NSX-T Virtual Interface remains as effective group member after unselecting it
book
Article ID: 322579
calendar_today
Updated On:
Products
VMware NSX Networking
Issue/Introduction
Symptoms:
You have NSX-T 3.1.2 deployed.
When unselecting the VIF (Virtual Interface) from the group and it keeps as an effective member of the group.
Steps to reproduce:
Unselecting the VIF: NSX UI > Inventory > Groups > Click on ellipsis for the group > Edit > Members > Members tab > Unselect the VIF.
Apply and Save the group modifications.
When selecting the "View Members" on the group edited above, it shows the unselected VIF is still a member of the group:
If you then edit the group again, it shows the VIF as unselected.
You can use the following NSX-T REST API to get all the groups, then identify the group in question:
GET /api/v1/ns-groups
Then use the following API with the group ID found above to check it:
GET /api/v1/ns-groups/<group-id>
Note: The REST API shows the VIF we attempted to remove as still part of the group.
Environment
VMware NSX-T Data Center 3.x VMware NSX-T Data Center
Cause
The issue occurs when the realization of the group was not happening correctly, the VIF was removed from policy, but not from manager.
Resolution
The issue is resolved in NSX-T 3.1.3 available at VMware Downloads.
Workaround: You can workaround this issue by using "Segment Ports" or "Virtual Machines" categories as group members instead of VIFs.
Additional Information
Impact/Risks: The unselected VIF will continue as an effective member of the group and therefore it will get the policies/rules applied for that group.