NSX-T Service Deployment Rules Not Applying on ESXi Hosts

Article ID: 325041

Products

VMware NSX

Issue/Introduction

  • Service deployment rules not applying on ESXi hosts
  • Slot 12 rules are not seen on the dvfilter from the ESXi command line
  • In the NSX-T Manager GUI, the deployment appears fully healthy with no issues

 

Environment

VMware NSX
VMware NSX-T Data Center

Cause

The issue can occur when the Management Plane and Control Plane fall out of sync on the Service Insertion status for East_West.

Resolution

This issue is resolved in VMware NSX 3.1.3.6, available at Broadcom downloads.

If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.

 

Workaround:

Confirm that the East_West statuses are out of sync by comparing the Enabled/True states ("global_status" for the "east_west" context in the first response, "east_west_enabled" in the second) returned by the following API calls:

  • GET https://<nsx>/api/v1/serviceinsertion/status
  • GET https://<nsx>/policy/api/v1/infra/settings/service-insertion/security/status

Example Output:

GET https://<nsx>/api/v1/serviceinsertion/status
    "context" : "east_west",
    "global_status" : "DISABLED",
    "resource_type" : "ServiceInsertionStatus",
    "id" : "a828d7##-####-####-####-######3eba1e",
    "display_name" : "status",
    "tags" : [ {
      "scope" : "policyPath",
      "tag" : "/infra/settings/service-insertion/security/status"
    "_create_user" : "system",
    "_create_time" : <epoch time>,
    "_last_modified_user" : "nsx_policy",
    "_last_modified_time" : <epoch time>,
    "_system_owned" : false,
    "_protection" : "NOT_PROTECTED",
    "_revision" : 3
  "result_count" : 2

GET https://<nsx>/policy/api/v1/infra/settings/service-insertion/security/status
  "north_south_enabled" : true,
  "east_west_enabled" : true,
  "resource_type" : "PolicySIStatusConfiguration",
  "id" : "status",
  "display_name" : "status",
  "path" : "/infra/settings/service-insertion/security/status",
  "relative_path" : "status",
  "parent_path" : "/infra",
  "unique_id" : "<id>",
  "marked_for_delete" : false,
  "overridden" : false,
  "_create_user" : "system",
  "_create_time" : <epoch time>,
  "_last_modified_user" : "admin",
  "_last_modified_time" : <epoch time>,
  "_system_owned" : false,
  "_protection" : "NOT_PROTECTED",
  "_revision" : 2


Assuming they are out of sync as shown above, proceed by using the following API calls to toggle "east_west_enabled" under "/policy/api/v1/infra/settings/service-insertion/security/status".

The goal is to toggle it to false to disable it, then toggle it back to true to force a resync to the rest of the infrastructure.

  1. GET /policy/api/v1/infra/settings/service-insertion/security/status
  2. Change "east_west_enabled" to false and make a PUT call.
  3. GET /policy/api/v1/infra/settings/service-insertion/security/status
  4. Change "east_west_enabled" to true and make a PUT call.

Once complete, check both again; both should now show Enabled/True:

  • GET https://<nsx>/api/v1/serviceinsertion/status
  • GET https://<nsx>/policy/api/v1/infra/settings/service-insertion/security/status
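The comparison and the four toggle steps above, written out as an added example (not Broadcom's code). It assumes the manager response lists its entries under "results"; `get` and `put` are hypothetical caller-supplied HTTP wrappers, and `FakeNsx` is a constructed stand-in so the logic runs offline.

```python
import copy

MP_PATH = "/api/v1/serviceinsertion/status"
POLICY_PATH = "/policy/api/v1/infra/settings/service-insertion/security/status"

def manager_east_west_enabled(mp_status):
    # Assumption: the manager response lists its entries under "results".
    entry = next(r for r in mp_status["results"] if r.get("context") == "east_west")
    return entry["global_status"].upper() == "ENABLED"

def toggle_body(policy_status, enabled):
    # Send back the body from GET with one field changed, so _revision is preserved.
    body = copy.deepcopy(policy_status)
    body["east_west_enabled"] = enabled
    return body

def resync_east_west(get, put):
    """Run steps 1-4 only for the mismatch shown above: policy true, manager not ENABLED."""
    policy = get(POLICY_PATH)
    if manager_east_west_enabled(get(MP_PATH)) == policy["east_west_enabled"]:
        return "in_sync"
    if not policy["east_west_enabled"]:
        return "skipped"  # ending on true would change the configured intent
    for enabled in (False, True):
        put(POLICY_PATH, toggle_body(get(POLICY_PATH), enabled))  # fresh GET before each PUT
    ok = manager_east_west_enabled(get(MP_PATH)) and get(POLICY_PATH)["east_west_enabled"]
    return "resynced" if ok else "still_out_of_sync"

class FakeNsx:
    """Constructed stand-in for the two endpoints; a PUT pushes the value to the manager view."""
    def __init__(self, mp_state, policy_enabled):
        self.mp = {"results": [{"context": "north_south", "global_status": "ENABLED"},
                               {"context": "east_west", "global_status": mp_state}],
                   "result_count": 2}
        self.policy = {"north_south_enabled": True, "east_west_enabled": policy_enabled,
                       "resource_type": "PolicySIStatusConfiguration", "_revision": 2}
        self.puts = []

    def get(self, path):
        return copy.deepcopy(self.mp if path == MP_PATH else self.policy)

    def put(self, path, body):
        assert body["_revision"] == self.policy["_revision"], "stale _revision"
        self.puts.append(body["east_west_enabled"])
        self.policy = dict(body, _revision=body["_revision"] + 1)
        self.mp["results"][1]["global_status"] = "ENABLED" if body["east_west_enabled"] else "DISABLED"

if __name__ == "__main__":
    nsx = FakeNsx("DISABLED", True)  # constructed: the out-of-sync state from the example output
    print(resync_east_west(nsx.get, nsx.put), nsx.puts)
```

The second GET before the second PUT matters because the first PUT changes `_revision`; reusing the body from step 1 would send a stale revision.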

Confirm that slot 12 is now present on the dvfilter

#summarize-dvfilter | grep -i test1vm -B 3 -A 25 | grep -i eth
 port 12369696 test1vm.eth2
   name: nic-52730061-eth2-vmware-sfw.2
   name: nic-52730061-eth2-vmware-si.12  <======== Service Insertion Slot 12 now present


Additional Information

Impact/Risks:
  • Backups of NSX-T Managers should be taken prior to performing any changes via the API