Service Insertion filter cannot be created with non-English VM names


Article ID: 313762


Products

VMware NSX

Issue/Introduction

A Service Insertion (SI) filter cannot be created when VMs with non-English names are added to or removed from a Security Group.

Example:

Running the summarize-dvfilter command on the host shows no slot 4 for the VM that was added to the Security Group:

world 49148812 vmm0:????_96.12.139.1 vcUuid:'## ## ## ## ## ## ## ##-## ## ## ## ## ## ## ##'
 port 67108933 ????_##.##.##.##.eth0
  vNic slot 2
   name: nic-49148812-eth0-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
   vmState: Attached
   failurePolicy: failClosed
   slowPathID: 1
   filter source: Dynamic Filter Creation
  vNic slot 1
   name: nic-49148812-eth0-dvfilter-generic-vmware-swsec.1
   agentName: dvfilter-generic-vmware-swsec
   state: IOChain Attached
   vmState: Detached
   failurePolicy: failClosed
   slowPathID: none
   filter source: Alternate Opaque Channel
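
The check above can be automated across many VMs. The following is an added example, not VMware's code: it parses summarize-dvfilter output and lists every port that has no filter in slot 4. The sample text, the names in it and the slot 4 agent name are constructed placeholders; whether a listed port should have an SI filter still depends on its Security Group membership.

```python
import re
import sys

# Constructed sample modelled on the output above; names, IDs and the slot 4
# agent name are placeholders, not values from a real host.
SAMPLE = """\
world 1001 vmm0:????_vm-a vcUuid:'00 01'
 port 101 ????_vm-a.eth0
  vNic slot 2
   name: nic-1001-eth0-vmware-sfw.2
   agentName: vmware-sfw
  vNic slot 1
   name: nic-1001-eth0-dvfilter-generic-vmware-swsec.1
   agentName: dvfilter-generic-vmware-swsec
world 1002 vmm0:vm-b vcUuid:'00 02'
 port 102 vm-b.eth0
  vNic slot 2
   name: nic-1002-eth0-vmware-sfw.2
   agentName: vmware-sfw
  vNic slot 4
   name: nic-1002-eth0-example-si-agent.4
   agentName: example-si-agent
"""

WORLD = re.compile(r"^\s*world\s+(\d+)\s+(.*?)\s+vcUuid:")
PORT = re.compile(r"^\s*port\s+(\d+)\s+(.+?)\s*$")
SLOT = re.compile(r"^\s*vNic slot\s+(\d+)")

def parse_ports(text):
    """Return one dict per port: world ID, VM name, port ID, vNIC, slot set."""
    ports, world, vm = [], None, None
    for line in text.splitlines():
        w, p, s = WORLD.match(line), PORT.match(line), SLOT.match(line)
        if w:
            world, vm = w.group(1), w.group(2)
        elif p:
            ports.append({"world": world, "vm": vm, "port": p.group(1),
                          "nic": p.group(2), "slots": set()})
        elif s and ports:
            ports[-1]["slots"].add(int(s.group(1)))
    return ports

def ports_missing_slot(text, slot=4):
    """List ports with no filter in the given slot (slot 4 per this article)."""
    return [p for p in parse_ports(text) if slot not in p["slots"]]

if __name__ == "__main__":
    # Usage on a host: summarize-dvfilter | python this_script.py
    # Decode leniently: non-English names may not be valid UTF-8 on the console.
    raw = sys.stdin.buffer.read().decode("utf-8", errors="replace")
    for p in ports_missing_slot(raw or SAMPLE):
        print("no slot 4: world %s vm %s nic %s" % (p["world"], p["vm"], p["nic"]))
```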

Environment

NSX for vSphere 6.4.x

Cause

Non-English VM names are truncated from the VM list, which causes vsfwd not to create SI dvfilters for English or non-English VMs.

Resolution

This issue is resolved in NSX for vSphere 6.4.7.

Workaround:
Run /bin/vsip_vm_list.sh to check if non-English VMs exist on the host


Note 1: The actions below should be taken on all the hosts

1: Make a copy of the /bin/vsip_vm_list.sh
    cp /bin/vsip_vm_list.sh /bin/vsip_vm_list.sh.bak

2: Edit /bin/vsip_vm_list.sh
    chmod 777 /bin/vsip_vm_list.sh

    The original display name field looks like this:
    =====================================
        if get_all:
            print("%s:%s:%s" % (wid, vmInfo['vcUuid'], vmInfo['displayName']))
        else:
            if vmInfo['vcUuid'] == vmuuid:
                print("%s:%s:%s" % (wid, vmInfo['vcUuid'], vmInfo['displayName']))
    =====================================

    Replace vmInfo['displayName'] with the dummy value "unk":
    =====================================
        if get_all:
            print("%s:%s:%s" % (wid, vmInfo['vcUuid'], "unk"))
        else:
            if vmInfo['vcUuid'] == vmuuid:
                print("%s:%s:%s" % (wid, vmInfo['vcUuid'], "unk"))
    =====================================
    chmod 555 /bin/vsip_vm_list.sh

3: Restart vsfwd
    /etc/init.d/vShield-Stateful-Firewall restart

4: Now try adding/removing VMs from the Security Group. The SI filters should be updated correctly.


Note 2: vsip_vm_list.sh is overwritten after an ESXi host reboot.

Place the scripts vsip_unk.sh and vsip_vm_list.sh.unk in /vmfs/volumes/datastore/ as follows:

1: Put the modified vsip_vm_list.sh.unk (with vmInfo['displayName'] replaced by "unk") into /vmfs/volumes/datastore/

2: touch vsip_unk.sh in /vmfs/volumes/datastore/
   chmod +x vsip_unk.sh

3: Edit vsip_unk.sh
#!/bin/sh
# Back up the stock script once, before the first replacement
if [ ! -f "/bin/vsip_vm_list.sh.bak" ]; then
    cp /bin/vsip_vm_list.sh /bin/vsip_vm_list.sh.bak
fi
# Replace the stock script with the modified copy kept on the datastore
rm /bin/vsip_vm_list.sh
cp /vmfs/volumes/datastore/vsip_vm_list.sh.unk /bin/vsip_vm_list.sh
# Restart vsfwd so that it uses the modified script
/etc/init.d/vShield-Stateful-Firewall restart

4: Edit local.sh so that vsip_unk.sh runs when the ESXi host boots
   vi /etc/rc.local.d/local.sh

   Add the call to the script before the final exit 0:
   /vmfs/volumes/datastore/vsip_unk.sh
   exit 0

Additional Information

Impact/Risks:

VMs are left unprotected.