Deleting DFW rule(s) from the NSX-T Manager does not take effect on host
search cancel

Deleting DFW rule(s) from the NSX-T Manager does not take effect on host

book

Article ID: 322599

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

Symptoms:
  • Deleting a DFW rule in the NSX-T manager UI works and is processed.
  • On the ESXi host, we can still see the rule using 'summarize-dvfilter' and 'vsipioctl'.
  • The delete operation was not passed down to the transport node (ESXi host).
  • The deleted DFW rule will still be enforced on the transport node and can be seen in the log 'dfwpktlogs.log'.
  • The rule has been removed on the NSX-T manager and can be verified using the following API calls:
GET /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/rules
GET /api/v1/firewall/rules/


Environment

VMware NSX-T Data Center 3.x
VMware NSX-T Data Center

Cause

This issue occurs due to an incorrect internal process which prevents the CCP (Central Control Plane) from pushing down the changes to the transport node.

Resolution

This issue is resolved in NSX-T Data Center 3.2.2.

Workaround:
  1. Disable rule before deletion.
  2. Reboot all NSX Manager nodes one after the other.
    1. Before rebooting the first NSX-T manager and after each manger has been rebooted, use the admin cli 'get cluster status' to make sure the cluster is healthy before rebooting the next NSX-T manager.