NSX-T Distributed Firewall rules are not applied to cloud VM(s) when using Agentless mode
Article ID: 322630

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • NSX-T Distributed Firewall rules are not applied to cloud VM(s) when using Agentless mode (Cloud Native mode). 
  • One or more DFW rules are configured so that all three of the following criteria are met:
    • The rule's Applied To field is set to "Distributed Firewall".
    • The rule's source or destination uses an NSGroup whose members are only on-prem VMs, or only on-prem VMs plus IP Sets.
    • At least one of the on-prem VMs in that NSGroup has more than one IP address.
  • NSX Public Cloud Gateway logs (syslog.log) display message(s) similar to:
<179>1 2019-11-26T00:20:00.789Z Autoimport-nsx-public-cloud-gateway NSX 1825 CLOUD-SERVICES [nsx@6876 comp="nsx-public-cloud-gateway" errorCode="PCG50826" level="ERROR" subcomp="public-cloud-manager"] Security Service -> Nsx rules processing failed for cloud-network vpc-XXXXXXXX
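The following Python script is an added triage example, not VMware code and not part of this article. It does two things: it scans PCG syslog lines for the PCG50826 "rules processing failed" message and reports the affected VPC ids, and it flags DFW rules that match all three criteria above so they can be retargeted. The rule and group model (VM, NSGroup, DFWRule) is a simplified stand-in for an exported rule set and is an assumption of this example, not the NSX-T API schema; the log lines and rule data are constructed samples.

```python
"""Triage helper for the symptoms in this KB (added example, not VMware code).

The VM/NSGroup/DFWRule classes are a simplified model assumed by this example,
not the NSX-T API schema. Sample log lines and rules are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

RULE_PROCESSING_FAILED = "PCG50826"   # error code quoted in the KB syslog sample

# Matches the RFC 5424 structured-data block and trailing message of a PCG log line.
SYSLOG_RE = re.compile(
    r'\[nsx@6876 [^\]]*?errorCode="(?P<code>[A-Z]+\d+)"[^\]]*\]'
    r'.*?cloud-network (?P<vpc>vpc-\S+)'
)


def find_failed_vpcs(log_lines: Iterable[str]) -> Set[str]:
    """Return the VPC ids for which the PCG reported 'rules processing failed'."""
    failed: Set[str] = set()
    for line in log_lines:
        m = SYSLOG_RE.search(line)
        if m and m.group("code") == RULE_PROCESSING_FAILED:
            failed.add(m.group("vpc"))
    return failed


@dataclass
class VM:
    name: str
    location: str          # "onprem" or "cloud" (assumed labelling)
    ips: List[str]


@dataclass
class NSGroup:
    name: str
    vms: List[VM] = field(default_factory=list)
    ipsets: List[str] = field(default_factory=list)


@dataclass
class DFWRule:
    name: str
    applied_to: List[str]  # ["DFW"] stands for Applied To = "Distributed Firewall"
    sources: List[str]     # NSGroup names, or "ANY"
    destinations: List[str]


def group_triggers_bug(group: NSGroup) -> bool:
    """Criteria 2 and 3: members are only on-prem VMs (IP sets allowed alongside),
    and at least one of those VMs carries more than one IP address."""
    if not group.vms:
        return False                      # IP-set-only or empty group: not the pattern
    if any(vm.location != "onprem" for vm in group.vms):
        return False                      # a cloud VM member takes the group out of scope
    return any(len(vm.ips) > 1 for vm in group.vms)


def affected_rules(rules: Iterable[DFWRule], groups: Dict[str, NSGroup]) -> List[str]:
    """Return the names of rules that match all three KB criteria."""
    hits = []
    for rule in rules:
        if rule.applied_to != ["DFW"]:    # criterion 1: Applied To = Distributed Firewall
            continue
        refs = [g for g in rule.sources + rule.destinations if g in groups]
        if any(group_triggers_bug(groups[g]) for g in refs):
            hits.append(rule.name)
    return hits


# --- constructed sample data (not from a real environment) ---
SAMPLE_LOG = [
    '<179>1 2019-11-26T00:20:00.789Z pcg-1 NSX 1825 CLOUD-SERVICES [nsx@6876 '
    'comp="nsx-public-cloud-gateway" errorCode="PCG50826" level="ERROR" '
    'subcomp="public-cloud-manager"] Security Service -> Nsx rules processing '
    'failed for cloud-network vpc-0a1b2c3d',
    '<181>1 2019-11-26T00:21:00.000Z pcg-1 NSX 1825 CLOUD-SERVICES [nsx@6876 '
    'comp="nsx-public-cloud-gateway" level="INFO" subcomp="public-cloud-manager"] '
    'Security Service -> Nsx rules processed for cloud-network vpc-0a1b2c3d',
]

SAMPLE_GROUPS = {
    "onprem-db": NSGroup("onprem-db", vms=[VM("db01", "onprem", ["10.0.1.5", "10.0.2.5"])]),
    "onprem-web": NSGroup("onprem-web", vms=[VM("web01", "onprem", ["10.0.3.10"])]),
    "mixed": NSGroup("mixed", vms=[VM("db01", "onprem", ["10.0.1.5", "10.0.2.5"]),
                                  VM("app-cloud", "cloud", ["172.16.0.7"])]),
    "cloud-app": NSGroup("cloud-app", vms=[VM("app-cloud", "cloud", ["172.16.0.7"])]),
}

SAMPLE_RULES = [
    DFWRule("db-to-cloud-app", ["DFW"], ["onprem-db"], ["cloud-app"]),         # all 3 criteria
    DFWRule("web-to-cloud-app", ["DFW"], ["onprem-web"], ["cloud-app"]),       # single IP: fine
    DFWRule("mixed-to-cloud-app", ["DFW"], ["mixed"], ["cloud-app"]),          # cloud member: fine
    DFWRule("db-to-cloud-scoped", ["cloud-app"], ["onprem-db"], ["cloud-app"]),  # not Applied To DFW

]

if __name__ == "__main__":
    print("VPCs with failed rule processing:", sorted(find_failed_vpcs(SAMPLE_LOG)))
    print("Rules whose Applied To should be changed:", affected_rules(SAMPLE_RULES, SAMPLE_GROUPS))
```

Run it against your own syslog.log and an export of your rules and groups mapped into the same model; the rule names it prints are the ones to retarget under the workaround, and the VPC ids tell you which cloud networks lost rule realization.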

Environment

VMware NSX-T Data Center
VMware NSX-T Data Center 2.x
VMware NSX-T

Cause

The issue is caused by a software defect in the NSX Public Cloud Gateway: when a DFW rule matches all three criteria listed under Symptoms, rule processing for the cloud network fails, so the DFW rules are not realized on the cloud VMs in Agentless (Cloud Native) mode.

Resolution

This issue is resolved in NSX-T Data Center 2.5.1.

Workaround:
As a workaround, change the Applied To field of every DFW rule that matches the criteria listed in the Symptoms section so that it is no longer set to "Distributed Firewall" (for example, apply the rule to a specific group instead).