Distributed Firewall stays in Publishing state with certain firewall configurations in NSX
Article ID: 318252
Products
VMware NSX for vSphere
Issue/Introduction
The Distributed Firewall (DFW) stays in the Publishing state indefinitely with certain firewall configurations.
Distributed Firewall User Interface (UI) displays a message on the top of the page similar to:
Publishing rules
In the NSX Manager logs, you see entries similar to:
2017-11-19 18:01:42.161 PST ERROR TaskFrameworkExecutor-4 FirewallMessagingManager:118 - Exception while publishing rule set to cluster: domain-c243. com.vmware.vshield.vsm.ip.utils.InvalidNumMaskBitsException: core-services:1427:Invalid IP mask bits specified. Number of bits provided is 0.
    at com.vmware.vshield.vsm.ip.utils.IPv4Address.checkNumMaskBits(IPv4Address.java:55)
    at com.vmware.vshield.vsm.ip.utils.IPv4Address.<init>(IPv4Address.java:250)
    at com.vmware.vshield.vsm.ip.utils.IPv4Address.getNetworkAddress(IPv4Address.java:309)
2017-11-19 18:01:42.165 PST INFO TaskFrameworkExecutor-4 EventHelper:144 - SysEvent-Detailed-Message :(Kept only in logs) :: com.vmware.vshield.vsm.ip.utils.InvalidNumMaskBitsException: core-services:1427:Invalid IP mask bits specified. Number of bits provided is 0.
2017-11-19 18:01:42.170 PST INFO TaskFrameworkExecutor-12 ScheduleSynchronizer:60 - Releasing a thread to executor pool and executor pool active count 2
2017-11-19 18:01:42.171 PST INFO TaskFrameworkExecutor-4 SystemEventDaoImpl:134 - [SystemEvent] Time:'Sun Nov 19 18:01:42.165 PST 2017', Severity:'Critical', Event Source:'domain-c243', Code:'301503', Event Message:'Failed to publish firewall configuration version 1511143300499 to cluster domain-c243. Refer logs for details.', Module:'vShield Firewall', Universal Object:'false'
2017-11-19 18:01:42.178 PST ERROR TaskFrameworkExecutor-4 SimpleTaskManager:144 - Error during publish Task AppNotificationHandler. org.springframework.transaction.TransactionSystemException: Could not commit JPA transaction; nested exception is javax.persistence.RollbackException: Transaction marked as rollbackOnly
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
Environment
VMware NSX for vSphere 6.3.x
Cause
This issue occurs because NSX for vSphere 6.3.4 and 6.3.5 cannot process firewall rules for certain configurations in which IP Sets are used in include and exclude lists. The NSX Manager log shows the publish to the cluster failing with InvalidNumMaskBitsException ("Number of bits provided is 0"), which raises the critical system event with code 301503 for that cluster; the publish transaction is then rolled back, and the DFW UI keeps reporting "Publishing rules" because the new configuration version is never applied.
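To confirm you are hitting this failure mode rather than a generic publish delay, it helps to pull the affected cluster, exception class, event code and firewall configuration version out of the NSX Manager log, and to check the IP Sets referenced by the rules for entries with a 0-bit mask, which is what the logged exception complains about. The following Python is an added example written for this article, not VMware code: the sample log text is the article's own excerpt split one entry per line (constructed input, not a live capture), the regular expressions are this example's assumptions about the message layout, and `zero_mask_entries` assumes the NSX IP Set `value` format of comma-separated addresses, ranges and CIDR entries. It assumes that a `/0` entry is what produces "Number of bits provided is 0"; verify that against your own IP Sets before changing anything.

```python
import re
import ipaddress
from typing import Dict, List

# Constructed sample: the NSX Manager log entries quoted in this article,
# one entry per line. Timestamps and identifiers are the article's, not live data.
SAMPLE_LOG = """\
2017-11-19 18:01:42.161 PST ERROR TaskFrameworkExecutor-4 FirewallMessagingManager:118 - Exception while publishing rule set to cluster: domain-c243. com.vmware.vshield.vsm.ip.utils.InvalidNumMaskBitsException: core-services:1427:Invalid IP mask bits specified. Number of bits provided is 0.
2017-11-19 18:01:42.165 PST INFO TaskFrameworkExecutor-4 EventHelper:144 - SysEvent-Detailed-Message :(Kept only in logs) :: com.vmware.vshield.vsm.ip.utils.InvalidNumMaskBitsException: core-services:1427:Invalid IP mask bits specified. Number of bits provided is 0.
2017-11-19 18:01:42.170 PST INFO TaskFrameworkExecutor-12 ScheduleSynchronizer:60 - Releasing a thread to executor pool and executor pool active count 2
2017-11-19 18:01:42.171 PST INFO TaskFrameworkExecutor-4 SystemEventDaoImpl:134 - [SystemEvent] Time:'Sun Nov 19 18:01:42.165 PST 2017', Severity:'Critical', Event Source:'domain-c243', Code:'301503', Event Message:'Failed to publish firewall configuration version 1511143300499 to cluster domain-c243. Refer logs for details.', Module:'vShield Firewall', Universal Object:'false'
2017-11-19 18:01:42.178 PST ERROR TaskFrameworkExecutor-4 SimpleTaskManager:144 - Error during publish Task AppNotificationHandler. org.springframework.transaction.TransactionSystemException: Could not commit JPA transaction; nested exception is javax.persistence.RollbackException: Transaction marked as rollbackOnly
"""

# Assumed message layouts, derived from the excerpt above (not an official log schema).
PUBLISH_ERR = re.compile(
    r"Exception while publishing rule set to cluster: (?P<cluster>domain-c\d+)\. "
    r"(?P<exception>[\w.]+Exception): .*?Number of bits provided is (?P<bits>\d+)"
)
SYS_EVENT = re.compile(
    r"Code:'(?P<code>\d+)'.*?Failed to publish firewall configuration version "
    r"(?P<version>\d+) to cluster (?P<cluster>domain-c\d+)"
)


def find_publish_failures(log_text: str) -> List[Dict[str, object]]:
    """Return one record per cluster whose DFW publish failed, merging the
    FirewallMessagingManager exception line with the matching SystemEvent line
    (event code, firewall configuration version) for the same cluster."""
    failures: Dict[str, Dict[str, object]] = {}
    for line in log_text.splitlines():
        m = PUBLISH_ERR.search(line)
        if m:
            rec = failures.setdefault(m["cluster"], {"cluster": m["cluster"]})
            rec["exception"] = m["exception"]
            rec["mask_bits"] = int(m["bits"])
            continue
        m = SYS_EVENT.search(line)
        if m:
            rec = failures.setdefault(m["cluster"], {"cluster": m["cluster"]})
            rec["event_code"] = m["code"]
            rec["config_version"] = m["version"]
    return sorted(failures.values(), key=lambda r: str(r["cluster"]))


def zero_mask_entries(ipset_value: str) -> List[str]:
    """Given an IP Set value string (assumed comma-separated addresses, ranges
    and CIDRs), return the CIDR entries whose prefix length is 0. Plain
    addresses and ranges are skipped; unparsable entries are ignored rather
    than guessed at."""
    bad = []
    for entry in (v.strip() for v in ipset_value.split(",") if v.strip()):
        if "/" not in entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue
        if net.prefixlen == 0:
            bad.append(entry)
    return bad


if __name__ == "__main__":
    for rec in find_publish_failures(SAMPLE_LOG):
        print(rec)
    # Constructed IP Set value containing one /0 entry.
    print(zero_mask_entries("10.0.0.0/8, 192.168.1.10, 0.0.0.0/0, 172.16.0.0-172.16.0.20"))
```

Run the first function over a copy of the NSX Manager log to list every cluster and configuration version stuck on this exception; the second function is meant to be applied to the `value` of each IP Set referenced by the DFW rules or their include and exclude lists, so the offending entries can be corrected before the publish is retried.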