Import of DFW rules from NSX-V to NSX-T fails with 400 error



Article ID: 306796


Updated On:

Products

VMware vDefend Firewall

Issue/Introduction

Symptoms:

 

When migrating the Distributed Firewall from NSX-V to NSX-T, the following error occurs during migration:
Config migration failed [Reason: HTTP Error: 400: As path=[/infra/services/ICMP-ALL] is default service, it cannot be updated. for url: http://localhost:6440/policy/api/v1/infra/services/ICMP-ALL]

/var/log/syslog:

2021-04-26T02:32:40.903426+00:00 NAPNSXT2 - - - - [NSX] [nsx@6876 comp="nsx-manager" subcomp="config-migrator"] 9379 DEBUG PATCH REQUEST: /infra/services/ICMP-ALL
2021-04-26T02:32:40.903521+00:00 NAPNSXT2 - - - - [NSX] [nsx@6876 comp="nsx-manager" subcomp="config-migrator"] 9379 DEBUG API tracker: REQUEST method=PATCH, url=http://localhost:6440/policy/api/v1/infra/services/ICMP-ALL, non-session-headers=None, params=None, data={"id": "ICMP-ALL", "display_name": "ICMP-ALL", "description": "", "service_entries": [{"description": "", "display_name": "ICMP-ALL", "id": "ICMP-ALL", "protocol": "ICMPv4", "resource_type": "ICMPTypeServiceEntry"}], "tags": [{"scope": "v_origin", "tag": "Application-application-527"}]}
2021-04-26T02:32:40.907Z NAPNSXT2 NSX 27044 POLICY [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="policy"] Couldn't find any value for key/s - [NSX_ENABLE_PARTIAL_PATCH].
2021-04-26T02:32:40.908Z NAPNSXT2 NSX 26843 FIREWALL [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Starting to find all rules that uses this NSServiceGroup identifier - NSServiceGroup/f0f69261-0ed2-4ed8-a080-970e3#####
2021-04-26T02:32:40.909Z NAPNSXT2 NSX 26843 FIREWALL [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Found 0 unique rule messages that depend on NSServiceGroup/f0f69261-0ed2-4ed8-a080-970#####
2021-04-26T02:32:40.909Z NAPNSXT2 NSX 26843 FIREWALL [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Found 0 unique section messages for 0 rules that depend on NSServiceGroup/f0f69261-0ed2-####-#####0-970e34#####
2021-04-26T02:32:40.909Z NAPNSXT2 NSX 26843 FIREWALL [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] NSServiceGroup StateSync Update - Completed conversion of FirewallRules to add/update protobuf on receiving NSServiceGroup NSServiceGroup/f0f69261-0ed2-4ed8-a080-970###### statesync UPDATE
2021-04-26T02:32:40.909Z NAPNSXT2 NSX 26843 FIREWALL [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] DFW_TIMER PROTO DELSYNC : Time taken to convert to Protobuf (#messages 0) for NSServiceGroup NSServiceGroup/f0f69261-0ed2-4ed8-a080-97###### is 1 ms
2021-04-26T02:32:40.915Z NAPNSXT2 NSX 27044 POLICY [nsx@6876 comp="nsx-manager" errorCode="MP500175" level="ERROR" reqId="2d6677b1-4b9d-4319-a37c-d0155######" subcomp="policy" username="admin"] Can't update default existingService /infra/services/ICMP-ALL.
2021-04-26T02:32:40.934302+00:00 NAPNSXT2 - - - - [NSX] [nsx@6876 comp="nsx-manager" subcomp="config-migrator"] 9379 ERROR Failed to PATCH http://localhost:6440/policy/api/v1/infra/services/ICMP-ALL with status: 400 and reason: {#012  "httpStatus" : "BAD_REQUEST",#012  "error_code" : 500175,#012  "module_name" : "Policy",#012  "error_message" : "As path=[/infra/services/ICMP-ALL] is default service, it cannot be updated."#012}
2021-04-26T02:32:40.934537+00:00 NAPNSXT2 - - - - [NSX] [nsx@6876 comp="nsx-manager" subcomp="config-migrator"] 9379 ERROR HTTP Error: 400: As path=[/infra/services/ICMP-ALL] is default service, it cannot be updated. for url: http://localhost:6440/policy/api/v1/infra/services/ICMP-ALL
2021-04-26T02:32:40.934582+00:00 NAPNSXT2 - - - - [NSX] [nsx@6876 comp="nsx-manager" subcomp="config-migrator"] 9379 INFO Apply is configured to stop on first error
2021-04-26T02:32:40.934717+00:00 NAPNSXT2 - - - - [NSX] [nsx@6876 comp="nsx-manager" subcomp="config-migrator"] 9379 INFO Waiting 30 sec for realization..

/var/log/syslog:

2021-04-26T04:18:23.836247+00:00 NAPNSXT1 - - - - [NSX] [nsx@6876 comp="nsx-manager" subcomp="config-migrator"] 19363 DEBUG PATCH REQUEST: /infra/services/ICMP-ALL
2021-04-26T04:18:23.836398+00:00 NAPNSXT1 - - - - [NSX] [nsx@6876 comp="nsx-manager" subcomp="config-migrator"] 19363 DEBUG API tracker: REQUEST method=PATCH, url=http://localhost:6440/policy/api/v1/infra/services/ICMP-ALL, non-session-headers=None, params=None, data={"id": "ICMP-ALL", "display_name": "ICMP-ALL", "description": "", "service_entries": [{"description": "", "display_name": "ICMP-ALL", "id": "ICMP-ALL", "protocol": "ICMPv4", "resource_type": "ICMPTypeServiceEntry"}], "tags": [{"scope": "v_origin", "tag": "Application-application-527"}]}
2021-04-26T04:18:23.841Z NAPNSXT1 NSX 6569 POLICY [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="policy"] Couldn't find any value for key/s - [NSX_ENABLE_PARTIAL_PATCH].
2021-04-26T04:18:23.847Z NAPNSXT1 NSX 6569 POLICY [nsx@6876 comp="nsx-manager" errorCode="MP500175" level="ERROR" reqId="ab5c8cff-fb38-4478-9c99-39a7#####" subcomp="policy" username="admin"] Can't update default existingService /infra/services/ICMP-ALL.
2021-04-26T04:18:23.917Z NAPNSXT1 NSX 6310 FIREWALL [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Starting to find all rules that uses this NSServiceGroup identifier - NSServiceGroup/841c57f2-0b87-453e-9db7-6461#####
2021-04-26T04:18:23.917Z NAPNSXT1 NSX 6310 FIREWALL [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Found 0 unique rule messages that depend on NSServiceGroup/841c57f2-0b87-453e-9db7-646######
2021-04-26T04:18:23.917Z NAPNSXT1 NSX 6310 FIREWALL [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Found 0 unique section messages for 0 rules that depend on NSServiceGroup/841c57f2-0b87-453e-9db7-646######
2021-04-26T04:18:23.917Z NAPNSXT1 NSX 6310 FIREWALL [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] NSServiceGroup StateSync Update - Completed conversion of FirewallRules to add/update protobuf on receiving NSServiceGroup NSServiceGroup/841c57f2-0b87-453e-9db7-64####### statesync UPDATE
2021-04-26T04:18:23.917Z NAPNSXT1 NSX 6310 FIREWALL [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] DFW_TIMER PROTO DELSYNC : Time taken to convert to Protobuf (#messages 0) for NSServiceGroup NSServiceGroup/841c57f2-0b87-453e-9db7-64####### is 0 ms
2021-04-26T04:18:24.009551+00:00 NAPNSXT1 - - - - [NSX] [nsx@6876 comp="nsx-manager" subcomp="config-migrator"] 19363 ERROR Failed to PATCH http://localhost:6440/policy/api/v1/infra/services/ICMP-ALL with status: 400 and reason: {#012  "httpStatus" : "BAD_REQUEST",#012  "error_code" : 500175,#012  "module_name" : "Policy",#012  "error_message" : "As path=[/infra/services/ICMP-ALL] is default service, it cannot be updated."#012}
2021-04-26T04:18:24.009741+00:00 NAPNSXT1 - - - - [NSX] [nsx@6876 comp="nsx-manager" subcomp="config-migrator"] 19363 ERROR HTTP Error: 400: As path=[/infra/services/ICMP-ALL] is default service, it cannot be updated. for url: http://localhost:6440/policy/api/v1/infra/services/ICMP-ALL
2021-04-26T04:18:24.009810+00:00 NAPNSXT1 - - - - [NSX] [nsx@6876 comp="nsx-manager" subcomp="config-migrator"] 19363 INFO Apply is configured to stop on first error
2021-04-26T04:18:24.009951+00:00 NAPNSXT1 - - - - [NSX] [nsx@6876 comp="nsx-manager" subcomp="config-migrator"] 19363 INFO Waiting 30 sec for realization..
2021-04-26T04:18:24.015Z NAPNSXT1 NSX 6310 FIREWALL [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Starting to find all rules that uses this NSServiceGroup identifier - NSServiceGroup/0684######
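
To confirm that a failed migration matches this article, the config-migrator lines in /var/log/syslog can be searched for requests rejected with error_code 500175. The following is an added example, not VMware code; the function name and the sample lines (modelled on the excerpts above, with a placeholder hostname) are constructed for illustration.

```python
import json
import re

# config-migrator line that carries the rejected request and its JSON reason.
FAILED_REQUEST = re.compile(
    r'subcomp="config-migrator"\]\s+\d+\s+ERROR Failed to (?P<method>[A-Z]+) '
    r'(?P<url>\S+) with status: (?P<status>\d+) and reason: (?P<reason>\{.*\})\s*$'
)
DEFAULT_SERVICE_ERROR = 500175  # error_code shown in the log excerpts above

def default_service_rejections(lines):
    """Return (method, policy_path, status) for each request the Policy API
    rejected because the target is a default service."""
    hits = []
    for line in lines:
        m = FAILED_REQUEST.search(line)
        if not m:
            continue
        try:
            # syslog stores the newlines of the JSON body as the escape #012
            reason = json.loads(m.group("reason").replace("#012", "\n"))
        except json.JSONDecodeError:
            continue  # truncated or wrapped line: skip instead of guessing
        if reason.get("error_code") == DEFAULT_SERVICE_ERROR:
            path = m.group("url").split("/policy/api/v1", 1)[-1]
            hits.append((m.group("method"), path, int(m.group("status"))))
    return hits

# Constructed sample: two lines in the shape of the excerpts above
# (hostname replaced with a placeholder).
SAMPLE = [
    '2021-04-26T04:18:24.009551+00:00 nsxmgr - - - - [NSX] [nsx@6876 '
    'comp="nsx-manager" subcomp="config-migrator"] 19363 ERROR Failed to PATCH '
    'http://localhost:6440/policy/api/v1/infra/services/ICMP-ALL with status: 400 '
    'and reason: {#012  "httpStatus" : "BAD_REQUEST",#012  "error_code" : 500175,'
    '#012  "module_name" : "Policy",#012  "error_message" : "As path='
    '[/infra/services/ICMP-ALL] is default service, it cannot be updated."#012}',
    '2021-04-26T04:18:24.009810+00:00 nsxmgr - - - - [NSX] [nsx@6876 '
    'comp="nsx-manager" subcomp="config-migrator"] 19363 INFO Apply is configured '
    'to stop on first error',
]

if __name__ == "__main__":
    for method, path, status in default_service_rejections(SAMPLE):
        print(f"{method} {path} rejected with HTTP {status}: default service")
```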
 

Environment

VMware NSX-T Data Center 3.x
VMware NSX-T Data Center
VMware NSX-T

Cause

NSX-V has no "default" service named ICMP-ALL; there, ICMP-ALL is a user-defined service. NSX-T, however, already has ICMP-ALL as a default service. On NSX-T, the service 'ICMP-ALL' is actually a service group containing 2 entries. Because of this, the plugin treats the NSX-T service as a group and does not process it for duplicate names in this case.
As a result, the migration generates the API request for this service under the same name, and the request fails with the error above, which states that a default service on NSX-T cannot be modified. The migration for this rule fails.

The general scenario: if a user-defined service on NSX-V also exists as a default service on NSX-T with at least 2 service entries, the ns_service plugin does not update the name of the service, so the API request is created with the same service name. The migration of this service then fails because the default service on NSX-T cannot be updated.

Resolution

This will be fixed in a later release of NSX-T.

Workaround:
1. On the NSX-V side, rename the service ICMP-ALL to “ICMP-ALL-1”.
2. On NSX-T, roll back the migration using the API or UI.
3. Start the migration again.
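
Because the migration stops on the first error, it helps to find every NSX-V service that meets the condition described under Cause before restarting, and to pick a new name for each in the style of the workaround. The following is an added example, not VMware code. It assumes the NSX-V service names have been exported as a list of strings and that the NSX-T services are available as dicts carrying `id`, `display_name`, `is_default` and `service_entries`; all sample data is constructed.

```python
def rename_plan(nsxv_names, nsxt_services):
    """Map each NSX-V service name that matches an NSX-T default service with
    at least 2 service entries to a free name of the form <name>-<n>."""
    blocked = set()          # names held by default services with >= 2 entries
    taken = set(nsxv_names)  # names a suggested rename must not reuse
    for svc in nsxt_services:
        names = {svc.get("id"), svc.get("display_name")} - {None}
        taken |= names
        if svc.get("is_default") and len(svc.get("service_entries", [])) >= 2:
            blocked |= names
    plan = {}
    for name in sorted(set(nsxv_names) & blocked):
        n = 1
        while f"{name}-{n}" in taken:  # skip suffixes that are already in use
            n += 1
        plan[name] = f"{name}-{n}"
        taken.add(plan[name])
    return plan

# Constructed NSX-T inventory (assumed shape, see the lead-in).
NSXT_SERVICES = [
    {"id": "ICMP-ALL", "display_name": "ICMP-ALL", "is_default": True,
     "service_entries": [{"id": "entry-1"}, {"id": "entry-2"}]},
    {"id": "HTTP", "display_name": "HTTP", "is_default": True,
     "service_entries": [{"id": "HTTP"}]},
    {"id": "App-Web", "display_name": "App-Web", "is_default": False,
     "service_entries": [{"id": "a"}, {"id": "b"}]},
]
# Constructed NSX-V service names; "ICMP-ALL-1" is already in use here.
NSXV_NAMES = ["ICMP-ALL", "ICMP-ALL-1", "HTTP", "App-Web"]

if __name__ == "__main__":
    for old, new in rename_plan(NSXV_NAMES, NSXT_SERVICES).items():
        print(f"rename NSX-V service {old!r} to {new!r} before migrating")
```

Only the multi-entry default service is reported, which mirrors the scenario in the Cause section; the single-entry default and the non-default service in the sample are left alone.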