NSX-T IDFW rule enforcement stops
search cancel

NSX-T IDFW rule enforcement stops

book

Article ID: 322471

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

Symptoms:

  • You are using NSX-T IDFW (Identity Firewall) and have log scrapping enabled.
  • This was working until recently.
  • When the AD (Active Directory) user logs in, the firewall rules are not enforced anymore.
  • Log entries: /var/log/proton/nsxapi.log:
2022-11-10T19:34:37.320Z ERROR EventLogWatcher-173 EventLogScraper 9368 FIREWALL [nsx@6876 comp="nsx-manager" errorCode="MP39006" level="ERROR" subcomp="manager"] Error handling login/ logout events of event log scraper for (EventLogServer//infra/firewall-identity-stores/39cb6196-0d56-####-####-########ff6/event-log-servers/08c653cd-c359-####-####-########d41: CORP, corp.local)
 com.google.common.util.concurrent.UncheckedExecutionException: java.lang.RuntimeException: Error fetching parent groups for user: CN=nsxmgr,OU=IT Admin
...
Caused by: javax.naming.CommunicationException: Connection reset
...
Caused by: javax.net.ssl.SSLException: Connection reset
...
Suppressed: java.net.SocketException: Broken pipe (Write failed)
...
Caused by: java.net.SocketException: Connection reset



Environment

VMware NSX-T Data Center

Cause

The connection to the AD server was reset when NSX-T tried to get the login user's parent groups.
The 'ldapContext' is cached, when the connection is broken, the old information is not discarded.

Resolution

This is a known issue impacting NSX-T Data Center.

Workaround:
Reboot the NSX-T managers one by one.
Before rebooting a manager, make sure the cluster is up and healthy, as admin on the NSX-T manager cli, run:
get cluster status -> ensure all services are up
Then proceed and reboot the next manager.