX
We are still investigating why ARP request stops on the Nutanix bridge when the VPC is on.