NSX DFW exclusion list freezing when adding or removing a virtual machine
Article ID: 303250

Products

VMware NSX

Issue/Introduction

When adding or removing a virtual machine (VM) from the Distributed Firewall (DFW) Exclusion List in the vSphere Web Client, the Exclusion List view freezes. The user interface (UI) stops responding and the area around the Exclusion List view is greyed out, so the vSphere Web Client has to be reloaded.

Cause

This issue occurs when a VM with an empty scope is present in the DFW Exclusion List (this can sometimes occur with template or shell VMs).

In the screen capture above, note the empty scope for the virtual machine UPSA11.

Resolution

This issue is resolved in VMware NSX Data Center for vSphere 6.4.7.

Workaround

To interact normally with the DFW Exclusion List in the vSphere Web Client again, identify the VM with an empty scope in the DFW Exclusion List and remove it by using the REST API.

  1. Use the following API call to query the complete DFW exclusion list configuration and identify the VMs without a "scope" section:
    GET https://{nsx-manager-ip}/api/2.1/app/excludelist

        Valid virtual machine:


    <member>
        <objectId>vm-28</objectId>
        <objectTypeName>VirtualMachine</objectTypeName>
        <vsmUuid>422B734B-6FC9-####-####-############</vsmUuid>
        <nodeId>37645b9f-9ebe-####-####-############</nodeId>
        <revision>11</revision>
        <type>
            <typeName>VirtualMachine</typeName>
        </type>
        <name>HQ-VCSA-01a</name>
        <scope>
            <id>resgroup-v83</id>
            <objectTypeName>VirtualApp</objectTypeName>
            <name>MGMT</name>
        </scope>
        <clientHandle></clientHandle>
        <extendedAttributes/>
        <isUniversal>false</isUniversal>
        <universalRevision>0</universalRevision>
        <isTemporal>false</isTemporal>
    </member>

        Virtual machine with an empty scope:


    <member>
        <objectId>vm-141</objectId>
        <objectTypeName>VirtualMachine</objectTypeName>
        <vsmUuid>422B734B-6FC9-####-####-############</vsmUuid>
        <nodeId>37645b9f-9ebe-####-####-############</nodeId>
        <revision>20</revision>
        <type>
            <typeName>VirtualMachine</typeName>
        </type>
        <name>UPSA11</name>
        <clientHandle></clientHandle>
        <extendedAttributes/>
        <isUniversal>false</isUniversal>
        <universalRevision>0</universalRevision>
        <isTemporal>false</isTemporal>
    </member>

  2. Remove the objects with no scope from the exclusion list with the following REST API call (the member ID is obtained from the GET output above):

    DELETE https://{nsx-manager-ip}/api/2.1/app/excludelist/{memberID}
  3. Once done, run a force sync for the firewall of the NSX prepared cluster, refresh the browser or log out/log back into vCenter.
  4. It should now be possible to access and modify the Exclusion List again.
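
The check in step 1 can be scripted against a saved copy of the GET response. The following is an added example, not part of the original article or VMware's own tooling: it flags every `<member>` that has no `<scope>` section and prints the step 2 DELETE URL for review without sending anything. Assumptions: the `<excludeList>` wrapper element in the sample is constructed, the `{memberID}` in step 2 is taken to be the member's `objectId`, and a `<scope>` element with no `<id>` is also treated as empty, which goes slightly beyond the case shown in the article.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the two <member> entries shown in step 1.
# The <excludeList> wrapper is an assumption; only <member> elements are read.
SAMPLE_RESPONSE = """\
<excludeList>
    <member>
        <objectId>vm-28</objectId>
        <objectTypeName>VirtualMachine</objectTypeName>
        <name>HQ-VCSA-01a</name>
        <scope>
            <id>resgroup-v83</id>
            <objectTypeName>VirtualApp</objectTypeName>
            <name>MGMT</name>
        </scope>
    </member>
    <member>
        <objectId>vm-141</objectId>
        <objectTypeName>VirtualMachine</objectTypeName>
        <name>UPSA11</name>
    </member>
</excludeList>
"""


def members_without_scope(xml_text):
    """Return (objectId, name) for every <member> lacking a usable <scope>."""
    root = ET.fromstring(xml_text)
    flagged = []
    for member in root.iter("member"):
        scope = member.find("scope")
        # Missing <scope>, or a <scope> with no <id>, both count as empty.
        if scope is None or not (scope.findtext("id") or "").strip():
            flagged.append((member.findtext("objectId"), member.findtext("name")))
    return flagged


def delete_urls(xml_text, manager="{nsx-manager-ip}"):
    """Build the step 2 DELETE URLs for review; nothing is sent."""
    # Assumption: {memberID} in step 2 is the member's objectId.
    base = f"https://{manager}/api/2.1/app/excludelist"
    return [f"{base}/{oid}" for oid, _ in members_without_scope(xml_text) if oid]


if __name__ == "__main__":
    for oid, name in members_without_scope(SAMPLE_RESPONSE):
        print(f"empty scope: {name} ({oid})")
    for url in delete_urls(SAMPLE_RESPONSE):
        print("DELETE", url)
```

Review the flagged entries against the vCenter inventory before issuing any DELETE, since removing a VM from the exclusion list places it back under DFW enforcement.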