DFW rules are removed after rebooting a host that uses the time based DFW rules
Article ID: 321192

Products

VMware NSX

Issue/Introduction

When the time-based firewall feature is in use on a host and that host is rebooted, you experience these symptoms:

  • All firewall rules configured on the host disappear.
  • After the reboot, the NSX Manager UI displays a realization error similar to:

    NTP not running.



Environment

VMware NSX-T Data Center 3.x
VMware NSX-T Data Center

Cause

For time-based firewall rules to work, the host clock must be in sync with the NTP server. Just after the host restarts, all local daemons, including NTPD, start running, but the NTP daemon may need some time before the host is actually in sync with the NTP server.

If the host had a firewall configuration containing time-based rules before the reboot, that configuration is re-applied after the reboot. If this happens before the host is in sync with the NTP server, realization of the whole firewall configuration fails, and no firewall rules at all are configured on the host.

Resolution

This is a known issue affecting VMware NSX.

To work around this issue, use dynamic updates.
Alternatively, disable the time-based rules in the NSX Manager user interface while the host is not in sync with an NTP server, and enable them again once the host is in sync with the NTP server.
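The workaround above depends on knowing when the rebooted host has actually reached NTP sync, not merely when ntpd has started. The following check is an added example, not part of the KB article or of any NSX tooling: it parses the peer table printed by `ntpq -pn` and treats the host as synced only when ntpd has selected a system peer (the line tagged `*`). The two peer tables embedded in the script are constructed sample output, and the script assumes a POSIX shell and an `ntpq` binary on the host.

```shell
#!/bin/sh
# Added example (not from the KB article): confirm that a host's ntpd has
# selected a system peer before time-based DFW rules are re-enabled.
# Both peer tables below are constructed, not captured from a real host.

# Constructed: ntpq -pn shortly after boot, no peer selected yet (no '*').
NTPQ_NOT_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.0.2.10      .INIT.          16 u    -   64    0    0.000    0.000   0.000
 192.0.2.11      .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Constructed: the same host a few minutes later, 192.0.2.10 selected ('*').
NTPQ_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      203.0.113.5      2 u   37   64  377    0.412   -0.118   0.061
+192.0.2.11      203.0.113.6      2 u   12   64  377    0.530    0.204   0.087'

# ntp_is_synced: read an ntpq -pn table on stdin; succeed (exit 0) only if
# some peer carries the '*' tally code, i.e. ntpd has chosen it as the
# system peer and is disciplining the clock. A '+' candidate or a blank
# tally means the daemon is running but the host is not yet in sync.
ntp_is_synced() {
    grep -q '^\*'
}

# ntp_state: one-word verdict for a peer table passed as an argument.
ntp_state() {
    if printf '%s\n' "$1" | ntp_is_synced; then
        echo synced
    else
        echo not_synced
    fi
}

# wait_for_ntp_sync: poll `ntpq -pn` (or another command) until a system
# peer appears or the attempt budget is exhausted. Example on a host:
#   wait_for_ntp_sync 30 10 && echo "host in sync; re-enable time-based rules"
wait_for_ntp_sync() {
    attempts=${1:-30}
    interval=${2:-10}
    cmd=${3:-"ntpq -pn"}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if $cmd 2>/dev/null | ntp_is_synced; then
            return 0
        fi
        i=$((i + 1))
        sleep "$interval"
    done
    return 1
}

# Stand-alone demonstration against the constructed tables.
echo "just after boot:   $(ntp_state "$NTPQ_NOT_SYNCED")"
echo "a few minutes on:  $(ntp_state "$NTPQ_SYNCED")"
```

Only the `*` tally is accepted on purpose: right after boot, peers usually show `.INIT.` with reach `0`, and even once they answer, ntpd may list them as `+` candidates for several poll intervals before selecting one. Re-enabling the time-based rules before that point reproduces the realization failure described in the Cause section.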