Symptoms:

Critical error in NSX-T

Description:

The DFW vMotion for DFW filter nic-yyyyy-eth0-vmware-sfw.2 on destination host xy-xy-vv-dd-hh-00.yyy has failed and the port for the entity has been disconnected.

VMware NSX-T Data Center

• This is known behaviour and is expected to be seen here because of vmotion from NSX-V to NSX-T.
• When migrating the filter with version 5 to NSXT ,the filter version(5) is not supported by NSXT, so this alarm is raised.
• NSX-V uses version 5 filter whereas NSX-T uses version 1000.

VMKernel.log will show:

2023-06-29T04:47:28.419Z cpu)Importing nic-yyyyyy-eth0-vmware-sfw.2, Version 5

2023-06-29T04:47:28.419Z cpu)unsupported version: 5

2023-06-29T04:47:28.419Z cpu)Sending message to cfgAgent to raising alarm for filter import failure

Recommended Action (as given in alarm)

Check VMs on the host in NSX Manager, manually repush the DFW configuration through NSX Manager UI. The DFW policy to be repushed can be traced by the DFW filter nic-yyyyyy-eth0-vmware-sfw.2. Also consider finding the VM to which the DFW filter is attached and restart it.

Workaround:

Avoid alarms by following instructions here: Configure Export Version of Distributed Firewall Filter on Hosts

Reference link

https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/migration/GUID-993AB7A8-C560-43C0-B7B0-B5A58EC6884D.html#GUID-993AB7A8-C560-43C0-B7B0-B5A58EC6884D