Distributed Firewall fails to publish due to invalid rule tag


Article ID: 311851


Updated On:


VMware NSX Networking


  • Distributed Firewall fails to publish.
  • The vShield-Stateful-Firewall logs on the ESXi host (/var/run/log/vsfwd.log) contain errors similar to:
vsfwd: [ERROR] convert rule error 3: rule tag is too long: 39
In the above log excerpt, 39 is an example value; the reported length will vary.
  • In the Distributed Firewall UI, no rule tag appears to exceed the 30-character limit. However, some rule tags contain special characters (for example accented letters) that fall outside the Basic Latin range.
Note: The preceding log excerpt is only an example. Date, time, and environment-specific values may vary depending on your environment.


VMware NSX Data Center for vSphere 6.4.x


The limit enforced in the UI for a DFW rule tag is 30 characters; the content of the field is automatically truncated when it exceeds that length.
On the ESXi host, however, the rule tag is validated against a limit of 30 bytes, not 30 characters.
If the rule tag contains characters that take two or more bytes to encode, the tag can therefore be accepted by the UI yet rejected on the ESXi host, which causes the publish to fail.
Characters that are encoded on a single byte are those of the Unicode Basic Latin block: https://www.fileformat.info/info/unicode/block/basic_latin/list.htm


Currently, there is no resolution.

You can work around the condition by ensuring that DFW rule tags contain only single-byte (Basic Latin) characters, or that the encoded length of each rule tag does not exceed 30 bytes.
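The following script is an added example and is not VMware code: it applies both limits described in the Cause section to a list of rule tags, flags the tags that pass the UI's 30-character check but fail the host's 30-byte check, trims them to fit, and extracts the reported length from a vsfwd log line of the format quoted above. It assumes the host counts the UTF-8 encoding of the tag (so Basic Latin characters cost one byte and accented or CJK characters two to four); the sample tags and the log line are constructed for illustration.

```python
# Added example (not VMware code): check NSX-v DFW rule tags against both limits
# described in this article. Assumes the ESXi host counts the tag's UTF-8 encoding,
# so Basic Latin characters cost 1 byte and accented or CJK characters 2-4 bytes.
import re

MAX_TAG_CHARS = 30  # limit enforced by the NSX UI (characters)
MAX_TAG_BYTES = 30  # limit enforced by vsfwd on the ESXi host (bytes)

# vsfwd error as quoted in the symptoms section; the trailing number is the offending length.
VSFWD_TAG_TOO_LONG = re.compile(r"rule tag is too long: (\d+)")


def tag_byte_length(tag: str) -> int:
    """Length of the tag as the host sees it (UTF-8 bytes, assumed)."""
    return len(tag.encode("utf-8"))


def check_rule_tag(tag: str) -> dict:
    """Report character count, byte count and which of the two checks the tag passes."""
    multibyte = sorted({c for c in tag if ord(c) > 0x7F})  # anything outside Basic Latin
    return {
        "tag": tag,
        "chars": len(tag),
        "bytes": tag_byte_length(tag),
        "ui_ok": len(tag) <= MAX_TAG_CHARS,
        "host_ok": tag_byte_length(tag) <= MAX_TAG_BYTES,
        "multibyte_chars": multibyte,
    }


def find_offending_tags(tags):
    """Tags the UI accepts (<= 30 chars) but the host rejects (> 30 bytes)."""
    return [r for r in map(check_rule_tag, tags) if r["ui_ok"] and not r["host_ok"]]


def truncate_to_bytes(tag: str, max_bytes: int = MAX_TAG_BYTES) -> str:
    """Shorten a tag to fit the host's byte limit without splitting a character."""
    out = tag
    while tag_byte_length(out) > max_bytes:
        out = out[:-1]  # drop whole characters, never partial encodings
    return out


def parse_vsfwd_error(line: str):
    """Return the length reported by a 'rule tag is too long' log line, else None."""
    m = VSFWD_TAG_TOO_LONG.search(line)
    return int(m.group(1)) if m else None


# Constructed sample tags (not taken from a real environment).
SAMPLE_TAGS = [
    "web-tier-allow-http",                  # 19 chars, 19 bytes: fine everywhere
    "règle-accès-serveur-web-prod-1",       # 30 chars, 32 bytes: UI accepts, host rejects
    "生产环境-web-服务器-访问策略-01",        # 20 chars, 42 bytes: UI accepts, host rejects
    "this-rule-tag-is-way-too-long-for-ui",  # 36 chars: the UI already truncates this one
]

if __name__ == "__main__":
    for r in map(check_rule_tag, SAMPLE_TAGS):
        status = "OK" if r["host_ok"] else "REJECTED BY HOST"
        print(f"{r['chars']:2d} chars {r['bytes']:2d} bytes  {status:16s} {r['tag']}")
    for r in find_offending_tags(SAMPLE_TAGS):
        print("fix:", repr(r["tag"]), "->", repr(truncate_to_bytes(r["tag"])))
    # Constructed log line matching the format quoted in the symptoms section.
    print(parse_vsfwd_error("vsfwd: [ERROR] convert rule error 3: rule tag is too long: 39"))
```

Run it against the tags exported from your own DFW rule set; any tag returned by find_offending_tags is one the UI will let you save but vsfwd will refuse, and truncate_to_bytes gives a value that fits within the host's limit while keeping every character whole.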