DFW rules are not matched as expected when nested Groups are used

Article ID: 319125

Products

VMware vDefend Firewall

Issue/Introduction

  • NSX 3.2.x or 4.x
  • DFW rules use Groups which have another Group as a member (nested Group membership) or the Group itself is a member of another Group
  • The DFW rule is not matched as expected

Environment

VMware NSX-T Data Center
VMware NSX

Cause

Due to a race condition in the Controller, the Group IP membership realized at the ESX dataplane is incomplete on some hosts. This results in traffic not matching the corresponding DFW rules as expected.

Resolution

This issue is resolved in VMware NSX 3.2.3.1
This issue is resolved in VMware NSX 3.2.4
This issue is resolved in VMware NSX 4.1.1
This issue is resolved in VMware NSX 4.2.0

Workaround:
There are two possible workaround options:

Option 1
To resolve the issue, restart the affected NSX Controller service. Note that the issue may recur at a later time.

  1. On the ESXi host experiencing the problem, identify the Controller it connects to.

     From the root shell, run:
     nsxcli -c get controllers

     For example:
     > nsxcli -c get controllers
     Controller IP    Port     SSL         Status       Is Physical Master   Session State  Controller FQDN
     X.X.X.X          1235     enabled     connected    true                 up             NA
     Y.Y.Y.Y          1235     enabled     not used     false                null           NA
     Z.Z.Z.Z          1235     enabled     not used     false                null           NA

     The Controller to restart is the one whose Status is "connected" (X.X.X.X in this example).


  2. SSH to the Controller identified in step 1 as admin and restart the controller service with the CLI command

     > restart service controller

  3. Run get cluster status and confirm that CONTROLLER is reported as STABLE with all 3 nodes UP.
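The following is an added example, not part of the KB article: a small POSIX sh check that picks the Controller an ESXi host is currently connected to out of the `nsxcli -c get controllers` output shown in step 1, and refuses to proceed if the host reports no connected Controller or more than one. The sample output and its IP addresses are constructed placeholders; on a live host, feed the function the real command output.

```shell
#!/bin/sh
# Added example (not VMware's code). Parses the table printed by
# `nsxcli -c get controllers` to find the Controller whose Status is
# "connected", i.e. the one to restart under Option 1 of the workaround.

# Constructed sample mirroring the KB's table; IPs are placeholders.
SAMPLE_OUTPUT='Controller IP    Port     SSL         Status       Is Physical Master   Session State  Controller FQDN
10.0.0.1          1235     enabled     connected    true                 up             NA
10.0.0.2          1235     enabled     not used     false                null           NA
10.0.0.3          1235     enabled     not used     false                null           NA'

# Print the IP (column 1) of every row whose Status (column 4) is
# "connected". The header row is skipped. "not used" splits into two
# fields, so those rows never match.
connected_controllers() {
    printf '%s\n' "$1" | awk 'NR > 1 && $4 == "connected" { print $1 }'
}

# Count the connected rows without relying on grep's exit status, so the
# function behaves the same under `set -e`.
count_connected() {
    printf '%s\n' "$1" | awk 'NR > 1 && $4 == "connected" { n++ } END { print n + 0 }'
}

# Print the single connected Controller IP and return 0. Return 1 when the
# host shows zero or several connected Controllers: either case means the
# host's control-plane session is not in the state the KB assumes, and
# should be looked at before any service is restarted.
check_controller_session() {
    count=$(count_connected "$1")
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one connected controller, found $count" >&2
        return 1
    fi
    connected_controllers "$1"
}

# On a live ESXi host, replace the sample with the real output:
#   check_controller_session "$(nsxcli -c get controllers)"
check_controller_session "$SAMPLE_OUTPUT"
```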



Option 2
To prevent the issue from recurring, re-configure the DFW rules so that they do not use nested Groups, if possible.
After the configuration change, restart the Controller service on all 3 Managers as the admin user:

     > restart service controller

If removing nested configuration is not possible, please open a Support Request with VMware to discuss other options.