VMware NSX-T new rule ID not incrementing correctly and revision number higher than 0
search cancel

VMware NSX-T new rule ID not incrementing correctly and revision number higher than 0

book

Article ID: 312611

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

  • Each NSX manager allocates a rule ID from a batch within the associated rule ID range. A lower ID can be witnessed when an NSX manager is allocating rule ids from another batch.
    eg: If one NSX Manager can be allocating from range 5000-5999 and another NSX manager can be allocating from batch 1000-1999. When a batch is fully allocated the NSX manager will go to the next free batch with available rule IDs. This could be the 2000-2999 batch or the 6000-6999 batch.
  • Global Manager (GM), Local Manager (LM) and Management Plane/Proton (MP) use exclusive ranges when assigning rule IDs. These ranges do not overlap. The LM using range 1000-999999 and MP/Proton uses 536870912-1073741823.
  • The rule ID range is shared between the distributed firewall and the gateway firewall. Therefore there should be no duplicate rule IDs between these firewalls. If a duplicated rule ID is observed, confirm the rule UUID is different, as the rule UUID is the NSX source of truth.
  • It is OK the see a non-zero revision number for newly created rules. The rule revision number references the entire section/policy. All rules within the same section/policy have the same revision number.
    eg: If a new rule is created in a new section/policy all the revision numbers will be 0. If a rule is added to an existing section/policy which is on revision 10, the new rule and all existing rules within that section/policy will be on revision 10. If the section/policy or a rule within the section/policy is changed, that section/policy and all its associated rules will be updated to the next revision number.



Symptoms:

  • When creating a new Distributed or Gateway firewall rule, a lower rule ID is observed compared to the most recent firewall rule.
  • Checking the revision of a newly created rule shows multiple revisions. This can be done using the REST API https://<NSX-Manager-IP or FQDN>/api/v1/firewall/sections/<Section ID>/rules/<Rule ID>

eg:
https://192.168.120.10/api/v1/firewall/sections/########-####-####-####-##########30/rules/776578635

...

    "section_id": "########-####-####-####-##########30",

    "resource_type": "FirewallRule",

    "id": "776578635",

...

    "_revision": 58

 

NOTE: The preceding log excerpts are only examples. Date, time and environmental variables may vary depending on your environment.

 

Environment

VMware NSX-T Data Center

Resolution

This is not a bug and operating as expected

Powered by Wolken Software