Alarm for Group size exceeds limit is seen in the VMware NSX UI


Article ID: 317151


Products

VMware NSX, VMware vDefend Firewall

Issue/Introduction

This KB provides information on "Alarm for group_size_limit_exceeded", including how the total number of effective members is calculated.

Title: Alarm for group_size_limit_exceeded
Event ID: group_size_limit_exceeded
Added in release: 4.1.0
Alarm Description:

    Purpose: The Group size exceeds limit alarm warns the user when processing takes a long time because a group has a large number of members.
    Impact: The user should expect long processing times, which can lead to timeouts and outages.

There may be no alarm present in the NSX UI, but log messages may be present and can be found by:

  1. Open an SSH session to an NSX Manager
  2. Run the command cd /var/log/cloudnet/ and locate the file nsx-ccp.log
  3. Run the command cat nsx-ccp.log | grep -i "CONTAINER_WARNING" |less 
  4. The output will look similar to the example below (note date, time, and other numeric values will differ between environments):
    2025-05-21T20:19:45.751Z  WARN Owl-worker-14 ContainerEventsListenerNewImpl ####### - [nsx@6876 comp="nsx-controller" level="WARNING" subcomp="container"] CONTAINER_WARNING: Container ########-####-####-####-############ has reached the maximum IP/MAC/VIF/LSP/LRP/VM/TN/SID translations limit. Current translations count in Container = IPs:#####, MACs:#####, VIFS:#####, LSPs:#####, LRPs:#, SecurityIDs:#.For optimal system performance, translations in a container should not exceed ##### 

Group membership calculation up to NSX 4.2.1:
The total number of effective members in a group = IP addresses + MAC addresses + VIFs (virtual interfaces) + LSPs (logical switch ports) + LRPs (logical router ports) + SIDs (security identifiers)

When a VM is added to a group (e.g. via tags), its IP, MAC, VIF, and LSP are added to the group automatically.

For example, a tag is configured as a criterion in a group. There are 2600 VMs tagged with the tag. Each VM has 2 IPs (an IPv4 and an IPv6 address), a VIF, a MAC, and an LSP. NSX calculates the effective members of the group as follows:
Total number of effective members = 2600 x 2 (IP) + 2600 x 1 (VIF) + 2600 x 1 (MAC) + 2600 x 1 (LSP) = 13000

The total above exceeds the group limit for a Large NSX Manager. An alarm for group_size_limit_exceeded is shown in the UI.

NOTE: Certain NSX deployment sizes have different limitations on Group Member sizes

For group membership calculation in NSX 4.2.2 or later, please see the NSX 4.2.2 Release Notes for details (only IP addresses, both IPv4 and IPv6, are counted as effective members).


For group membership calculation in NSX 4.1.0 and earlier please see VMware NSX 4.1.0 Release Notes.
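
As an added example (not part of the original KB and not VMware code), the following Python script parses CONTAINER_WARNING lines in the format shown in step 4 and applies both counting rules described above, comparing each total with the threshold printed in the log line. It assumes the six counters in the log line correspond to the terms of the formula; the sample lines, the UUID, the counts and the 10000 threshold are constructed values, not NSX limits.

```python
import re

# Constructed sample in the format of the CONTAINER_WARNING line from nsx-ccp.log.
# The UUID, counts and the 10000 threshold are made-up values, not NSX limits.
SAMPLE_LOG = (
    '2025-05-21T20:19:40.000Z  INFO Owl-worker-14 unrelated line (constructed)\n'
    '2025-05-21T20:19:45.751Z  WARN Owl-worker-14 ContainerEventsListenerNewImpl 1234 - '
    '[nsx@6876 comp="nsx-controller" level="WARNING" subcomp="container"] '
    'CONTAINER_WARNING: Container 00000000-0000-0000-0000-000000000001 has reached the maximum '
    'IP/MAC/VIF/LSP/LRP/VM/TN/SID translations limit. Current translations count in Container = '
    'IPs:5200, MACs:2600, VIFS:2600, LSPs:2600, LRPs:0, SecurityIDs:0.For optimal system '
    'performance, translations in a container should not exceed 10000\n'
)

WARNING_RE = re.compile(
    r'CONTAINER_WARNING: Container (?P<container>[0-9a-fA-F-]{36}) .*?'
    r'Current translations count in Container = (?P<counts>.*?)\.\s*For optimal'
    r'.*?should not exceed (?P<limit>\d+)'
)
COUNT_RE = re.compile(r'(\w+):(\d+)')  # matches pairs such as "IPs:5200"

def parse_warnings(text):
    """Return one dict per CONTAINER_WARNING line; other lines are skipped."""
    results = []
    for line in text.splitlines():
        m = WARNING_RE.search(line)
        if not m:
            continue
        counts = {k.lower(): int(v) for k, v in COUNT_RE.findall(m['counts'])}
        all_types = sum(counts.values())  # up to NSX 4.2.1: IP+MAC+VIF+LSP+LRP+SID
        ip_only = counts.get('ips', 0)    # NSX 4.2.2 or later: only IPs are counted
        limit = int(m['limit'])           # threshold as reported in the log line
        results.append({
            'container': m['container'],
            'counts': counts,
            'limit': limit,
            'members_upto_4_2_1': all_types,
            'members_4_2_2_plus': ip_only,
            'over_upto_4_2_1': all_types > limit,
            'over_4_2_2_plus': ip_only > limit,
        })
    return results

if __name__ == "__main__":
    for r in parse_warnings(SAMPLE_LOG):
        print(r)
```

With the constructed counts, which mirror the 2600-VM example, the same group is over the threshold under the pre-4.2.2 rule and under it when only IP addresses are counted.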

 

Environment

VMware NSX 4.1.0 or above

Cause

Possible causes for the alarm to trigger can be:

  • Environment upgrades (both hardware and software based)
  • vMotion
  • Traffic within the environment increases or a large scale request was present
  • The group has more members than the total effective member limit
  • A configuration change is implemented for that group

Resolution

1. Go to the group alarm and get the Group name.
2. Go to Inventory/Groups and find the oversized Group based on the name.
3. Edit the Group (reduce the Group size or split this Group into multiple smaller Groups).
    

Additional Information

Maintenance window required for remediation?
     No

API reference: https://{nsx-ip}/api/v1/alarms?feature_name=groups