Distributed Firewall fails to publish due to invalid rule tag
Article ID: 311851


Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • Distributed Firewall fails to publish.
  • vShield-Stateful-Firewall logs on the ESXi host (/var/run/log/vsfwd.log) contain errors similar to:
vsfwd: [ERROR] convert rule error 3: rule tag is too long: 39
In the above log excerpt, 39 is an example.
  • In the Distributed Firewall UI, no rule tag appears to exceed the character limit (30). However, some rule tags contain special characters.
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.


Environment

VMware NSX Data Center for vSphere 6.4.x

Cause

The length enforced in the UI for a DFW rule tag is set to 30 characters. The content of the field is automatically truncated when exceeding the constraint.
However, on the ESXi host, the validation of the rule tag is based on 30 bytes.
If the rule tag contains characters that are encoded on 2 bytes or more, it is then possible that the rule tag is valid in the UI but rejected on the ESXi host.
List of characters that are encoded on 1 byte only: https://www.fileformat.info/info/unicode/block/basic_latin/list.htm

Resolution

Currently, there is no resolution.

Workaround:
You can avoid the condition by ensuring that DFW rule tags contain only single-byte characters and/or that the overall byte count does not exceed 30 bytes.
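As an added illustration of the cause and the workaround (example code, not VMware's), the following Python check applies both limits the article describes to some constructed tags: the UI's 30-character limit and the host's 30-byte limit. It assumes the host counts UTF-8 bytes; the article only says "bytes".

```python
# Added example, not VMware/NSX code. Checks a DFW rule tag against the two limits
# the article describes and shortens a tag to fit the host-side byte limit.
UI_CHAR_LIMIT = 30    # enforced by the NSX UI, counted in characters
HOST_BYTE_LIMIT = 30  # enforced by vsfwd on the ESXi host, counted in bytes

def check_rule_tag(tag: str) -> dict:
    """Report character count, UTF-8 byte count (assumption: host uses UTF-8),
    and whether the UI and the host would each accept the tag."""
    nbytes = len(tag.encode("utf-8"))
    return {
        "chars": len(tag),
        "bytes": nbytes,
        "ui_ok": len(tag) <= UI_CHAR_LIMIT,
        "host_ok": nbytes <= HOST_BYTE_LIMIT,
        # characters that take more than one byte are the ones that cause the mismatch
        "multibyte_chars": [c for c in tag if len(c.encode("utf-8")) > 1],
    }

def hidden_failures(tags):
    """Tags the UI accepts but the host would reject ("rule tag is too long")."""
    return [t for t in tags
            if check_rule_tag(t)["ui_ok"] and not check_rule_tag(t)["host_ok"]]

def truncate_to_bytes(tag: str, limit: int = HOST_BYTE_LIMIT) -> str:
    """Shorten a tag so its UTF-8 form fits in `limit` bytes without splitting a character."""
    out, used = [], 0
    for c in tag:
        n = len(c.encode("utf-8"))
        if used + n > limit:
            break
        out.append(c)
        used += n
    return "".join(out)

# Constructed sample tags: both are exactly 30 characters long, so both pass the UI check.
SAMPLE_TAGS = [
    "web-tier-allow-http-inbound-01",   # ASCII only: 30 bytes, accepted by the host
    "Règle-serveur-accès-données-01",   # three 2-byte characters: 33 bytes, rejected
]

if __name__ == "__main__":
    for t in SAMPLE_TAGS:
        print(t, check_rule_tag(t))
    for t in hidden_failures(SAMPLE_TAGS):
        print("would be rejected on host; shortened to:", truncate_to_bytes(t))
```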