NSX-T DFW rules are not applied to VMs in security only environments


Article ID: 317753


Updated On:

Products

VMware NSX

Issue/Introduction

  • NSX-T security-only environment, i.e. DFW applied to vDS port groups.
  • DFW is not working as expected on certain VMs; the issue started after a vMotion of those VMs.
  • In the NSX UI the DFW rules are published with a status of Success, so the publish status alone cannot be used to confirm that the rules are enforced on the VM.
  • The DFW rules published in the NSX UI are not present on the VM on the ESXi host. Use the following commands to view the rules at the dataplane level (on the ESXi host):
[root@esx-04:~] summarize-dvfilter | grep -A 9 UPSAv2-02.eth0
 port ####### UPSAv2-02.eth0
 vNic slot 2

   name: nic-########-eth0-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
   vmState: Attached
   failurePolicy: failClosed
   serviceVMID: 4
   filter source: Dynamic Filter Creation
   moduleName: nsxt-vsip-########
Note: In the above command the VM being checked for rules is UPSAv2-02; the value after "port" is the dvport number of its vNIC.
[root@esx-04:~] vsipioctl getrules -f nic-#########-eth0-vmware-sfw.2
 No rules.
Note: The slot 2 (vmware-sfw) filter name found for the VM in the previous command is passed to vsipioctl to display the DFW rules pushed down to that VM. "No rules." means no DFW rules exist on the dataplane for this vNIC, even though the UI shows the publish as successful.
  • The vmState shown by summarize-dvfilter may be either Attached or Detached; the symptom occurs in both cases.
  • In the ESXi log nsx-syslog.log the following ERRORs are seen:
2023-01-12T12:52:15.691Z nsx-opsagent[2109286]: NSX 2109286 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="nsxa" tid="2109776" level="INFO"] [DoMpVifAttachRpc] Setting extra-configs of logical-port a8ebde8d-####-####-####-##########70 to enable security on dvport 462
2023-01-12T12:52:15.691Z nsx-opsagent[2109286]: NSX 2109286 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="nsxa" tid="2109776" level="INFO"] [PortOp] Adding [com.vmware.port.extraConfig.security.enable] value [true]
2023-01-12T12:52:15.691Z nsx-opsagent[2109286]: NSX 2109286 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="nsxa" tid="2109776" level="ERROR" errorCode="MPA44205"] [PortOp] Port set for extraConfig property [com.vmware.port.extraConfig.security.enable] operation failed, error code [bad0003]
2023-01-12T12:52:15.691Z nsx-opsagent[2109286]: NSX 2109286 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="nsxa" tid="2109776" level="INFO"] [PortOp] Adding [com.vmware.port.extraConfig.vnic.external.id] value [682587291]
2023-01-12T12:52:15.691Z nsx-opsagent[2109286]: NSX 2109286 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="nsxa" tid="2109776" level="ERROR" errorCode="MPA44205"] [PortOp] Port set for extraConfig property [com.vmware.port.extraConfig.vnic.external.id] operation failed, error code [bad0003]
2023-01-12T12:52:15.691Z nsx-opsagent[2109286]: NSX 2109286 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="nsxa" tid="2109776" level="INFO"] [PortOp] Adding [com.vmware.port.extraConfig.opaqueNetwork.id] value [ea084523-####-####-####-##########95]
2023-01-12T12:52:15.691Z nsx-opsagent[2109286]: NSX 2109286 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="nsxa" tid="2109776" level="ERROR" errorCode="MPA44205"] [PortOp] Port set for extraConfig property [com.vmware.port.extraConfig.opaqueNetwork.id] operation failed, error code [bad0003]
2023-01-12T12:52:15.691Z nsx-opsagent[2109286]: NSX 2109286 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="nsxa" tid="2109776" level="INFO"] [PortOp] Adding [com.vmware.port.extraConfig.logicalPort.id] value [a8ebde8d-####-####-####-##########70]
2023-01-12T12:52:15.691Z nsx-opsagent[2109286]: NSX 2109286 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="nsxa" tid="2109776" level="ERROR" errorCode="MPA44205"] [PortOp] Port set for extraConfig property [com.vmware.port.extraConfig.logicalPort.id] operation failed, error code [bad0003]
2023-03-09T22:32:56.542Z nsx-opsagent[2333832]: NSX 2333832 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="nsxa" tid="2346825" level="ERROR" errorCode="MPA44205"] [PortOp] Failed [3] times to set port [72] extra-configs, error [bad0003]
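The check described above can be run across every vNIC on a host instead of one VM at a time. The script below is an added example, not tooling from the KB or from VMware: it parses summarize-dvfilter output for the vmware-sfw filter of each vNIC, asks vsipioctl for that filter's rules and flags any that answer "No rules.", and extracts from nsx-syslog.log the dvports on which the opsagent gave up (MPA44205, bad0003) and the extraConfig properties that failed. It is written for the ESXi busybox shell; the output formats are assumed from the KB's own samples, the log path /var/log/nsx-syslog.log is an assumption, and the embedded dvfilter/getrules data is constructed so the script also runs offline as a demonstration.

```shell
#!/bin/sh
# Added example, not the KB's or VMware's own tooling: audit the DFW
# (vmware-sfw) filters on one ESXi host. Assumes summarize-dvfilter and
# vsipioctl in the ESXi shell; output formats assumed from the KB samples.
DVFILTER_CMD="${DVFILTER_CMD:-summarize-dvfilter}"
GETRULES_CMD="${GETRULES_CMD:-vsipioctl getrules -f}"
NSX_LOG="${NSX_LOG:-/var/log/nsx-syslog.log}"   # assumed location on ESXi

# stdin: summarize-dvfilter output. stdout: "<vnic> <vmState> <filter>" for
# each vmware-sfw filter; other agents (e.g. the swsec filter) are skipped.
list_sfw_filters() {
    awk '
        /^ *port [^ ]+ /  { port = $3 }            # " port 6710xxxx VM.eth0"
        /^ *name: /       { name = $2 }
        /^ *agentName: /  { agent = $2 }
        /^ *vmState: /    { vms = $2 }
        /^ *moduleName: / {                        # last field of a filter block
            if (agent == "vmware-sfw") print port, vms, name
            name = agent = vms = ""
        }'
}

# Ask the dataplane for one filter's rules. "No rules." means the VM has no
# DFW policy although the UI reported the publish as Success; returns 1 then.
check_filter_rules() {
    out=$($GETRULES_CMD "$1" 2>&1)
    case "$out" in
        *"No rules."*) echo "EMPTY $1"; return 1 ;;
        *)             echo "OK $1";    return 0 ;;
    esac
}

# Report every DFW filter on the host with its vmState and rule status.
audit_host() {
    $DVFILTER_CMD | list_sfw_filters | while read -r vnic vmstate filter; do
        printf '%s vmState=%s ' "$vnic" "$vmstate"
        check_filter_rules "$filter" || true
    done
}

# stdin: nsx-syslog.log. stdout: dvport numbers where the opsagent exhausted
# its retries ("Failed [N] times to set port [P] extra-configs, error [bad0003]").
failed_ports() {
    sed -n 's/.*errorCode="MPA44205".*Failed \[[0-9]*] times to set port \[\([0-9]*\)] extra-configs.*error \[bad0003].*/\1/p' | sort -u
}

# stdin: nsx-syslog.log. stdout: the extraConfig properties that could not be set.
failed_properties() {
    sed -n 's/.*Port set for extraConfig property \[\([^]]*\)] operation failed, error code \[bad0003].*/\1/p' | sort -u
}

# Constructed sample (not real output): UPSAv2-02 shows the KB symptom, web-01 is healthy.
SAMPLE_DVFILTER=' port 67108874 UPSAv2-02.eth0
   name: nic-1001-eth0-dvfilter-generic-vmware-swsec.1
   agentName: dvfilter-generic-vmware-swsec
   vmState: Attached
   moduleName: nsxt-swsec-1234
   name: nic-1001-eth0-vmware-sfw.2
   agentName: vmware-sfw
   vmState: Attached
   moduleName: nsxt-vsip-1234
 port 67108875 web-01.eth0
   name: nic-1002-eth0-vmware-sfw.2
   agentName: vmware-sfw
   vmState: Attached
   moduleName: nsxt-vsip-1234'
sample_dvfilter() { printf '%s\n' "$SAMPLE_DVFILTER"; }
sample_getrules() {                       # stands in for "vsipioctl getrules -f"
    case "$1" in
        nic-1001-*) echo "No rules." ;;
        *)          echo "ruleset domain-c8 { rule 1 at 1 inout protocol any from any to any accept; }" ;;
    esac
}

if command -v summarize-dvfilter >/dev/null 2>&1; then   # live on an ESXi host
    audit_host
    echo "dvports with exhausted retries: $(failed_ports < "$NSX_LOG" | tr '\n' ' ')"
else                                                    # offline demo on the sample
    DVFILTER_CMD=sample_dvfilter; GETRULES_CMD=sample_getrules
    audit_host
fi
```

Run it on the affected host after the vMotion: any line marked EMPTY is a vNIC whose DFW filter is attached but carries no rules, and the dvport numbers from failed_ports can be matched against the "to enable security on dvport N" entries earlier in the same log to find which VM attach hit the failure.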



Environment

VMware NSX-T Data Center

Cause

This issue occurs when NSX-T tries to apply its extra configuration (com.vmware.port.extraConfig.security.enable, com.vmware.port.extraConfig.vnic.external.id, com.vmware.port.extraConfig.opaqueNetwork.id and com.vmware.port.extraConfig.logicalPort.id) to enable security on a distributed port that is not yet in an active or valid state; on the affected VMs this happens during the VIF attach that follows the vMotion. Because the extra configuration is what ties the dvport to the NSX logical port and enables security on it, the DFW filter for that vNIC is left without rules.
The log entry Failed [3] times to set port [72] extra-configs, error [bad0003] indicates that the opsagent retried applying the extra configuration three times, each attempt failed, and it did not retry further.

Resolution

This issue is resolved in VMware NSX-T Data Center 3.2.2.1, 3.2.3 and VMware NSX 4.1.1, available at Broadcom downloads.

Workaround

  • Connect the vNIC of the identified virtual machine to a different network (port group), then connect it back to the target port group. This re-triggers the port attach and the application of the extra configuration; re-run vsipioctl getrules on the VM's vmware-sfw filter afterwards to confirm the rules are now present.
  • If the issue persists after trying this workaround, open a support request with Broadcom Support and reference this KB.