Creating a new distributed firewall rule as it fails with error "object already present"



Article ID: 312598

Products

VMware vDefend Firewall

Issue/Introduction

  • Attempting to create a new distributed firewall rule fails with the following error:
{
"httpStatus" : "BAD_REQUEST",
"error_code" : 601,
"module_name" : "common-services",
"error_message" : "The object FirewallRule/00000000-0000-0000-0000-000020006823 is already present in the system."
}
  • You may also observe the following entries in /var/log/proton/data-migration.log:
2023-03-03T12:23:09.446Z INFO main FirewallUnmanagedRangeH2IMigrationTask 4201 FIREWALL [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Found 1 UnmanagedFirewallRuleIdRange entity(s)
...
2023-03-03T12:23:09.451Z INFO main TableRegistry 4201 openTable: opening nsx$LiteRange with stream tags [[LR_Transaction_Stream, eb4a975c-####-####-####-b0b0f97b95a0]]
2023-03-03T12:23:09.451Z INFO main SMRObject 4201 ObjectBuilder: open Corfu stream nsx$LiteRange id 261179c9-####-####-####-98a0346cd510
...
2023-03-03T12:23:09.457Z INFO main CorfuStore 4201 openTable nsx$LiteRange took 6ms
2023-03-03T12:23:09.458Z INFO main FirewallUnmanagedRangeH2IMigrationTask 4201 FIREWALL [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Migrating fc073125-####-####-####-295e5b12b125 range
2023-03-03T12:23:09.458Z INFO main FirewallUnmanagedRangeH2IMigrationTask 4201 FIREWALL [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Skipped migration for range fc073125-####-####-####-295e5b12b125
...
2023-03-03T12:23:09.464Z INFO main BaseIdentifiableObjectDao 4201 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="corfudb"] Cleared table nsx-manager UnmanagedFirewallRuleIdRange c22f
...
Environment

VMware NSX-T Data Center

Cause

This issue occurs when the lastAllocatedId value held in the backend is not equal to the highest ID belonging to an existing rule in the environment, so the ID handed out for the new rule can collide with a rule that already exists.
This can happen if data migration was skipped during an upgrade.
If the logs have not been rotated, an entry containing FirewallUnmanagedRuleIdRangeId should exist in /var/log/proton/data-migration.log.
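The following is an added illustration of the cause described above, not NSX code: a simplified, hypothetical model of a monotonic rule-ID allocator whose lastAllocatedId counter has fallen behind the rules that already exist. The ID layout, the RuleStore class and the consistency check are assumptions made for the example; they show why every creation attempt then fails with "already present" and how a stale counter can be detected by comparing it with the highest existing rule ID.

```python
"""Simplified model of a rule-ID allocator that has fallen behind existing rules.
Added example, not NSX code; ID layout, class and check are assumptions."""

# Assumed layout of the IDs seen in the error message: fixed prefix plus a
# 12-hex-digit counter (00000000-0000-0000-0000-000020006823).
RULE_ID_PREFIX = "00000000-0000-0000-0000-"


def rule_id(n: int) -> str:
    """Render an integer counter in the assumed 36-character rule-ID layout."""
    return f"{RULE_ID_PREFIX}{n:012x}"


def id_number(rule_id_str: str) -> int:
    """Inverse of rule_id(): recover the counter from the last 12 hex digits."""
    return int(rule_id_str.rsplit("-", 1)[1], 16)


class RuleStore:
    """Holds the existing rules and the backend's lastAllocatedId counter."""

    def __init__(self, existing_ids, last_allocated_id: int):
        self.rules = set(existing_ids)
        self.last_allocated_id = last_allocated_id

    def create_rule(self) -> str:
        """Allocate the next ID and insert the rule.

        Mirrors the API behaviour on the page: the counter only advances when
        the insert succeeds, so a stale counter makes every attempt collide.
        """
        candidate = rule_id(self.last_allocated_id + 1)
        if candidate in self.rules:
            raise ValueError(
                f"The object FirewallRule/{candidate} is already present in the system.")
        self.rules.add(candidate)
        self.last_allocated_id += 1
        return candidate


def allocator_is_stale(store: RuleStore) -> tuple:
    """Consistency check: lastAllocatedId must not be below the highest rule number.

    Returns (stale, highest_existing_number). A stale counter is the condition
    the Cause section describes; a healthy store reports stale == False.
    """
    highest = max((id_number(r) for r in store.rules), default=0)
    return store.last_allocated_id < highest, highest
```

Running allocator_is_stale() against a store whose counter is one behind the rule in the error message reports the mismatch, while the same store's create_rule() reproduces the "already present" failure on every call.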

Resolution

This is a known issue. There is currently no resolution.

If you believe you have encountered this issue, please open a support case with Broadcom Support and refer to this KB article.

For more information, see Creating and managing Broadcom support cases.
Additional Information

Impact/Risks:
You will not be able to create new rules.