NSX-T IDFW rule enforcement stops
Article ID: 322471

Updated On:

Products

VMware vDefend Firewall

Issue/Introduction

  • You are using NSX-T IDFW (Identity Firewall) with event log scraping enabled.
  • This was working until recently.
  • When an AD (Active Directory) user logs in, the identity-based firewall rules are no longer enforced for that user.
  • Log entries in /var/log/proton/nsxapi.log:

    2022-11-10T19:34:37.320Z ERROR EventLogWatcher-173 EventLogScraper 9368 FIREWALL [nsx@6876 comp="nsx-manager" errorCode="MP39006" level="ERROR" subcomp="manager"] Error handling login/ logout events of event log scraper for (EventLogServer//infra/firewall-identity-stores/39cb6196-0d56-####-####-########ff6/event-log-servers/08c653cd-c359-####-####-########d41: EXAMPLE, example.net)
     com.google.common.util.concurrent.UncheckedExecutionException: java.lang.RuntimeException: Error fetching parent groups for user: CN=nsxmgr,OU=IT Admin
    ...
    Caused by: javax.naming.CommunicationException: Connection reset
    ...
    Caused by: javax.net.ssl.SSLException: Connection reset
    ...
    Suppressed: java.net.SocketException: Broken pipe (Write failed)
    ...
    Caused by: java.net.SocketException: Connection reset

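The log excerpt above has a fixed shape (a syslog-style header with `nsx@6876` structured data, followed by a Java exception chain), which makes it easy to watch for. The following parser is an added example, not code from the KB or from NSX itself: it reads nsxapi.log records, pulls out the `errorCode`, the identity store and event-log-server ids from the message, and the `Caused by:` chain, and flags MP39006 scraper errors whose root cause is a reset or broken connection to the AD server. The sample input is the article's own excerpt (UUIDs masked as in the KB), embedded inline so the code runs offline; the `nsx@6876` header layout is assumed from that excerpt only.

```python
import re
from typing import Dict, List

# Constructed sample: the nsxapi.log excerpt from this article (UUIDs masked as in the KB).
SAMPLE_LOG = """\
2022-11-10T19:34:37.320Z ERROR EventLogWatcher-173 EventLogScraper 9368 FIREWALL [nsx@6876 comp="nsx-manager" errorCode="MP39006" level="ERROR" subcomp="manager"] Error handling login/ logout events of event log scraper for (EventLogServer//infra/firewall-identity-stores/39cb6196-0d56-####-####-########ff6/event-log-servers/08c653cd-c359-####-####-########d41: EXAMPLE, example.net)
com.google.common.util.concurrent.UncheckedExecutionException: java.lang.RuntimeException: Error fetching parent groups for user: CN=nsxmgr,OU=IT Admin
Caused by: javax.naming.CommunicationException: Connection reset
Caused by: javax.net.ssl.SSLException: Connection reset
Suppressed: java.net.SocketException: Broken pipe (Write failed)
Caused by: java.net.SocketException: Connection reset
"""

# Record header as seen in the excerpt: ts level thread component pid facility [nsx@6876 k="v" ...] message
HEADER_RE = re.compile(
    r'^(?P<ts>\S+) (?P<level>[A-Z]+) (?P<thread>\S+) (?P<component>\S+) (?P<pid>\d+) '
    r'(?P<facility>\S+) \[nsx@6876 (?P<sd>[^\]]*)\] (?P<msg>.*)$'
)
SD_RE = re.compile(r'(\w+)="([^"]*)"')                      # structured-data key="value" pairs
STORE_RE = re.compile(r'/firewall-identity-stores/(?P<store>[^/]+)/event-log-servers/(?P<server>[^:\s]+)')
EXC_RE = re.compile(r'^(?P<cls>[\w.$]+Exception): (?P<text>.*)$')   # top-level Java exception line
CAUSE_RE = re.compile(r'^Caused by: (?P<cls>\S+): (?P<text>.*)$')   # one link of the cause chain
USER_RE = re.compile(r'for user: (?P<user>.*)$')


def parse_events(text: str) -> List[Dict]:
    """Group nsxapi.log lines into records: header fields plus the exception chain that follows."""
    events: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            ev = m.groupdict()
            ev.update(SD_RE.findall(ev.pop('sd')))
            sm = STORE_RE.search(ev['msg'])
            ev['identity_store'] = sm.group('store') if sm else None
            ev['event_log_server'] = sm.group('server') if sm else None
            ev['exception'] = None
            ev['user'] = None
            ev['causes'] = []
            events.append(ev)
            continue
        if not events:
            continue                      # continuation line with no preceding header
        cm = CAUSE_RE.match(line)
        if cm:
            events[-1]['causes'].append((cm.group('cls'), cm.group('text')))
            continue
        em = EXC_RE.match(line)
        if em:
            events[-1]['exception'] = em.group('cls')
            um = USER_RE.search(em.group('text'))
            events[-1]['user'] = um.group('user') if um else None
    return events


def find_scraper_connection_resets(text: str) -> List[Dict]:
    """Return MP39006 scraper errors whose innermost cause is a reset/broken AD connection."""
    hits = []
    for ev in parse_events(text):
        if ev.get('errorCode') != 'MP39006' or not ev['causes']:
            continue
        root = ev['causes'][-1]           # innermost 'Caused by' is the root cause
        if 'Connection reset' in root[1] or 'Broken pipe' in root[1]:
            hits.append({'ts': ev['ts'], 'user': ev['user'],
                         'identity_store': ev['identity_store'],
                         'event_log_server': ev['event_log_server'],
                         'root_cause': root})
    return hits


if __name__ == '__main__':
    for hit in find_scraper_connection_resets(SAMPLE_LOG):
        print(hit)
```

Pointing this at a real nsxapi.log (for example from a support bundle) gives one hit per failed scrape cycle with the identity store and event-log server involved, which is enough to correlate with the user logins that were not enforced and to confirm the symptom before applying the fix or workaround.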
Environment

VMware vDefend Firewall

Cause

The connection to the AD server was reset while NSX-T was fetching the logged-in user's parent groups.
The 'ldapContext' is cached, and when the connection is broken the stale cached context is not discarded, so later group lookups keep failing instead of reconnecting.
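The failure mode described in the Cause is a generic one: a cached connection handle outlives the connection it wraps. The following is an added illustration, not NSX code, using a constructed in-memory stand-in for the AD server and for the cached 'ldapContext' (all class names here are hypothetical). `BuggyGroupLookup` caches the context forever, so after the server resets the connection every group lookup fails, which is what leaves IDFW rules unenforced; `FixedGroupLookup` discards the cached context on a communication error and retries once on a fresh connection.

```python
from typing import Dict, List, Optional, Set


class ConnectionReset(Exception):
    """Stand-in for javax.naming.CommunicationException('Connection reset')."""


class FakeLdapServer:
    """Constructed AD/LDAP stand-in: hands out connections and can reset all of them."""

    def __init__(self, groups: Dict[str, List[str]]):
        self.groups = groups
        self.connections_opened = 0
        self.live: Set[int] = set()

    def connect(self) -> "FakeLdapContext":
        self.connections_opened += 1
        self.live.add(self.connections_opened)
        return FakeLdapContext(self, self.connections_opened)

    def reset_all(self) -> None:
        """Server-side reset (idle timeout, DC restart, TLS teardown): every open connection dies."""
        self.live.clear()


class FakeLdapContext:
    """Hypothetical stand-in for the cached 'ldapContext': valid only while its connection is live."""

    def __init__(self, server: FakeLdapServer, cid: int):
        self.server, self.id = server, cid

    def parent_groups(self, user: str) -> List[str]:
        if self.id not in self.server.live:
            raise ConnectionReset("Connection reset")
        return list(self.server.groups.get(user, []))


class BuggyGroupLookup:
    """Caches the context and never invalidates it: one reset and every later lookup fails."""

    def __init__(self, server: FakeLdapServer):
        self.server = server
        self._ctx: Optional[FakeLdapContext] = None

    def parent_groups(self, user: str) -> List[str]:
        if self._ctx is None:
            self._ctx = self.server.connect()
        return self._ctx.parent_groups(user)


class FixedGroupLookup:
    """Drops the cached context on a communication error and retries on a fresh connection."""

    def __init__(self, server: FakeLdapServer, retries: int = 1):
        self.server, self.retries = server, retries
        self._ctx: Optional[FakeLdapContext] = None

    def parent_groups(self, user: str) -> List[str]:
        for attempt in range(self.retries + 1):
            if self._ctx is None:
                self._ctx = self.server.connect()
            try:
                return self._ctx.parent_groups(user)
            except ConnectionReset:
                self._ctx = None          # invalidate the stale cache entry, do not reuse it
                if attempt == self.retries:
                    raise
        raise AssertionError("unreachable")


def demo() -> Dict:
    """Run both lookups through a connection reset and report what each one returns."""
    user = "CN=nsxmgr,OU=IT Admin"                                   # constructed sample user
    server = FakeLdapServer({user: ["CN=NSX Admins", "CN=Domain Users"]})
    buggy, fixed = BuggyGroupLookup(server), FixedGroupLookup(server)
    before = (buggy.parent_groups(user), fixed.parent_groups(user))
    server.reset_all()                                               # AD side drops the sockets
    buggy_failures = 0
    for _ in range(2):                                               # buggy never recovers
        try:
            buggy.parent_groups(user)
        except ConnectionReset:
            buggy_failures += 1
    return {
        "before": before,
        "buggy_failures_after_reset": buggy_failures,
        "fixed_after_reset": fixed.parent_groups(user),
        "connections_opened": server.connections_opened,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the cache key (the context) must be invalidated on the same error path that surfaces the broken socket; a reconnect that happens only on manager restart is exactly why rebooting the managers works as the workaround below.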

Resolution

This issue is resolved in VMware NSX 3.2.3 and 4.1, available at Broadcom downloads.

If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.


Workaround:
1. Reboot the NSX-T managers one by one.
2. Before rebooting a manager, make sure the cluster is up and healthy. As admin on the NSX-T manager CLI, run:
   get cluster status
   and ensure all services are up.
3. Then proceed and reboot the next manager.