Firewall rules are not applied on newly deployed VMs
Article ID: 317722
Products
VMware NSX
Issue/Introduction
Symptoms: On an NSX for vSphere 6.2.7, 6.2.8, 6.3.2, 6.3.3 or 6.3.4 environment, you experience this symptom:
Firewall rules are not applied on newly deployed VMs.
Cause
This issue occurs when multiple container updates (security group membership changes) arrive within the same address set aggregation window (3 seconds by default) and some of the updates are dropped while the batch is processed. As a result the new VM's IP address never reaches the address sets on the ESXi host, and the DFW rules that reference those sets do not match the VM's traffic.
Resolution
This issue is resolved in:
VMware NSX for vSphere 6.2.9
VMware NSX for vSphere 6.3.5
Workaround:
To work around this issue if you do not want to upgrade, do either of the following:
Force sync the DFW rules on the affected clusters where the new VMs were deployed.
Click Edit on the security group that is missing the VM IPs and submit it without any changes; this republishes the membership to the hosts.
Until the rules are applied, traffic to and from the new VM is not filtered by the DFW rules that should cover it, so after applying the workaround verify the rules and address sets on each affected VM using the commands under Additional Information.
Additional Information
To validate that this article applies to your issue, run the following commands on the ESXi host that has the affected VM:
Enable tracing for vsfwd:
vsipioctl tracevsfwd -e
Display the current trace status:
vsipioctl tracevsfwd -s
Note: The status output includes the address set aggregation timeout; the default value is 3 seconds.
Set the address set aggregation timeout to 0 (disables aggregation, so each update is processed individually):
vsipioctl tracevsfwd -c addrset-timeout -t 0
Confirm that the address set aggregation timeout value is now 0 seconds:
vsipioctl tracevsfwd -s
Check whether the issue is still reproducible. If newly deployed VMs receive their firewall rules with the timeout set to 0 but not with the default of 3 seconds, this article applies. Setting the timeout to 0 is a diagnostic step, not a fix; upgrade to a fixed release or use the workaround above.
To further troubleshoot this issue:
Verify that all DFW rules are being pushed to the VM's vNIC filter using this command:
vsipioctl getfwrules -f {vNIC_filter}
Check whether the VM's IP address has been added to the address sets of the security groups with this command:
vsipioctl getaddrsets -f {vNIC_filter}
Verify the VM and IP translations of the security group using the following NSX Manager REST API calls:
GET https://<vsm-ip>/api/2.0/services/securitygroup/{securityGroupId}/translation/virtualmachines
GET https://<vsm-ip>/api/2.0/services/securitygroup/{securityGroupId}/translation/ipaddresses
If the VM appears in the translation results on NSX Manager but its IP is absent from the address sets on the host, the update was lost on the way to the host, which is the behaviour this article describes.
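The two host-side checks above (getfwrules and getaddrsets) are easy to misread by eye when a filter carries many rules and address sets. The script below is an added example, not part of this VMware KB article or of the NSX product: it parses the output of those two commands, reports which address sets contain a given VM IP and which rules reference those sets, and exits non-zero when the IP is missing, which is the condition this article describes. The sample outputs, filter name, set names, rule numbers and IP addresses are constructed to resemble the real format and are hypothetical; check them against a real host before relying on the parsing.

```shell
#!/bin/sh
# Added example (not from the VMware KB or NSX): check that a VM's IP address is
# present in the DFW address sets on the ESXi host and that at least one rule
# references those sets. On a real host the inputs come from the two commands
# named in the article:
#   vsipioctl getaddrsets -f <vNIC_filter>
#   vsipioctl getfwrules  -f <vNIC_filter>
# The sample outputs below are CONSTRUCTED to resemble that format; every name,
# rule number and IP in them is hypothetical.

SAMPLE_ADDRSETS='addrset ip-securitygroup-10 {
ip 10.10.10.10,
ip 10.10.10.11,
}
addrset ip-securitygroup-12 {
ip 10.10.20.5,
}'

SAMPLE_RULES='ruleset domain-c7 {
  # Filter rules
  rule 1003 at 1 inout protocol tcp from addrset ip-securitygroup-10 to any port 443 accept;
  rule 1002 at 2 inout protocol any from any to addrset ip-securitygroup-12 drop;
  rule 1001 at 3 inout protocol any from any to any accept;
}'

# addrsets_containing_ip IP : read getaddrsets output on stdin and print the
# names of the address sets that list IP, one per line.
addrsets_containing_ip() {
  awk -v want="$1" '
    /^addrset / { name = $2 }
    /^ip /      { v = $2; sub(/,$/, "", v); if (v == want) print name }
  '
}

# rules_referencing_addrset SET : read getfwrules output on stdin and print the
# ids of the rules whose match criteria reference address set SET. The trailing
# space in the search string avoids matching a set whose name is a prefix.
rules_referencing_addrset() {
  awk -v s="$1" '
    /^[[:space:]]*rule [0-9]+ / && index($0, "addrset " s " ") { print $2 }
  '
}

# check_ip ADDRSETS_TEXT RULES_TEXT IP : returns 0 if IP is in at least one
# address set that some rule references, 1 otherwise (the failing case is the
# symptom of this article: the new VM's IP never reached the host's address sets).
check_ip() {
  sets=$(printf '%s\n' "$1" | addrsets_containing_ip "$3")
  [ -n "$sets" ] || { echo "MISSING: $3 is not in any address set"; return 1; }
  found=0
  for s in $sets; do
    ids=$(printf '%s\n' "$2" | rules_referencing_addrset "$s" | tr '\n' ' ')
    if [ -n "$ids" ]; then
      echo "OK: $3 is in $s, referenced by rule(s): $ids"
      found=1
    fi
  done
  [ "$found" -eq 1 ] || { echo "MISSING: $3 is in $sets but no rule references it"; return 1; }
}

# live_check VNIC_FILTER IP : run the real commands on an ESXi host. Not executed
# here; call it manually, e.g. live_check nic-12345-eth0-vmware-sfw.2 10.10.10.10
live_check() {
  check_ip "$(vsipioctl getaddrsets -f "$1")" "$(vsipioctl getfwrules -f "$1")" "$2"
}
```

Run it on the host with `sh check.sh` and then `live_check <filter> <ip>`; a MISSING result for a VM that NSX Manager's translation API does list is the signature of the lost update this article describes, and a Force sync (or an edit-and-resubmit of the security group) should turn it into OK.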