Security Policy fails to publish with java.lang.NullPointerException

Article ID: 303352

Products

VMware NSX

Issue/Introduction

Symptoms:
  • A Security Policy fails to publish with java.lang.NullPointerException
  • In the affected Security Policy, a rule contains a Raw Port-Protocols object (Raw Port-Protocols in the UI, L4PortSetServiceEntry in the API) whose Service Entry is based on TCP or UDP with no destination port specified, for example:
"service_entries": [
  {
    "l4_protocol": "TCP",
    "resource_type": "L4PortSetServiceEntry"
  }
]
  • The policy logs (retrieved with get log-file policy.log) contain messages similar to the following:
2020-01-01T01:01:01.000Z  WARN providerTaskExecutor-62 FirewallProviderNSXT - POLICY [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="policy"] Error occurred while realizing section /infra/domains/default/security-policies/aaaaaaaa-bbbb-cccc-1111-000000000000
java.lang.NullPointerException: null
        at java.util.Objects.requireNonNull(Objects.java:203) ~[?:1.8.0_241]
        at java.util.Arrays$ArrayList.<init>(Arrays.java:3813) ~[?:1.8.0_241]
        at java.util.Arrays.asList(Arrays.java:3800) ~[?:1.8.0_241]
        at com.vmware.nsx.management.policy.providers.NSServiceProviderUtils.generateNSServiceElement(NSServiceProviderUtils.java:87) ~[policy-framework-api-1.0.jar:?]

2020-01-01T01:01:01.000Z ERROR providerTaskExecutor-62 PolicyProviderUtil - POLICY [nsx@6876 comp="nsx-manager" errorCode="MP500015" level="ERROR" subcomp="policy"] Unexpected exception received during provider invocation.
java.lang.NullPointerException: null
        at java.util.Objects.requireNonNull(Objects.java:203) ~[?:1.8.0_241]
        at java.util.Arrays$ArrayList.<init>(Arrays.java:3813) ~[?:1.8.0_241]
        at java.util.Arrays.asList(Arrays.java:3800) ~[?:1.8.0_241]
        at com.vmware.nsx.management.policy.providers.NSServiceProviderUtils.generateNSServiceElement(NSServiceProviderUtils.java:87) ~[policy-framework-api-1.0.jar:?]
Note: The preceding log excerpts are only examples. Dates, times, thread names and object identifiers will vary depending on your environment.


Environment

VMware NSX-T Data Center

Resolution

This has been resolved in NSX-T 3.0.2 and newer.

Workaround:
As a temporary workaround, create a Service object beforehand with no destination port, and use that Service in the rule instead of the Raw Port-Protocols object (Raw Port-Protocols in the UI, L4PortSetServiceEntry in the API).
  1. From the Policy UI, under Inventory > Services, click Add Service.
  2. Enter a name, e.g. "TCP-Any".
  3. Click Set Service Entries.
  4. Click Add Service Entry.
  5. Enter a name, e.g. "TCP-Any".
  6. Select the Service Type: TCP.
  7. Leave the source and destination ports empty.
  8. From the Policy UI, under Security > Distributed Firewall, create or edit the rule to use the Service "TCP-Any" instead of the former Raw Port-Protocols object.
  9. Click Publish.
The above example uses TCP, but the same procedure applies to UDP.
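Before publishing, it helps to know which rules still carry the failing shape. The following script is an added example (not VMware's code) that scans a rules listing of the form returned by GET /policy/api/v1/infra/domains/default/security-policies/<policy-id>/rules and reports every raw TCP/UDP L4PortSetServiceEntry without destination ports; the sample input is constructed inline, and the field name destination_ports is the Policy API's attribute for that entry type.

```python
import json

# Constructed sample shaped like the rule list the NSX-T Policy API returns for
# GET /policy/api/v1/infra/domains/default/security-policies/<policy-id>/rules,
# trimmed to the fields this check needs. Two rules reproduce the article's
# condition: a raw TCP/UDP L4PortSetServiceEntry with no destination port.
SAMPLE_RULES = json.loads("""
{"results": [
  {"id": "allow-web", "service_entries": [
     {"resource_type": "L4PortSetServiceEntry", "l4_protocol": "TCP", "destination_ports": ["443"]}]},
  {"id": "allow-tcp-any", "service_entries": [
     {"resource_type": "L4PortSetServiceEntry", "l4_protocol": "TCP"}]},
  {"id": "allow-udp-any", "service_entries": [
     {"resource_type": "L4PortSetServiceEntry", "l4_protocol": "UDP", "destination_ports": []}]},
  {"id": "allow-icmp", "service_entries": [
     {"resource_type": "ICMPTypeServiceEntry", "protocol": "ICMPv4"}]},
  {"id": "allow-https-svc", "services": ["/infra/services/HTTPS"]}
]}
""")


def is_portless_l4_entry(entry):
    """True when a raw service entry matches the failing shape from the article:
    L4PortSetServiceEntry over TCP or UDP with destination_ports absent or empty."""
    return (
        entry.get("resource_type") == "L4PortSetServiceEntry"
        and entry.get("l4_protocol") in ("TCP", "UDP")
        and not entry.get("destination_ports")
    )


def find_affected_rules(rules_response):
    """Scan a rules listing and return [(rule_id, l4_protocol), ...] for every
    rule that carries a raw entry which would make the publish fail."""
    affected = []
    for rule in rules_response.get("results", []):
        # Rules that only reference Service objects have no service_entries key.
        for entry in rule.get("service_entries") or []:
            if is_portless_l4_entry(entry):
                affected.append((rule["id"], entry["l4_protocol"]))
    return affected


if __name__ == "__main__":
    for rule_id, proto in find_affected_rules(SAMPLE_RULES):
        print(f"{rule_id}: raw {proto} entry without destination ports; "
              f"swap it for a pre-created Service (e.g. '{proto}-Any') before publishing")
```

To run it against a live manager, replace SAMPLE_RULES with the parsed JSON body of the rules GET for each security policy in the section that fails to publish.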


Additional Information

Impact/Risks:
When this issue occurs, the Distributed Firewall section fails to publish until the condition is resolved.