DFW rules with "Applied To" set to a "Security Group" are not published to hosts
search cancel

DFW rules with "Applied To" set to a "Security Group" are not published to hosts

book

Article ID: 301220

calendar_today

Updated On:

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
DFW rules with the "Applied To" field set to Security Group are not pushed to ESXi hosts in some vSphere clusters.

Environment

VMware NSX for vSphere 6.2.x

Cause

The NSX Manager must determine which vSphere clusters the DFW rules are applied to. It performs this calculation based on the inventory updates from vCenter and the entity specified in the "Applied To" field.
When the "Applied To" field is a Security Group, the span is globalroot-0 which includes all the clusters. For performance optimization, the NSX Manager caches this information.
 
Due to a change introduced in NSX for vSphere 6.2.3, if a new cluster is added to the environment, the NSX managers cache is not updated to include the new cluster.
 
Because of this rules which have an "Applied To" field of Security Group are not pushed to all vSphere clusters for the following scenarios:
  • DFW rule modification
  • New DFW rule creation
  • DFW section modification

Resolution

The cache issue is resolved in VMware NSX for vSphere 6.2.5 and later releases, available at VMware Downloads.

Upgrading to NSX 6.2.5 and later releases only fix the cache issue for new or modified DFW section/rules. The workaround needs to be applied to fix impacted DFW section/rules from previous release. To identify impacted DFW section/rules please contact VMware support. To contact VMware support, see Filing a Support Request in Customer Connect (2006985) or How to Submit a Support Request.

To fix the rules / sections affected by this issue, the following steps are required:
  • Clear the cluster cache by restarting the NSX Manager service.
  • Update all DFW sections (click edit, don't make any change, click save then publish) to force the recalculation of the cluster list for all rules in the DFW section which have an "Applied To" field of Security Group using the new cache which include all vSphere clusters in the environment.
Note: New vSphere clusters that are subsequently added will experience the same issue until this workaround is applied or upgrade to VMware NSX for vSphere 6.2.5 or later releases.


Additional Information

「適用先」が「セキュリティ グループ」に設定されている DFW ルールがホストに発行されない
“应用于”设置为“安全组”的 DFW 规则未发布到主机