With NSX identity-based firewall, deleting a domain user from an AD group does not synchronize immediately to a security group



Article ID: 303270


Updated On:

Products

VMware NSX

Issue/Introduction

Symptoms:
When using the NSX identity-based firewall feature, you notice the following symptoms:
  • After a user who is logged in to a VM is removed from an Active Directory user group, the VM remains in the NSX security group for some time.
  • The group membership change is not immediately reflected in the NSX security group.


Environment

NSX for vSphere 6.1.5

Cause

This behavior is by design in the affected version.

Resolution

This issue is resolved in NSX for vSphere 6.4.0.

Membership events in an LDAP environment are not sent immediately to NSX Manager. Instead, a delta sync process runs every three hours. A full sync must be triggered manually. After a full sync completes, NSX Manager deletes user objects with a last modified time older than the full sync start time.
 
In addition, after eight hours, the user is "logged off" automatically, and the VM is moved out of the security group.
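To estimate how long a removed user's VM can stay in the security group under the timing rules above, the following model is an added example, not VMware's code or NSX's actual implementation. It assumes delta syncs run on a fixed three-hour schedule from a known origin and that a full sync refreshes the last-modified time of every user it still finds in AD; the scenario timestamps are constructed.

```python
from datetime import datetime, timedelta

# Intervals stated in the KB: delta sync every three hours, automatic "log off" after eight hours.
DELTA_SYNC_INTERVAL = timedelta(hours=3)
AUTO_LOGOFF_AFTER = timedelta(hours=8)


def next_delta_sync(after, schedule_origin):
    """First delta sync strictly after `after`; a fixed schedule anchored at
    `schedule_origin` is this model's assumption, not something the KB states."""
    periods = (after - schedule_origin) // DELTA_SYNC_INTERVAL + 1
    return schedule_origin + periods * DELTA_SYNC_INTERVAL


def effective_removal_time(login_time, ad_removal_time, schedule_origin, full_sync_time=None):
    """Earliest moment the VM can leave the security group once the user is out of the
    AD group: the next delta sync, a manually run full sync, or the 8-hour auto log-off."""
    candidates = [next_delta_sync(ad_removal_time, schedule_origin), login_time + AUTO_LOGOFF_AFTER]
    if full_sync_time is not None and full_sync_time >= ad_removal_time:
        candidates.append(full_sync_time)
    return min(candidates)


def run_full_sync(user_objects, ad_members, full_sync_start, full_sync_end):
    """Purge rule from the KB: users still found in AD are refreshed (assumed to be stamped
    with the sync end time); objects whose last-modified time is still older than the
    sync start time are deleted. Returns (kept, purged)."""
    refreshed = dict(user_objects)
    for name in ad_members:
        refreshed[name] = full_sync_end
    purged = sorted(n for n, ts in refreshed.items() if ts < full_sync_start)
    kept = {n: ts for n, ts in refreshed.items() if ts >= full_sync_start}
    return kept, purged


def demo():
    """Constructed scenario (not from the KB): delta syncs run at 00:00, 03:00, 06:00, ..."""
    d = lambda h, m: datetime(2024, 1, 1, h, m)
    origin = d(0, 0)
    # Login 01:00, removed from the AD group 02:30: the 03:00 delta sync wins.
    t_delta = effective_removal_time(d(1, 0), d(2, 30), origin)
    # Login 00:00, removed 07:30: the 08:00 auto log-off beats the 09:00 delta sync.
    t_logoff = effective_removal_time(d(0, 0), d(7, 30), origin)
    # Same, but an administrator triggers a full sync at 07:45.
    t_full = effective_removal_time(d(0, 0), d(7, 30), origin, full_sync_time=d(7, 45))
    # Full sync at 12:00: "bob" is no longer in AD, "alice" still is.
    kept, purged = run_full_sync({"alice": d(9, 0), "bob": d(9, 0)}, {"alice"}, d(12, 0), d(12, 10))
    return {"delta": t_delta.strftime("%H:%M"), "logoff": t_logoff.strftime("%H:%M"),
            "full": t_full.strftime("%H:%M"), "kept": sorted(kept), "purged": purged}
```

The worst case for a removed user is therefore bounded by the next delta sync, and by the eight-hour log-off only when the user has been logged in long enough for that to come first; triggering a full sync shortens the window to the moment it runs.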