Publishing NSX Distributed Firewall rule fails
Article ID: 314286

Products

VMware NSX

Issue/Introduction

Symptoms:
  • Publishing NSX Distributed Firewall rule fails.
  • NSX Manager logs (vsm.log) display message(s) similar to:

2017-07-04 15:26:23.656 CEST ERROR messagingTaskExecutor-6 ResponseHandler:106 - Received error for RULESET message generation Number 1499174778989:
2017-07-04 15:26:23.657 CEST ERROR messagingTaskExecutor-1 ConfigurationPublisher:242 - Firewall provisioning failed on Host host-49573 for reason 16:. Host is at generation 1499174778989.
2017-07-04 15:26:23.657 CEST ERROR messagingTaskExecutor-4 ConfigurationPublisher:242 - Firewall provisioning failed on Host host-18908 for reason 16:. Host is at generation 1499174778989.
2017-07-04 15:26:23.658 CEST ERROR messagingTaskExecutor-1 ResponseHandler:106 - Received error for RULESET message generation Number 1499174778989:
2017-07-04 15:26:23.658 CEST INFO messagingTaskExecutor-7 ConfigurationPublisher:229 - Updating host host-18745 status for firewall, generation 1499174778989 ; StatusCode - 16, Status Message

  • ESXi host logs (vsfwd.log) display message(s) similar to:

2017-07-04T14:20:07Z vsfwd: [WARN] string2ip error 33: 10.129.4.0/24
2017-07-04T14:20:07Z vsfwd: [ERROR] prepare ruleset error 33: 10.129.4.0/24
2017-07-04T14:20:07Z vsfwd: [WARN] error 16: bad ruleset config data
2017-07-04T14:20:07Z vsfwd: [ERROR] Failed to load vsa config [174322]: parsing error
2017-07-04T14:20:07Z vsfwd: [WARN] failed to load ruleset: 1499177387734
2017-07-04T14:20:07Z vsfwd: [INFO] sending event: failed to parse ruleset 1499177387734
2017-07-04T14:20:07Z vsfwd: [INFO] Sending vsa reply of domain-c18748 host host-18745: 16

  • NSX Distributed Firewall rules are displayed without any errors in the vSphere Web Client.
  • After an ESXi host is rebooted, the file /etc/vmware/vsfwd/vsipfw_ruleset.dat is 0 bytes in size.
Cause

The issue occurs because the string2ip conversion performed by vsfwd on the ESXi host fails when an IP address or subnet in a rule contains an unexpected character, such as a trailing white space at the end of the address. The host then rejects the entire rule set as bad config data (reason 16) and does not load the published rules, even though the rule itself displays normally in the vSphere Web Client.

Resolution

Remove the unexpected character that causes the string2ip conversion of the IP address to fail, then publish the rules again.
To identify the unexpected character, export the firewall configuration as XML from the vSphere Web Client and search the export for the IP address or subnet shown in the string2ip error; a stray character such as a trailing space is easy to overlook in the UI but visible in the raw XML.
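As an added example (not part of the VMware article), the following Python script automates that search. It takes vsfwd.log lines and the exported firewall configuration XML, extracts the value from the string2ip error, and flags any XML text or attribute that parses as a valid IP address or CIDR only after whitespace or non-printable characters are removed, printing repr() so the invisible character becomes visible. The log lines and XML layout below are constructed for the example; the real DFW export schema may use different element names, which is why the scan walks every element rather than assuming a schema.

```python
"""Locate the malformed IP/subnet string behind a vsfwd "string2ip error".

Added example, not part of the VMware KB article. It takes the vsfwd.log
lines from the ESXi host and the firewall configuration exported as XML
from the vSphere Web Client, pulls the value vsfwd failed to convert out of
the log, and then walks every element and attribute of the XML (the export
schema is not assumed) looking for text that becomes a valid address or
CIDR only once whitespace or other stray characters are removed.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Message text as shown in the article; the capture keeps trailing whitespace
# so that the defect itself stays visible in the result.
STRING2IP_RE = re.compile(r"string2ip error (?P<errno>\d+): (?P<value>.*)$")


def offending_values_from_log(log_lines):
    """Return the raw strings vsfwd reported in string2ip errors, in order."""
    return [m.group("value") for m in map(STRING2IP_RE.search, log_lines) if m]


def parse_exact(text):
    """Parse text exactly as written; None if it is not a clean IP or CIDR."""
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None


def strip_stray(text):
    """Drop whitespace and non-printable characters (the suspects in this KB)."""
    return "".join(ch for ch in text if ch.isprintable() and not ch.isspace())


def scan_exported_config(xml_text):
    """Flag XML text or attribute values that are addresses only after cleanup.

    Returns (tag, raw_value) pairs; raw_value is left unmodified so that
    repr() shows the offending character.
    """
    flagged = []
    for elem in ET.fromstring(xml_text).iter():
        candidates = [elem.text or ""] + list(elem.attrib.values())
        for raw in candidates:
            if parse_exact(raw) is not None:
                continue                      # clean as written
            cleaned = strip_stray(raw)
            if cleaned and parse_exact(cleaned) is not None:
                flagged.append((elem.tag, raw))
    return flagged


def match_log_to_config(log_lines, xml_text):
    """Pair each string2ip value from the log with the config entry carrying it.

    Matching uses the cleaned form, because the stray character may or may
    not survive in the log line itself.
    """
    flagged = scan_exported_config(xml_text)
    matches = []
    for value in offending_values_from_log(log_lines):
        for tag, raw in flagged:
            if strip_stray(raw) == strip_stray(value):
                matches.append((value, tag, raw))
    return matches


# Constructed sample input. The log line mirrors the article's vsfwd.log
# message; the trailing space on the subnet is added here to match the XML.
SAMPLE_LOG = [
    "2017-07-04T14:20:07Z vsfwd: [WARN] string2ip error 33: 10.129.4.0/24 ",
    "2017-07-04T14:20:07Z vsfwd: [ERROR] prepare ruleset error 33: 10.129.4.0/24 ",
    "2017-07-04T14:20:07Z vsfwd: [WARN] error 16: bad ruleset config data",
]

# Constructed XML; the real DFW export may use different element names, which
# is why the scanner does not depend on any particular schema.
SAMPLE_XML = """<firewallConfiguration>
  <section name="Web tier">
    <rule>
      <name>allow-web-to-db</name>
      <sources><source><type>Ipv4Address</type><value>10.129.4.0/24 </value></source></sources>
      <destinations><destination><type>Ipv4Address</type><value>10.129.5.10</value></destination></destinations>
    </rule>
  </section>
</firewallConfiguration>"""


if __name__ == "__main__":
    for value, tag, raw in match_log_to_config(SAMPLE_LOG, SAMPLE_XML):
        print(f"log value {value!r} -> <{tag}> contains {raw!r}")
```

Run it against the real vsfwd.log and the exported XML by replacing the two constructed samples; any entry it reports is the value to correct in the rule before republishing. Matching on the cleaned form means the tool still finds the entry when the log line has lost the trailing character.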