NSX-T IDFW rule enforcement stops



Article ID: 322471


Updated On:


VMware NSX Networking


  • You are using NSX-T IDFW (Identity Firewall) with Active Directory event log scraping enabled.
  • This was working until recently.
  • When an AD (Active Directory) user logs in, the identity-based firewall rules are no longer enforced for that user.
  • Log entries: /var/log/proton/nsxapi.log:
2022-11-10T19:34:37.320Z ERROR EventLogWatcher-173 EventLogScraper 9368 FIREWALL [nsx@6876 comp="nsx-manager" errorCode="MP39006" level="ERROR" subcomp="manager"] Error handling login/ logout events of event log scraper for (EventLogServer//infra/firewall-identity-stores/39cb6196-0d56-4675-9a6a-8120f6f24ff6/event-log-servers/08c653cd-c359-4586-b044-1e6620573d41: CORP, corp.local)
 com.google.common.util.concurrent.UncheckedExecutionException: java.lang.RuntimeException: Error fetching parent groups for user: CN=nsxmgr,OU=IT Admin
Caused by: javax.naming.CommunicationException: Connection reset
Caused by: javax.net.ssl.SSLException: Connection reset
Suppressed: java.net.SocketException: Broken pipe (Write failed)
Caused by: java.net.SocketException: Connection reset
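The signature above can be watched for automatically. The following Python script is an added example written for this article (it is not VMware code): it parses nsxapi.log lines, picks out event log scraper failures with errorCode MP39006, and extracts the identity store, event log server, domain, user DN and whether the underlying cause was a connection reset, so an operator can spot a recurrence and know which identity store is affected. The sample log text is constructed from the entry quoted in this article; the surrounding INFO/WARN lines, the filter names and the SAMPLE_LOG, parse_failures and affected_identity_stores names are illustrative assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample of /var/log/proton/nsxapi.log, modelled on the entry quoted
# in this article. The INFO/WARN lines are made up to show the filter skipping them.
SAMPLE_LOG = """\
2022-11-10T19:30:01.001Z INFO EventLogWatcher-173 EventLogScraper 9368 FIREWALL [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Processed login event for CORP\\jdoe
2022-11-10T19:34:37.320Z ERROR EventLogWatcher-173 EventLogScraper 9368 FIREWALL [nsx@6876 comp="nsx-manager" errorCode="MP39006" level="ERROR" subcomp="manager"] Error handling login/ logout events of event log scraper for (EventLogServer//infra/firewall-identity-stores/39cb6196-0d56-4675-9a6a-8120f6f24ff6/event-log-servers/08c653cd-c359-4586-b044-1e6620573d41: CORP, corp.local)
 com.google.common.util.concurrent.UncheckedExecutionException: java.lang.RuntimeException: Error fetching parent groups for user: CN=nsxmgr,OU=IT Admin
Caused by: javax.naming.CommunicationException: Connection reset
Caused by: javax.net.ssl.SSLException: Connection reset
2022-11-10T19:35:10.500Z WARN OtherThread-1 OtherComponent 1 OTHER [nsx@6876 comp="nsx-manager" level="WARN" subcomp="manager"] unrelated warning
"""

# A new log record starts with an ISO-8601 timestamp; stack-trace lines do not.
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")

# The scraper failure line from the article: errorCode MP39006 plus the
# identity store / event log server path and the "NETBIOS, dns.domain" pair.
SCRAPER_ERROR = re.compile(
    r'^(?P<ts>\S+) ERROR .*errorCode="MP39006".*'
    r"firewall-identity-stores/(?P<store>[0-9a-f-]+)"
    r"/event-log-servers/(?P<els>[0-9a-f-]+): (?P<domain>[^,]+), (?P<dns>[^)]+)\)"
)
PARENT_GROUPS = re.compile(r"Error fetching parent groups for user: (?P<dn>.+)$")


@dataclass
class IdfwScraperFailure:
    timestamp: str
    identity_store: str
    event_log_server: str
    domain: str
    dns_domain: str
    user_dn: Optional[str] = None
    connection_reset: bool = False


def parse_failures(lines: Iterable[str]) -> List[IdfwScraperFailure]:
    """Return one record per MP39006 scraper error, enriched from its stack trace."""
    failures: List[IdfwScraperFailure] = []
    current: Optional[IdfwScraperFailure] = None
    for line in lines:
        if RECORD_START.match(line):
            m = SCRAPER_ERROR.match(line)
            if m:
                current = IdfwScraperFailure(
                    timestamp=m["ts"],
                    identity_store=m["store"],
                    event_log_server=m["els"],
                    domain=m["domain"],
                    dns_domain=m["dns"],
                )
                failures.append(current)
            else:
                current = None  # some other record; stop attaching trace lines
            continue
        if current is None:
            continue
        # Continuation (stack trace) lines belong to the most recent MP39006 record.
        pg = PARENT_GROUPS.search(line)
        if pg:
            current.user_dn = pg["dn"].strip()
        if "Connection reset" in line:
            current.connection_reset = True
    return failures


def affected_identity_stores(failures: List[IdfwScraperFailure]) -> dict:
    """Count failures per identity store so the operator knows which AD link is broken."""
    counts: dict = {}
    for f in failures:
        counts[f.identity_store] = counts.get(f.identity_store, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.timestamp} store={f.identity_store} domain={f.domain} "
              f"user={f.user_dn!r} connection_reset={f.connection_reset}")
    print("affected identity stores:", affected_identity_stores(found))
```

Run it against a copy of /var/log/proton/nsxapi.log (for example, parse_failures(open(path)) on each manager) and treat any record with connection_reset set as the trigger for the cluster check and rolling reboot described later in this article.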


VMware NSX-T Data Center


The connection to the AD server was reset while NSX-T was fetching the logged-in user's parent groups.
The LDAP context ('ldapContext') used for these lookups is cached; when the underlying connection is broken, the stale context is not discarded, so subsequent group lookups keep failing and the user's identity-based rules are not enforced.


This is a known issue impacting NSX-T Data Center.

Workaround: reboot the NSX-T Managers one at a time.
Before rebooting each manager, confirm the cluster is up and healthy. Log in to the NSX-T Manager CLI as admin and run:
get cluster status -> ensure the overall status is healthy and all services are up
Reboot that manager, wait for it to rejoin and for get cluster status to report the cluster healthy again, then proceed with the next manager.