Symptoms:

Error: Failed to finish host migration [Reason: SecurityGroup failed with '400: The total of IPAdressExpressions, MACAddressExpressions, paths in a pathExpression and external IDs in ExternalIDExpression should not exceed 500. for url: http://localhost:6440/policy/api/v1/infra/domains/default/groups/L2_IPfix_Group

• finalize-infra call failed on the setup as part of the post migration tasks.

Error from /var/log/migration-coordinator/migration-coordinator.log:
 
2021-04-17T13:12:18.553Z  INFO task-executor-0 UpgradeServiceImpl - SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="upgrade-coordinator"] Triggering POST Upgrade for component HOST ...
2021-04-17T13:12:18.553Z  INFO task-executor-0 PluginManager - SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="upgrade-coordinator"] Invoking post upgrade for component HOST
2021-04-17T13:12:18.553Z  INFO task-executor-0 InfrastructurePlugin - SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="migration-coordinator"] Invoking command [/usr/bin/python3, main.py, -c, /var/log/migration-coordinator/v2t/config.json, -s, finalize-infra, runtime]
2021-04-17T13:13:42.170Z  INFO task-executor-0 InfrastructurePlugin - SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="migration-coordinator"] Result: 1
2021-04-17T13:13:42.171Z ERROR task-executor-0 UpgradeServiceImpl - SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP30042" level="ERROR" subcomp="upgrade-coordinator"] Error during post upgrade: null
com.vmware.nsx.management.upgrade.exceptions.UpgradeUnitUpgradeException: null
 at com.vmware.nsx.management.upgrade.plugin.infrastructure.InfrastructurePlugin.postUpgrade(InfrastructurePlugin.java:1968) ~[libmc-plugins.jar:?]
 at com.vmware.nsx.management.upgrade.pluginframework.PluginManager.triggerPostUpgrade(PluginManager.java:106) ~[libuc-core.jar:?]
 at com.vmware.nsx.management.upgrade.service.impl.UpgradeServiceImpl.executePostUpgradeActions(UpgradeServiceImpl.java:1335) ~[libuc-core.jar:?]
 at com.vmware.nsx.management.upgrade.executionengine.ExecutionMonitorServiceImpl.onComponentComplete(ExecutionMonitorServiceImpl.java:156) ~[libuc-core.jar:?]
 at com.vmware.nsx.management.upgrade.executionengine.GroupWorkItem.done(GroupWorkItem.java:96) ~[libuc-core.jar:?]
 at com.vmware.nsx.management.common.executor.TaskExecutorImpl$TaskWrapper.done(TaskExecutorImpl.java:250) ~[libmp_common.jar:?]
 at java.util.concurrent.FutureTask.finishCompletion(FutureTask.java:384) ~[?:1.8.0_251]
 at java.util.concurrent.FutureTask.set(FutureTask.java:233) ~[?:1.8.0_251]
 at java.util.concurrent.FutureTask.run(FutureTask.java:274) ~[?:1.8.0_251]
 at com.vmware.nsx.management.common.executor.TaskExecutorImpl$TaskWrapper.run(TaskExecutorImpl.java:271) ~[libmp_common.jar:?]
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[?:1.8.0_251]
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[?:1.8.0_251]
 at java.lang.Thread.run(Thread.java:748) [?:1.8.0_251]
 
Error from post_infra.log:
 
Starting config validation
Configuration validated successfully
[nsxv-manager] Please provide password for username admin: [vc] Please provide password for username [email protected]:
STATUS: error
 
ERRORS:
{'category': 'Unexpected error', 'error': "SecurityGroup failed with '400: The total of IPAdressExpressions, MACAddressExpressions, paths in a PathExpression and external IDs in ExternalIDExpression should not exceed 500. for url: http://localhost:6440/policy/api/v1/infra/domains/default/groups/L2_Ipfix_Group_1'"}
Traceback (most recent call last):
  File "main.py", line 158, in <module>
    main(sys.argv)
  File "main.py", line 138, in main
    opts.runtime_object_id)
  File "/opt/vmware/migration-coordinator-tomcat/bin/v2t/config-migrator/engine/xlate_engine.py", line 29, in wrapper
    return function(*args, **kwargs)
  File "/opt/vmware/migration-coordinator-tomcat/bin/v2t/config-migrator/engine/xlate_engine.py", line 801, in runtime
    object_type=object_type, object_id=object_id)
  File "/opt/vmware/migration-coordinator-tomcat/bin/v2t/config-migrator/engine/xlate_engine.py", line 268, in _finalize_stage
    raise exception
  File "/opt/vmware/migration-coordinator-tomcat/bin/v2t/config-migrator/engine/xlate_engine.py", line 772, in runtime
    status = plugin.runtime(stage, object_type, object_id)
  File "/opt/vmware/migration-coordinator-tomcat/bin/v2t/config-migrator/plugins/securitygroup_plugin.py", line 683, in runtime
    policy_group_mappings, discovered_vms, discovered_vifs)
  File "/opt/vmware/migration-coordinator-tomcat/bin/v2t/config-migrator/plugins/securitygroup/sg_utils.py", line 967, in update_group_memberships
    updated_group = get_and_update_group(url, vms_to_be_added, vifs_to_be_added)
  File "/usr/lib/python3/dist-packages/tenacity/__init__.py", line 214, in wrapped_f
    return self.call(f, *args, **kw)
  File "/usr/lib/python3/dist-packages/tenacity/__init__.py", line 295, in call
    start_time=start_time)
  File "/usr/lib/python3/dist-packages/tenacity/__init__.py", line 265, in iter
    raise RetryError(fut).reraise()
  File "/usr/lib/python3/dist-packages/tenacity/__init__.py", line 344, in reraise
    raise self.last_attempt.result()
  File "/usr/lib/python3.6/concurrent/futures/_base.py", line 425, in result
    return self.__get_result()
  File "/usr/lib/python3.6/concurrent/futures/_base.py", line 384, in __get_result
    raise self._exception
  File "/usr/lib/python3/dist-packages/tenacity/__init__.py", line 298, in call
    result = fn(*args, **kwargs)
  File "/opt/vmware/migration-coordinator-tomcat/bin/v2t/config-migrator/plugins/securitygroup/sg_utils.py", line 893, in get_and_update_group
    response = t_utils.NsxPolicyUtils().put(url, group)
  File "/opt/vmware/migration-coordinator-tomcat/bin/v2t/config-migrator/clients/t_utils.py", line 43, in put
    return api_client.put(url, body)
  File "/opt/vmware/migration-coordinator-tomcat/bin/v2t/config-migrator/clients/base_client.py", line 272, in put
    params=params, headers=non_session_headers)
  File "/opt/vmware/migration-coordinator-tomcat/bin/v2t/config-migrator/clients/base_client.py", line 246, in _rest_call
    raise DetailedHttpError(response)
clients.base_client.DetailedHttpError: 400: The total of IPAdressExpressions, MACAddressExpressions, paths in a PathExpression and external IDs in ExternalIDExpression should not exceed 500. for url: http://localhost:6440/policy/api/v1/infra/domains/default/groups/L2_Ipfix_Group_1
 

NSX-T Security Groups cannot have more than 500 static members

Issue is resolved in NSX-T 3.2.1

Workaround:

• To work around this issue, contact Broadcom Support and note this Article ID (319082) in the problem description.