Firewall rule publishing fails after upgrading to NSX-v 6.3.3 with the error: Invalid rule tag


Article ID: 318601


Updated On:

Products

VMware NSX for vSphere

Issue/Introduction

Symptoms:
After upgrading to NSX for vSphere 6.3.3, you experience these symptoms:
  • Publishing a firewall rule fails.
  • You see an error similar to:

    Publishing of rule set has failed. Please see the tech support logs.

    [Error Details: Invalid rule tag : <tag> at index <rule index>, rule type: LAYER3. Rule tags only allowed for rule applied to DFW.]


Environment

VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.2.x

Cause


With NSX Distributed Firewall, it is possible to add a "Tag" value to rules.

The Tag column is not displayed by default on the NSX Firewall page.
In the Flash client, select the "Column" icon at the top of the rule table and check the "Tag" box.

If you are using the new HTML5 client, you can view the tag by clicking the "Advanced Settings" option on the right-hand side of the rule.





If a rule that has a "Tag" value assigned is applied to an Edge Services Gateway (shown in the Applied To column), then after upgrading to NSX for vSphere 6.3.3, publishing rules fails with the error shown above.

Resolution

This is a known issue affecting VMware NSX for vSphere 6.2.x and 6.3.x.

Currently, there is no resolution.

Workaround:
To work around this issue, remove the "Tag" value for any Distributed Firewall rules that are applied to an Edge Services Gateway.
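
To locate the rules the workaround applies to, the following added example (not part of the original article or VMware's tooling) scans an exported firewall configuration for rules that have a non-empty tag and are applied to an Edge. The XML element names, the "Edge" type string, and the sample data are assumptions constructed for illustration; adjust them to match your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample export; element names and the "Edge" type string are
# assumptions, not taken from the article.
SAMPLE_CONFIG = """\
<firewallConfiguration><layer3Sections><section id="1003" name="Perimeter">
  <rule id="1010"><name>web-in</name><tag>ticket-1234</tag>
    <appliedToList><appliedTo><value>edge-1</value><type>Edge</type></appliedTo></appliedToList></rule>
  <rule id="1011"><name>app-to-db</name><tag>ticket-5678</tag>
    <appliedToList><appliedTo><value>DISTRIBUTED_FIREWALL</value><type>DISTRIBUTED_FIREWALL</type></appliedTo></appliedToList></rule>
  <rule id="1012"><name>edge-untagged</name>
    <appliedToList><appliedTo><value>edge-2</value><type>Edge</type></appliedTo></appliedToList></rule>
</section></layer3Sections></firewallConfiguration>
"""


def find_tagged_edge_rules(config_xml, edge_types=("Edge",)):
    """Return rules that carry a non-empty tag and are applied to an Edge."""
    wanted = {t.lower() for t in edge_types}
    hits = []
    for section in ET.fromstring(config_xml).iter("section"):
        for rule in section.findall("rule"):
            tag = (rule.findtext("tag") or "").strip()
            if not tag:
                continue  # untagged rules are not affected
            # Collect only the Applied To entries whose type is an Edge type.
            edges = [
                (a.findtext("value") or "").strip()
                for a in rule.findall("appliedToList/appliedTo")
                if (a.findtext("type") or "").strip().lower() in wanted
            ]
            if edges:
                hits.append({
                    "section": section.get("name"),
                    "rule_id": rule.get("id"),
                    "name": rule.findtext("name"),
                    "tag": tag,
                    "edges": edges,
                })
    return hits


if __name__ == "__main__":
    for hit in find_tagged_edge_rules(SAMPLE_CONFIG):
        print("Remove tag {tag!r} from rule {rule_id} ({name}) in section "
              "{section!r}; applied to {edges}".format(**hit))
```

Running the check before the upgrade lets you clear the listed tags ahead of time rather than after the first failed publish.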