SNI-based Virtual Servers/Load Balancer stops working after the NSX-T Edge Upgrade.
Article ID: 324181
Updated On:
Products
VMware NSX Networking
Issue/Introduction
Symptoms:
- NSX-T Data Center 3.1.0 or 3.0.x
- Load Balancer and Virtual server show up as "Unknown" post NSX-T Edge Upgrade.
- The following logs may be observed on the Edge at /var/log/syslog
2022-xx-xxTxx:04:13.024274+00:00 edge-1 NSX 9087 LB [nsx@6876 comp="nsx-edge" subcomp="nsx-edge-lb.lb" level="ERROR" errorCode="EDG9999999"] [xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx] init_by_lua error: error loading module 'ruleset' from file '/config/vmware/edge/lb/etc/<lb-uuid>/ruleset.lua':#012#011.../lb/etc/<lb-uuid>/ruleset.lua:213266: main function has more than 65536 constants#012stack traceback:#012#011[C]: at 0x656154a0e180#012#011[C]: in function 'require'#012#011init_by_lua:3: in main chunk
- Pool status shows as "down" and Pool member status shows as "unused"
edge-1> get load-balancer <Lb-UUID> pool <Pool UUID> status
<Snip>
Pool <<<
UUID : <LB-UUID>
Display-Name : ingress-https
Status : down
Total-Members : 2
<Snip>
Member <<<<<
Display-Name : pool member-1
Type : primary
IP : xx.xx.xx.2
Port : 8080
Status : unused
Member
Display-Name : pool member-2
Type : primary
IP : xx.xx.xx.3
Port : 8080
Status : unused
Environment
VMware NSX-T Data Center
Cause
During rule set generation for SNI VIPs, there is a processing logic fault which in large environments can result in reaching the max value of 65536. This issue is resolved by only generating rule sets for SSL default server or non SSL server to avoid the duplicated rules.
Resolution
This issue is resolved in NSX-T Data Center 3.1.1.
Additional Information
Impact/Risks:
Data path impact, Load-Balancer stops processing traffic.
Data path impact, Load-Balancer stops processing traffic.
Feedback
Yes
No
Powered by
