Not able to apply DFW rules on a few VMs that are a part of the "SECURITY ONLY" TN cluster



Article ID: 317150


Updated On:

Products

VMware NSX

Issue/Introduction

This article describes how to identify, and how to get unblocked from, a situation in which Distributed Firewall (DFW) rules are not applied to some VMs on a transport node (TN) cluster that is prepared for "SECURITY ONLY".

Symptoms:
DFW rules are not enforced on the affected VMs.


Relevant Log Location

Run the following on the ESXi host where the problematic VM is located to check whether a DFW filter is attached to the port in question and which LSP ID it carries:

summarize-dvfilter | grep -i <vmname> -A10

Followed by:
vsipioctl getrules -f nic-########-eth0-vmware-sfw.2

where the filter name (nic-<id>-eth0-vmware-sfw.2) is taken from the "name:" line that follows "vNic slot 2" in the output of the first command.
 
 

Environment

VMware NSX-T Data Center

Cause

After the transport node (TN) installation completes, NSX Manager pushes the logical port ID (LSP ID) for the VIF down to the host. Because the port is not yet ready at that moment, the opsagent cannot apply the configuration and logs "operation failed, error code [bad0003]".

Because the extraConfig on the VIF is left incomplete, the DFW filter for the vNIC is never populated with rules.

Resolution

Currently there is no resolution.

Workaround:
Open an SR with VMware Support.

Troubleshooting example:
 
summarize-dvfilter | grep -i <port> -A10

world ######### vmm0:abc vcUuid:'## ## ## ## ## ## ## ##-## ## ## ## ## ## ## ##'
 port ######## abc.eth0
  vNic slot 2
   name: nic-#########-eth0-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
   vmState: Detached   <<<<<<<<<<<<<<<<<<< filter is Detached from the VM
   failurePolicy: failClosed
   serviceVMID: none
   filter source: Dynamic Filter Creation
   moduleName: nsxt-vsip-20115690

vsipioctl getrules -f nic-########-eth0-vmware-sfw.2

Filter Name : nic-########-eth0-vmware-sfw.2
VM UUID : ## ## ## ## ## ## ## ##-## ## ## ## ## ## ## ##
VNIC Index : 0
VNIC UUID : ########-####-####-####-############.000
LSP ID : 4361   <<<<<<<<<<<<<<<<<<< not the LSP ID pushed by NSX Manager (a UUID); this is a plain DVPG-based port id
Service Profile : --NOT SET--
Filter Rule Config : none   <<<<<<<<<<<<<<<<<<< no rules added
Filter Hash : 63522
No rules.   <<<<<<<<<<<<<<<<<<<
 
# From the NSX Manager desired-state dump, capture the NSX-assigned LSP ID that was pushed for the port in question:
 
"display_name": "abc.vmx@##########",
 "id": "########-####-####-####-################",
 
# Check the host logs for the update of logical port ID ########-####-####-####-################ from NSX Manager to the host, and look for a failure to set the extraConfig property, as below:

nsx-syslog on the ESXi host:
 
2022-xx-xxTxx:xx:xx:xxxZ nsx-opsagent[##########]: NSX ##########- [nsx@#### comp="nsx-esx" subcomp="opsagent" s2comp="nsxa" tid="##########" level="INFO"] [PortOp] Adding [com.vmware.port.extraConfig.logicalPort.id] value [########-####-####-####-############]
2022-xx-xxTxx:xx:xx.xxxZ nsx-opsagent[144903633]: NSX ##########- [nsx@#### comp="nsx-esx" subcomp="opsagent" s2comp="nsxa" tid="##########" level="ERROR" errorCode="MPA44205"] [PortOp] Port set for extraConfig property [com.vmware.port.extraConfig.logicalPort.id] operation failed, error code [bad0003]
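The checks under "Relevant Log Location" and in the troubleshooting example above can be scripted so that the three indicators (filter vmState, LSP ID shape and rule presence in the vsipioctl dump, and the opsagent bad0003 error for the same port id in nsx-syslog) are read off in one pass. The helper below is an added example written for this article, not a VMware tool or part of NSX. On a host you would pipe the live `summarize-dvfilter` / `vsipioctl getrules` output and `/var/log/nsx-syslog.log` into its functions; here the inputs are constructed samples that copy the shape of the redacted output above (all ids, UUIDs and timestamps are invented), so it runs in any POSIX sh with awk and grep, which the ESXi shell also provides.

```shell
#!/bin/sh
# Added triage helper for the "no DFW rules" symptom in this article (example code,
# not a VMware tool). Inputs are constructed samples modelled on the redacted output above.

# Filter name: the "name:" line that follows "vNic slot 2" in summarize-dvfilter output (stdin).
dvfilter_name() {
    awk '/vNic slot 2/ { slot = 1; next }
         slot && /name:/ { sub(/^[ \t]*name:[ \t]*/, ""); print; exit }'
}

# vmState of the slot-2 (DFW) filter; "Detached" is the bad sign called out above.
dvfilter_vmstate() {
    awk '/vNic slot 2/ { slot = 1; next }
         slot && /vmState:/ { sub(/^[ \t]*vmState:[ \t]*/, ""); sub(/[ \t].*/, ""); print; exit }'
}

# Classify a `vsipioctl getrules -f <filter>` dump (stdin). Always returns 0; prints:
#   BAD_LSP  - LSP ID is a plain number (DVPG-based), not the UUID NSX Manager pushed
#   NO_RULES - LSP ID looks right but no rule config was applied
#   OK       - UUID LSP ID and rules present
classify_getrules() {
    dump=$(cat)
    lsp=$(printf '%s\n' "$dump" | awk -F':[ \t]*' '/^LSP ID/ { print $2; exit }' | tr -d ' \t')
    if ! printf '%s\n' "$lsp" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo BAD_LSP
    elif printf '%s\n' "$dump" | grep -Eq '^Filter Rule Config[[:space:]]*:[[:space:]]*none|^No rules\.'; then
        echo NO_RULES
    else
        echo OK
    fi
}

# Did the opsagent fail to set extraConfig logicalPort.id for port $1? Reads nsx-syslog from stdin;
# returns 0 when the "Adding [...logicalPort.id] value [<id>]" INFO line is followed by the
# ERROR "operation failed, error code [bad0003]" line, as in the excerpt above.
extraconfig_failed() {
    awk -v id="$1" '
        /Adding \[com\.vmware\.port\.extraConfig\.logicalPort\.id\] value \[/ { pending = (index($0, "[" id "]") > 0); next }
        pending && /level="ERROR"/ && /error code \[bad0003\]/ { found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# One-line verdict: "<filter> <vmState> <rule verdict> <bad0003 seen: yes|no>"
triage() {
    filter=$(printf '%s\n' "$1" | dvfilter_name)
    state=$(printf '%s\n' "$1" | dvfilter_vmstate)
    verdict=$(printf '%s\n' "$2" | classify_getrules)
    logfail=no
    printf '%s\n' "$3" | extraconfig_failed "$4" && logfail=yes
    printf '%s %s %s %s\n' "$filter" "$state" "$verdict" "$logfail"
}

# --- constructed samples (shape from the article, every value invented) ---
SUMMARY=$(cat <<'EOF'
world 1234567 vmm0:abc vcUuid:'50 1a 2b 3c 4d 5e 6f 70-81 92 a3 b4 c5 d6 e7 f8'
 port 50331660 abc.eth0
  vNic slot 2
   name: nic-1234567-eth0-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
   vmState: Detached
   failurePolicy: failClosed
   serviceVMID: none
   filter source: Dynamic Filter Creation
   moduleName: nsxt-vsip-20115690
EOF
)
BROKEN_RULES=$(cat <<'EOF'
Filter Name : nic-1234567-eth0-vmware-sfw.2
VNIC Index : 0
LSP ID : 4361
Service Profile : --NOT SET--
Filter Rule Config : none
Filter Hash : 63522
No rules.
EOF
)
# Healthy dump: assumed shape, only the UUID LSP ID and absence of "none"/"No rules." matter here.
HEALTHY_RULES=$(cat <<'EOF'
Filter Name : nic-1234567-eth0-vmware-sfw.2
LSP ID : 3d1c6a5e-2b7f-4f8e-9a1d-0c2b4e6f8a1b
Filter Hash : 10001
ruleset domain-c7 {
  rule 1001 at 1 inout protocol any from any to any accept;
}
EOF
)
MANAGER_LSP=3d1c6a5e-2b7f-4f8e-9a1d-0c2b4e6f8a1b   # "id" from the manager desired-state dump
SYSLOG=$(cat <<'EOF'
2022-03-01T10:00:00.000Z nsx-opsagent[144903633]: NSX 144903633 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="nsxa" tid="144903700" level="INFO"] [PortOp] Adding [com.vmware.port.extraConfig.logicalPort.id] value [3d1c6a5e-2b7f-4f8e-9a1d-0c2b4e6f8a1b]
2022-03-01T10:00:00.050Z nsx-opsagent[144903633]: NSX 144903633 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="nsxa" tid="144903700" level="ERROR" errorCode="MPA44205"] [PortOp] Port set for extraConfig property [com.vmware.port.extraConfig.logicalPort.id] operation failed, error code [bad0003]
EOF
)

triage "$SUMMARY" "$BROKEN_RULES" "$SYSLOG" "$MANAGER_LSP"
```

On a live host the same call is `triage "$(summarize-dvfilter | grep -i "$VM" -A10)" "$(vsipioctl getrules -f "$FILTER")" "$(cat /var/log/nsx-syslog.log)" "$LSP_FROM_MANAGER"`; a result of `... Detached BAD_LSP yes` is the signature described in this article and is what to quote in the SR.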

Additional Information

Impact/Risks:
No DFW security posture on the impacted VMs: no rules are applied to their vNIC filters.

Attachments

dvports get_app