Unable to apply DFW rules to VM in Security only install



Article ID: 317167


Updated On:

Products

VMware vDefend Firewall

Issue/Introduction

  • Security-only install: DFW rules do not take effect on VMs on an affected ESXi host.
  • In the NSX Manager UI, the distributed ports and the IP addresses of group members are not visible while the VM is on the affected ESXi host, so the firewall policy does not apply.
  • If the same VM is moved to a different host, it works.
  • ESXi logs show that the dvfilter is applied to the VM and that the VIF and LSP ID are present. The net-dvs output on the ESXi host shows the dvport for the affected VMs, and the VIFs have an LSP ID attached, but NSX Manager has no reference to these LSP IDs.
  • The nsx-syslog on the affected host shows that opsAgent was disconnected and that nsxa stopped processing VIFs afterwards.

    For example:

    nsx-opsagent[2101339]: NSX 2101339 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="nsxa" tid="2101505" level="INFO"] [updateNsxaHealth] isNsxaHealthy = down.
    nsx-opsagent[2101339]: NSX 2101339 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="nsxa" tid="2102145" level="INFO"] [updateNsxaHealth] Setting nsxa health status for security dvs [ca 9d 0f 50 98 51 70 fe-89 53 6c 88 f0 cd fb be] : up

    nsxaVim: [2101564]: INFO vifinv: processing 'vim.VirtualMachine:1' enter, vifMsg is disabled^@

Environment

VMware NSX-T Data Center
Security only installation

Cause

The issue occurs when nsxa stops processing VIFs. Check for "vifMsg is disabled" in /var/run/log/nsxaVim.log on the host to confirm the issue:


nsxaVim: [2977033]: INFO vifinv: processing 'vim.VirtualMachine:25' leave, vifMsg is enabled^@
nsxaVim: [2101564]: INFO vifinv: processing 'vim.VirtualMachine:1' enter, vifMsg is disabled^@

Resolution

This issue is resolved in VMware NSX 3.2.2, available at Broadcom downloads.

If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.



Workaround:

  1. Put the ESXi host carrying the affected VMs into maintenance mode.
  2. Invoke the resync_host_config API for the transport node of this ESXi host:

    POST https://<nsx-mgr>/api/v1/transport-nodes/<transport-node-uuid>?action=resync_host_config

  3. Verify that the following log statement appears in /var/log/nsxaVim.log on the host:

    "Updating vifOpMode to enable runtime vnic updates"

  4. Exit maintenance mode.
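The following script is an added example, not part of this KB article or of any VMware tooling. It covers the check from the Cause section (find VMs whose latest nsxaVim vifinv line reports "vifMsg is disabled") and the workaround steps 2 and 3 (build the resync_host_config POST for a transport node and confirm the "Updating vifOpMode" statement in the log). The log lines embedded below are constructed from the samples quoted in this article; the NSX Manager host name, transport node UUID and credentials are placeholders, and basic authentication against the NSX Manager API is an assumption of the example. Putting the host into and out of maintenance mode (steps 1 and 4) is left to vCenter.

```python
"""Detect the 'vifMsg is disabled' condition in nsxaVim.log and prepare the
resync_host_config call described in the KB workaround (added example)."""
import base64
import re
import urllib.request
from typing import Dict, Iterable, List

# Matches the vifinv lines quoted in the KB. search() is used so a leading
# timestamp or syslog prefix, if present, does not matter.
VIFINV_RE = re.compile(
    r"nsxaVim: \[(?P<pid>\d+)\]: INFO vifinv: processing "
    r"'(?P<vm>vim\.VirtualMachine:\d+)' (?P<phase>enter|leave), "
    r"vifMsg is (?P<state>enabled|disabled)"
)

# Log statement the KB says confirms a successful resync (step 3).
RESYNC_CONFIRMATION = "Updating vifOpMode to enable runtime vnic updates"

# Constructed sample log (the trailing NUL is what the KB renders as ^@).
SAMPLE_LOG: List[str] = [
    "nsxaVim: [2977033]: INFO vifinv: processing 'vim.VirtualMachine:25' leave, vifMsg is enabled\x00",
    "nsxaVim: [2101564]: INFO vifinv: processing 'vim.VirtualMachine:1' enter, vifMsg is disabled\x00",
    "nsxaVim: [2101564]: INFO vifinv: processing 'vim.VirtualMachine:7' enter, vifMsg is disabled\x00",
]


def parse_vifinv(lines: Iterable[str]) -> Dict[str, str]:
    """Return the most recent vifMsg state ('enabled'/'disabled') seen per VM."""
    state: Dict[str, str] = {}
    for line in lines:
        m = VIFINV_RE.search(line.rstrip("\x00\r\n"))
        if m:
            state[m.group("vm")] = m.group("state")
    return state


def vms_with_vif_disabled(lines: Iterable[str]) -> List[str]:
    """VM ids whose latest vifinv line shows nsxa is no longer processing VIFs."""
    return sorted(vm for vm, s in parse_vifinv(lines).items() if s == "disabled")


def resync_confirmed(lines: Iterable[str]) -> bool:
    """True if the log contains the confirmation statement from workaround step 3."""
    return any(RESYNC_CONFIRMATION in ln for ln in lines)


def build_resync_request(nsx_mgr: str, tn_uuid: str,
                         username: str, password: str) -> urllib.request.Request:
    """Build (but do not send) the resync_host_config POST from workaround step 2."""
    url = f"https://{nsx_mgr}/api/v1/transport-nodes/{tn_uuid}?action=resync_host_config"
    # Basic auth is assumed here; the API call in the KB does not specify the auth scheme.
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        url, data=b"", method="POST",
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"},
    )


def resync_host(nsx_mgr: str, tn_uuid: str, username: str, password: str) -> int:
    """Send the resync request and return the HTTP status (needs network access)."""
    req = build_resync_request(nsx_mgr, tn_uuid, username, password)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Step from the Cause section: confirm the condition from the sample log.
    affected = vms_with_vif_disabled(SAMPLE_LOG)
    print("VMs with vifMsg disabled:", affected)
    # Step 2 (shown, not sent): placeholders for manager, transport node and credentials.
    req = build_resync_request("nsx-mgr.example", "<transport-node-uuid>", "admin", "<password>")
    print("Would send:", req.get_method(), req.full_url)
    # Step 3: re-read /var/log/nsxaVim.log after the resync and look for the confirmation.
    print("Resync confirmed in sample log:", resync_confirmed(SAMPLE_LOG))
```

Run it as-is to see the detection on the constructed sample; on a real host, feed `parse_vifinv` the lines of /var/run/log/nsxaVim.log and, after the resync, re-run `resync_confirmed` on the refreshed file before taking the host out of maintenance mode.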

Additional Information

Impact/Risks:
No DFW security on VMs on affected host.