Firewall rule publish takes longer time than usual
Article ID: 317175
Updated On:
Products
VMware NSX
Issue/Introduction
Symptoms:
- Too many container updates from NSX Manager to hosts:
- Example:
- 2020-11-19 15:12:15.630 GMT-00:00 INFO TaskFrameworkExecutor-29 NotificationProcessor:485 - - [nsxv@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Processing Context globalroot-0 : 0 rule updates, 455/2158 container updates, 0 spoofguard updates, 0 timer updates.
2020-11-19 15:14:49.554 GMT-00:00 INFO TaskFrameworkExecutor-29 NotificationProcessor:485 - - [nsxv@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Processing Context globalroot-0 : 0 rule updates, 512/2639 container updates, 0 spoofguard updates, 0 timer updates.
- 2020-11-19 15:12:15.630 GMT-00:00 INFO TaskFrameworkExecutor-29 NotificationProcessor:485 - - [nsxv@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Processing Context globalroot-0 : 0 rule updates, 455/2158 container updates, 0 spoofguard updates, 0 timer updates.
- Example:
- Amount to time to recompute the security group is higher, re-computation is due to inventory changes
Environment
VMware NSX for vSphere 6.4.x
Cause
As security tags accrue more objects, the amount of time for translation increases.
Due to the increased translation time, publication time increases as well.
Due to the increased translation time, publication time increases as well.
Resolution
- Reduce the number of Security Groups a particular security tag is part of.
- Upgrade to 6.4.11 as the page size was increased to 500k.
Additional Information
Impact/Risks:
No impact at Data path, however provisioning is delayed as the publish time is higher.
No impact at Data path, however provisioning is delayed as the publish time is higher.
Feedback
Yes
No
Powered by
