After creating Distributed Firewall Rules in NSX-T Manager UI, the rules are not visible

Article ID: 322522

Products

VMware vDefend Firewall

Issue/Introduction

  • After a DFW Section/Rule is successfully created in the Manager view of the NSX UI, the Section/Rule is no longer visible once the UI refreshes.
  • The same behavior is observed after a DFW Section/Rule is successfully created through the API client.
  • In the NSX-T Data Center Manager log file /var/log/proton/nsxapi.log, the following messages can be seen:
2023-07-31T12:35:09.309Z ERROR FIREWALL_UFO_PRIORITY_PROCESSOR-0 AbstractConfiguration 4838 SERVICE [nsx@6876 comp="nsx-manager" errorCode="MP0" level="ERROR" subcomp="manager"] AnchorId ########-####-####-cc72-c88bf3cac389 does not exists in config FirewallConfiguration/########-####-####-b378-0242ac131112

2023-07-31T12:35:09.309Z INFO FIREWALL_UFO_PRIORITY_PROCESSOR-0 AbstractPersistedQueueProcessor 4838 SERVICE [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Exception occurred while processing 29 operation(s) for configId : FirewallConfiguration/########-####-####-b378-0242ac131112, exception : com.vmware.nsx.management.security.base.exceptions.SecurityException: Invalid section id found : ########-####-####-cc72-c88bf3cac389
at com.vmware.nsx.management.security.base.model.AbstractConfiguration.addSectionId(AbstractConfiguration.java:150)

Environment

VMware NSX-T Data Center 3.x
VMware NSX 4.x

Cause

The newly created DFW Section/Rule is in a pending state and is not displayed in the NSX UI because of the pending operations shown in the log lines above.
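
To confirm that a manager is showing this signature before any queue entries are removed, the following added example (not VMware's code and not part of the original article) summarises the two log messages quoted above per configuration and section ID. The function names `dfw_stuck_summary` and `sample_log` are hypothetical, and the sample input is constructed from the masked lines in this article plus one unrelated line.

```shell
#!/bin/sh
# Added example: summarise the stuck DFW priority-queue signatures in nsxapi.log.
# Output, one line per configuration/section pair:
#   <configId> <sectionId> anchor_errors=<n> blocked_ops=<last count logged>
# Usage on a manager: dfw_stuck_summary /var/log/proton/nsxapi.log
dfw_stuck_summary() {
    awk '
        # ERROR: "AnchorId <id> does not exists in config <configId>"
        / AnchorId .* does not exists in config / {
            for (i = 1; i < NF; i++) {
                if ($i == "AnchorId") sec = $(i + 1)
                if ($i == "config")   cfg = $(i + 1)
            }
            key = cfg " " sec; anchor[key]++; keys[key] = 1
        }
        # INFO: "processing <n> operation(s) for configId : <configId>, ...
        #        Invalid section id found : <id>"
        / Invalid section id found / {
            ops = "?"
            for (i = 1; i < NF; i++) {
                if ($i == "processing") ops = $(i + 1)
                if ($i == "configId") { cfg = $(i + 2); sub(/,$/, "", cfg) }
            }
            key = cfg " " $NF; blocked[key] = ops; keys[key] = 1
        }
        END {
            for (k in keys) {
                b = "?"
                if (k in blocked) b = blocked[k]
                printf "%s anchor_errors=%d blocked_ops=%s\n", k, anchor[k], b
            }
        }
    ' "${1:--}" | sort    # no argument: read the log from standard input
}

# Constructed sample: the two masked lines from this article and one
# unrelated line that must be ignored.
sample_log() {
    cat <<'EOF'
2023-07-31T12:35:09.309Z ERROR FIREWALL_UFO_PRIORITY_PROCESSOR-0 AbstractConfiguration 4838 SERVICE [nsx@6876 comp="nsx-manager" errorCode="MP0" level="ERROR" subcomp="manager"] AnchorId ########-####-####-cc72-c88bf3cac389 does not exists in config FirewallConfiguration/########-####-####-b378-0242ac131112
2023-07-31T12:35:09.309Z INFO FIREWALL_UFO_PRIORITY_PROCESSOR-0 AbstractPersistedQueueProcessor 4838 SERVICE [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Exception occurred while processing 29 operation(s) for configId : FirewallConfiguration/########-####-####-b378-0242ac131112, exception : com.vmware.nsx.management.security.base.exceptions.SecurityException: Invalid section id found : ########-####-####-cc72-c88bf3cac389
2023-07-31T12:35:10.000Z INFO constructed-thread ConstructedComponent 4838 SERVICE [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] constructed unrelated line
EOF
}

sample_log | dfw_stuck_summary
```

A non-empty result means the priority processor is still rejecting the listed section ID for that configuration; an empty result means neither message is present in the log that was scanned.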

Resolution

This is a condition that may occur in a VMware NSX environment.

Workaround:

  • To work around this issue, first identify which task is causing the pending-operations error by running the command below from the NSX Manager root shell.
This command returns all the priority tasks that are pending in AbstractPersistedQueueProcessor.

curl -k -i -H 'X-Nsx-Username: admin' -H 'X-Nsx-Roles: enterprise_admin' -H 'Content-Type: application/json' -X GET 'http://127.0.0.1:7440/nsxapi/api/v1/firewall/troubleshoot/priorities/tasks?config_type=l3_dfw'
  • Then eliminate the pending task so that the remaining tasks are processed by the manager and displayed in the NSX UI. Run the command below to delete the pending priority task obtained in the previous step:
curl -k -i -H 'X-Nsx-Username: admin' -H 'X-Nsx-Roles: enterprise_admin' -H 'Content-Type: application/json' -X POST 'http://127.0.0.1:7440/nsxapi/api/v1/firewall/troubleshoot/priorities/tasks?action=remove' -d "{\"task_id\" : \"{TASKID}\"}"