NSX Security Groups or Security Policy page reports the status "In Progress" for extended period of time
search cancel

NSX Security Groups or Security Policy page reports the status "In Progress" for extended period of time

book

Article ID: 321349

calendar_today

Updated On:

Products

VMware NSX for vSphere

Issue/Introduction

Symptoms:
  • After deleting an Active Directory Group, if that Active Directory group was part of a NSX Security Group or Security Policy for firewall rules, the Security Policies page may show a constant status of "In Progress."

  • In addition, firewall rules based on Security Groups may no longer function or firewall rule changes may no longer be published.


Environment

VMware NSX for vSphere 6.4.x
VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.3.x

Cause

This issue occurs when an Active Directory group that is used to dynamically populate an NSX Security Group is deleted without the Security Group being modified, NSX may get into a situation where the firewall rules are not published and therefore no longer provide the protections and access intended.

To verify if a Security Group is still pointing to an AD group that no longer exists:
  1. Connect to the NSX Manager through SSH and log in with admin credentials.
  2. Type "en" and re-enter the admin password when prompted.
  3. Type "st en" and follow the prompts, entering the Engineering Mode password. For more information, see Tech Support Access in NSX for vSphere 6.x (2149630).
  4. Type "psql -U secureall" and press Enter.
  5. At the psql prompt type the below query.  All on a single line, ensure the semi-colon is at the end:

    select dtype, objectid, name, objecttype, source_id, source_type, target_id, target_type, relationship from domain_object join domain_object_relationships on domain_object_relationships.source_id = domain_object.objectid where domain_object.dtype = 'SecurityGroup' and domain_object_relationships.target_type = 'DirectoryGroup' and target_id in (select objectid from domain_object where objectid not in (select objectid from ai_group_do) and domain_object.dtype = 'DirectoryGroup');

    You will retrieve results similar to:

         dtype     |     objectid     |       name       |  objecttype   |    source_id     |  source_type  |      target_id      |  target_type   |           relationship
    ---------------+------------------+------------------+---------------+------------------+---------------+---------------------+----------------+-------------------------
     SecurityGroup | securitygroup-39 | SecurityGroup_Name | SecurityGroup | securitygroup-39 | SecurityGroup | directory_group-360 | DirectoryGroup | securitygroup_membership_include

    Note: These results are a list of all NSX Security Groups associated with Active Directory groups that no longer exist. Record all items in the column: target_id. You will use this information in the next query.

Resolution

To resolve this issue:
  1. Backup the NSX Manager information. For more information, see the Back Up NSX Manager Data section of the NSX Upgrade Guide.
  2. With the information gathered in Step 5 above, create the below query. If you have more than one target_id, you will have to run this command once for each target_id found in Step 5:

    delete from domain_object where objectid = '<target_id>';

    For example:

    delete from domain_object where objectid = 'directory_group-360';
     
  3. Restart the NSX Manager.


Powered by Wolken Software