NSX-T NSGroups can not be edited after NSX-T upgrade from 3.1.x to 3.2.1.x
Article ID: 318295
Updated On:
Products
VMware NSX
Issue/Introduction
Symptoms:
- You are using IDFW which contains one or more NSGroups.
- You have recently upgrade from 3.1.x to 3.2.1.x.
- When you attempt to edit the NSGroup, you receive an error such as:
realization failure, waiting for realization of {1} [/infra/domains/default/groups/<Group-name> Realization will be reattempted in next cycle (max 5 minutes)
- There is no noticeable impact and the IDFW rules still continue to apply.
Environment
VMware NSX-T Data Center 3.x
VMware NSX-T Data Center
VMware NSX-T Data Center
Cause
In NSX-T 3.2.x the enforcement point has changed from:
This results in 2 GPRRs (Generic Policy Realized Resource) created for the same group on policy.
Note, the intent path has not changed and will not cause realization failure on dataplane or control plane.
infra/realized-state/enforcement-points/default/groups/nsgroups/identity/
To:
/infra/realized-state/enforcement-points/default/groups/nsgroups/
Notice the new path no longer contains the keyword 'identity'.This results in 2 GPRRs (Generic Policy Realized Resource) created for the same group on policy.
Note, the intent path has not changed and will not cause realization failure on dataplane or control plane.
Resolution
This issue is resolved in NSX-T 3.2.2.
Workaround:
You need to create new a NSGroup(s), with a different name and use them in IDFW rules.
Feedback
Yes
No
Powered by
