NSX-T IDFW rules are not working as expected

search cancel

NSX-T IDFW rules are not working as expected

book

Article ID: 324238

calendar_today

Updated On:

Products

VMware NSX Networking

Issue/Introduction

Symptoms:

NSX-T 3.1.0/3.1.1/3.1.2/3.1.2.1.
On the NSX UI, the source VM is not populated in the effective members of the AD Group after an AD user logs onto the source VM.
The AD user's Distinguished Name (dname) contains a special character.
NSX Manager log /var/log/proton/nsxapi.log has the logon event but the user is not mapped to any group

2021-05-17T19:54:24.469Z INFO IDFW-Vertical1 UserToParentGroupsCache 5573 INVENTORY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Loading user from LDAP: CN=Doe\, John (VDI User),OU=corp,DC=local
2021-05-17T19:54:25.385Z INFO IDFW-Vertical1 IdfwEventProcessorImpl 5573 FIREWALL [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] 1/1: no mapping to add, none of user's parent AD-group(s) are in any NSGroup

Environment

VMware NSX-T Data Center 3.x
VMware NSX-T Data Center

Cause

Active Directory requires that the following ten characters be escaped with the backslash "\" escape character if they appear in any of the individual components of a distinguished name:

Comma ,
Backslash character \
Pound sign (hash sign) #
Plus sign +
Less than symbol <
Greater than symbol >
Semicolon ;
Double quote (quotation mark) "
Equal sign =
Leading or trailing spaces

Due to a processing issue, these characters are not handled correctly.
This prevents the user being matched to the AD Group, in turn no translation occurs to map the login with the Grouping object and the IDFW rule will not be applied.

Resolution

This issue is resolved in NSX-T Data Center 3.1.3, available from VMware Downloads.

Workaround:
If an upgrade is not possible, the only workaround is to create a new user that does not use the special characters in its dname or edit an existing users to remove those characters.

Feedback

thumb_up Yes

thumb_down No