NSX-T missing Firewall Sections and Rules
Article ID: 314289
Products
VMware NSX
Issue/Introduction
Symptoms:
- When you query the distributed firewall (DFW), some sections and rules are not displayed.
- NSX Manager Syslog will display the following error:
<179>1 2019-08-23T12:17:54.560Z host NSX 23666 DISTRIBUTEDSERVICES [nsx@6876 comp="nsx-manager" errorCode="MP96321" subcomp="manager"] validateSectionExists: DS Section ########-####-####-####-########## not found
<182>1 2019-08-23T12:17:54.560Z host NSX 23666 - [nsx@6876 audit="true" comp="nsx-manager" subcomp="manager"] UserName:'admin' ModuleName:'common-services' Operation:'GET@/api/v1/firewall/sections/########-####-####-####-##########'Operation status: 'failure' Error: The requested object : ########-####-####-####-########## could not be found. Object identifiers are case sensitive.
- Running an API GET call against the manager returns error 600:
root@host:~# curl -k -H 'X-NSX-Username:admin' -H 'X-Nsx-Groups: superusers' -X GET http://localhost:7440/nsxapi/api/v1/firewall/sections/e61c7889-28e5-4d97-bfae-d08097dg67a3
{
"httpStatus" : "NOT_FOUND",
"error_code" : 600,
"module_name" : "common-services",
"error_message" : "The requested object : ########-####-####-####-##########a3 could not be found. Object identifiers are case sensitive."
}
Cause
This is caused by an inconsistency between the MP (Management Plane) nodes and Corfu.
To identify the issue, perform the following steps:
- Get the total number of firewall sections and rules across all MP nodes.
- Run a unique count on the section IDs in log entries like the following:
<179>1 2019-08-23T12:17:54.560Z host NSX 23666 DISTRIBUTEDSERVICES [nsx@6876 comp="nsx-manager" errorCode="MP96321" subcomp="manager"] validateSectionExists: DS Section ########-####-####-####-########## not found
<182>1 2019-08-23T12:17:54.560Z host NSX 23666 - [nsx@6876 audit="true" comp="nsx-manager" subcomp="manager"] UserName:'admin' ModuleName:'common-services' Operation:'GET@/api/v1/firewall/sections/########-####-####-####-##########'Operation status: 'failure' Error: The requested object : ########-####-####-####-########## could not be found. Object identifiers are case sensitive.
In this case, the unique count shows 284 firewall sections reporting these errors:
egrep "MP96321" nsx_manager_*/var/log/syslog | awk -F ' ' '{print $14}' | sort -n | uniq | wc -l
284
- When you query the nodes that are not hosting the manager VIP, these firewall details show up via the CLI:
~# curl -k -H 'X-NSX-Username:admin' -H 'X-Nsx-Groups: superusers' -X GET http://localhost:7440/nsxapi/api/v1/firewall/sections/########-####-####-####-##########
{
"locked" : false,
"comments" : "Default section unlock comment",
"lock_modified_by" : "admin",
"lock_modified_time" : 1565776171230,
"autoplumbed" : false,
"enforced_on" : "VIF",
"tcp_strict" : false,
"resource_type" : "FirewallSection",
"id" : "########-####-####-####-########## 3",
"display_name" : "########-####-####-####-##########",
"section_type" : "LAYER3",
"stateful" : true,
"rule_count" : 3,
"is_default" : false,
"_create_user" : "admin",
"_create_time" : 1565776171229,
"_last_modified_user" : "admin",
"_last_modified_time" : 1565776262895,
"_system_owned" : false,
"_protection" : "NOT_PROTECTED",
"_revision" : 3
}
- Firewall details do not show up on the node hosting the VIP:
# curl -k -H 'X-NSX-Username:admin' -H 'X-Nsx-Groups: superusers' -X GET http://localhost:7440/nsxapi/api/v1/firewall/sections/########-####-####-####-##########
{
"httpStatus" : "NOT_FOUND",
"error_code" : 600,
"module_name" : "common-services",
"error_message" : "The requested object : ########-####-####-####-########## could not be found. Object identifiers are case sensitive."
}
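The egrep count in the steps above merges every MP node's syslog into one number. The following shell function is an added example (not VMware tooling and not part of the original article) that breaks the same MP96321 count down per syslog file and extracts the section ID by pattern rather than by field position, so the node reporting missing sections stands out. The sample log lines and section IDs are constructed.

```shell
#!/bin/sh
# Added example: per-node count of distinct firewall section IDs that were
# logged as missing with errorCode="MP96321".

# Usage: missing_sections_per_file SYSLOG...
# Prints "<file> <distinct missing section IDs>" for every file read.
missing_sections_per_file() {
    awk '
        FNR == 1 { files[FILENAME] = 1 }
        /errorCode="MP96321"/ && match($0, /DS Section [^ ]+ not found/) {
            # Drop "DS Section " (11 chars) and " not found" (10 chars).
            id = substr($0, RSTART + 11, RLENGTH - 21)
            if (!((FILENAME, id) in seen)) {
                seen[FILENAME, id] = 1
                count[FILENAME]++
            }
        }
        END { for (f in files) print f, count[f] + 0 }
    ' "$@" | sort
}

# Writes constructed sample logs laid out like the paths used in the article
# (nsx_manager_*/var/log/syslog). All section IDs below are made up.
write_sample_logs() {
    dir=$1
    err='<179>1 2019-08-23T12:17:54.560Z host NSX 23666 DISTRIBUTEDSERVICES [nsx@6876 comp="nsx-manager" errorCode="MP96321" subcomp="manager"] validateSectionExists: DS Section'
    aud='<182>1 2019-08-23T12:17:54.560Z host NSX 23666 - [nsx@6876 audit="true" comp="nsx-manager" subcomp="manager"] constructed audit line without the error code'
    mkdir -p "$dir/nsx_manager_1/var/log" "$dir/nsx_manager_2/var/log"
    {
        echo "$err 11111111-aaaa-bbbb-cccc-000000000001 not found"
        echo "$err 11111111-aaaa-bbbb-cccc-000000000001 not found"
        echo "$err 11111111-aaaa-bbbb-cccc-000000000002 not found"
        echo "$aud"
    } > "$dir/nsx_manager_1/var/log/syslog"
    echo "$aud" > "$dir/nsx_manager_2/var/log/syslog"
}

# Demo on the constructed data; on a real log bundle, pass
# nsx_manager_*/var/log/syslog instead.
sample_dir=$(mktemp -d)
write_sample_logs "$sample_dir"
missing_sections_per_file "$sample_dir"/nsx_manager_*/var/log/syslog
rm -rf "$sample_dir"
```

A node whose count is far above the others matches the pattern described here, where only the manager hosting the VIP fails the section lookups.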
Resolution
This issue will be fixed in a future NSX-T release.
Workaround:
Restart the proton service on the manager node hosting the VIP:
nsxmgR> restart service manager