Unable to Add New DFW Policy via NSX UI with Tanzu enabled

Article ID: 323709

Products

VMware NSX

Issue/Introduction

  • New DFW policies cannot be added in the Environment tab via the NSX UI after workload management (Tanzu) is enabled.
  • An error message similar to the following is shown: "Error: Principal 'admin' with role '[enterprise_admin]' attempts to delete or modify an object nsx$CommunicationMap it doesn't own. (createUser=wcp-allow, Overwrite=null) (Error code: 500157)"
  • Using the NSX API /policy/api/v1/infra/domains/default/security-policies/{security-policy-id}, a new security policy can still be created directly in the Environment category of the default domain.
  • Entries similar to the following are observed in /var/log/syslog:

    NSX 4717 SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP289" level="ERROR" subcomp="manager"] Principal 'admin' with role '[enterprise_admin]' attempts to delete or modify an object of type nsx$CommunicationMap it doesn't own. (createUser=wcp-cluster-user-domain-########-####-####-####-############, allowOverwrite=null)
    .
    .
    INFO http-nio-127.0.0.1-7440-exec-63 PolicyHierarchicalAPIUtils 4717 POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Got errors during hierarchical patch - [{"moduleName":"common-services","errorCode":289,"errorMessage":"Principal 'admin' with role '[enterprise_admin]' attempts to delete or modify an object of type nsx$CommunicationMap it doesn't own. (createUser=wcp-cluster-user-domain-########-####-####-####-############, allowOverwrite=null)"}]
    .
    .
    INFO http-nio-127.0.0.1-7440-exec-63 NsxBaseRestController 4717 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Error in API /nsxapi/api/v1/infra?enforce_revision_check=true caused by exception com.vmware.nsx.management.policy.policyframework.exceptions.HierarchicalCreateException: {"moduleName":"Policy","errorCode":500157,"errorMessage":"Error while creating objects of type:SecurityPolicy","relatedErrors":[{"moduleName":"common-services","errorCode":289,"errorMessage":"Principal 'admin' with role '[enterprise_admin]' attempts to delete or modify an object of type nsx$CommunicationMap it doesn't own. (createUser=wcp-cluster-user-domain-########-####-####-####-############, allowOverwrite=null)"}]}

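The two practical pieces of this article, recognising the MP289 ownership error in syslog and creating the policy through the Policy API instead of the UI, as an added example that is not part of the KB. The manager host, credentials, the policy name env-quarantine and the service path /infra/services/SSH are constructed assumptions; the sample log lines are constructed from the KB excerpt with the cluster id masked. The PATCH body uses the Environment category and a sequence number above 1 so the Tanzu default policy keeps its place.

```python
"""Added example (not from the KB): detect the MP289 ownership error in
/var/log/syslog lines and create an Environment-category DFW policy via the
NSX Policy API. Host, credentials, policy and service names are assumptions."""
import base64
import json
import re
import ssl
import urllib.request

# Matches both the syslog form (errorCode="MP289") and the JSON form
# ("errorCode":289) quoted in the KB, and captures the wcp principal that
# owns the object the admin principal tried to modify.
_OWNERSHIP_ERROR = re.compile(
    r"(errorCode=\"MP289\"|\"errorCode\":289).*?it doesn't own\..*?"
    r"createUser=(wcp-[^,\s)]+)"
)


def find_tanzu_ownership_errors(log_lines):
    """Return the wcp principal named in every line carrying the MP289 error."""
    owners = []
    for line in log_lines:
        match = _OWNERSHIP_ERROR.search(line)
        if match:
            owners.append(match.group(2))
    return owners


def policy_url(manager_host, policy_id, domain_id="default"):
    """Build the security-policy URL from the API path given in the KB."""
    return (f"https://{manager_host}/policy/api/v1/infra/domains/{domain_id}"
            f"/security-policies/{policy_id}")


def build_environment_policy(display_name, sequence_number=10, rules=None):
    """Build a PATCH body for a SecurityPolicy in the Environment category.

    The default sequence_number is above 1 because the KB states that the
    Tanzu default policies use sequence number 1; leaving them first avoids
    touching the wcp-owned objects that trigger MP289.
    """
    if sequence_number <= 1:
        raise ValueError("sequence_number 1 is used by the Tanzu default policies")
    body = {
        "resource_type": "SecurityPolicy",
        "display_name": display_name,
        "category": "Environment",
        "sequence_number": sequence_number,
        "rules": [],
    }
    for index, rule in enumerate(rules or [], start=1):
        body["rules"].append({
            "resource_type": "Rule",
            "display_name": rule["name"],
            "sequence_number": index,
            "source_groups": rule.get("sources", ["ANY"]),
            "destination_groups": rule.get("destinations", ["ANY"]),
            "services": rule.get("services", ["ANY"]),
            "scope": ["ANY"],
            "action": rule.get("action", "DROP"),
            "logged": True,
        })
    return body


def patch_security_policy(manager_host, policy_id, body, username, password,
                          verify_tls=True):
    """Send the policy to NSX Manager with HTTP basic auth; return the status."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    request = urllib.request.Request(
        policy_url(manager_host, policy_id),
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
    )
    context = ssl.create_default_context()
    if not verify_tls:  # only for lab managers with self-signed certificates
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(request, context=context) as response:
        return response.status


# Constructed sample lines modelled on the KB excerpt (cluster id masked).
SAMPLE_SYSLOG = [
    'NSX 4717 SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP289" level="ERROR" '
    'subcomp="manager"] Principal \'admin\' with role \'[enterprise_admin]\' attempts '
    'to delete or modify an object of type nsx$CommunicationMap it doesn\'t own. '
    '(createUser=wcp-cluster-user-domain-########-####-####-####-############, allowOverwrite=null)',
    'INFO http-nio-127.0.0.1-7440-exec-63 PolicyHierarchicalAPIUtils 4717 POLICY '
    '[nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Got errors during '
    'hierarchical patch - [{"moduleName":"common-services","errorCode":289,'
    '"errorMessage":"Principal \'admin\' with role \'[enterprise_admin]\' attempts to '
    'delete or modify an object of type nsx$CommunicationMap it doesn\'t own. '
    '(createUser=wcp-cluster-user-domain-########-####-####-####-############, allowOverwrite=null)"}]',
    'NSX 4717 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] '
    'constructed unrelated line',
]

if __name__ == "__main__":
    print(find_tanzu_ownership_errors(SAMPLE_SYSLOG))
    policy = build_environment_policy(
        "env-quarantine",
        rules=[{"name": "block-ssh", "services": ["/infra/services/SSH"]}])
    print(json.dumps(policy, indent=2))
    # patch_security_policy("nsx.example.test", "env-quarantine", policy,
    #                       "admin", "<password>")  # assumed manager and user
```

The matcher returns the owning wcp principal, which is the quickest confirmation that the UI failure is this KB and not an unrelated permission problem; the PATCH call is the direct-API path the article describes as still working.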
Environment

VMware NSX-T Data Center 3.x
VMware NSX 4.x

Cause

Enabling workload management (Tanzu) creates default policies with sequence number 1 that are owned by the Tanzu (wcp) principal. When a new policy is added under the Environment section through the NSX UI, the request also modifies these Tanzu-owned objects, and NSX rejects it because the 'admin' principal does not own them.

Resolution

This issue is resolved in VMware NSX 4.1.1, available at Broadcom downloads.

If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.

If you believe you have encountered this issue and are unable to upgrade, please open a support case with Broadcom Support NSX-T GSS and refer to this KB article.

For more information, see Creating and managing Broadcom support cases.