DFW Rule Realization may fail when adding certain AppIDs to DFW Context Profile

Products

VMware Cloud on AWS VMware Cloud on Dell EMC

Issue/Introduction

Explain behavior observed when using an unsupported AppID.

Symptoms:
In a Datacenter running VMC version 1.20v1/v2/v3/v4 DFW rule realization may fail when adding the following AppIDs to DFW Context Profile

AMAZON_AWS
CORBA
IBM
MS_DS_SMBV3
MSSMS
NAGIOS
NETBIOSDG
NETBIOSSS
SNMP_TRAP
SNMPV2
SNMPV3
WEBAV

The following log lines will be printed in policy logs
<DATE>T<TIME>Z INFO com.vmware.nsx.management.policy.policyframework.realization.StatusTracker RealizationStateServiceImpl 9629 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Returning current realization status 'Status = 'ERROR', Message = ''6' transport nodes have reported errors.', TNs = '[TN = '<TN>', Status = 'ERROR', Message = '', Errors = '[Error Code = '1102', Error Message = '', Affected Entities = '[]'.]'., TN = '<TN>', Status = 'ERROR', Message = '', Errors = '[Error Code = '1102', Error Message = '', Affected Entities = '[]'.]'., TN = '<TN>', Status = 'ERROR', Message = '', Errors = '[Error Code = '1102', Error Message = '', Affected Entities = '[]'.]'., TN = '<ID>', Status = 'ERROR', Message = '', Errors = '[Error Code = '1102', Error Message = '', Affected Entities = '[]'.]'., TN = '<TN>', Status = 'ERROR', Message = '', Errors = '[Error Code = '1102', Error Message = '', Affected Entities = '[]'.]'., TN = '<TN>', Status = 'ERROR', Message = '', Errors = '[Error Code = '1102', Error Message = '', Affected Entities = '[]'.]'.]', Pending Changes = '[]'.' for entity 'FirewallSection/<ID>'.

<DATE>T<TIME>Z INFO com.vmware.nsx.management.policy.policyframework.realization.StatusTracker StatusTrackerHelperService 9629 POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Updating GPRR /infra/realized-state/enforcement-points/vmc-enforcementpoint/firewalls/firewall-sections/cgw.URL_FILTER with publish status: ERROR
<DATE>T<TIME>Z INFO com.vmware.nsx.management.policy.policyframework.realization.StatusTracker StatusTrackerHelperService 9629 POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Updated GPRR with Publish status ERROR.

Error message seen in Proton logs:
<DATE>T<TIME>Z INFO http-nio-127.x.x.x-7440-exec-18 TransportNodeResponseHelper 4386 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" reqId="<reqID>f" subcomp="manager" username=email@vmware.com] Transport node realization summary for entity 'FirewallSection/ID'. ERROR = '[<ID>,<ID>]', IN_PROGRESS = '[]', UNKNOWN = '[]'.

20<DATE>T<TIME>Z INFO http-nio-127.0.0.1-7440-exec-18 RealizationStateServiceImpl 4386 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" reqId="<reqID>" subcomp="manager" username=[email protected]] Returning current realization status 'Status = 'ERROR', Message = ''2' transport nodes have reported errors.', TNs = '[TN = 'TN', Status = 'ERROR', Message = '', Errors = '[Error Code = '1102', Error Message = '', Affected Entities = '[]'.]'., TN = '<ID>', Status = 'ERROR', Message = '', Errors = '[Error Code = '1102', Error Message = '', Affected Entities = '[]'.]'.]', Pending Changes = '[]'.' for entity 'FirewallSection/ID'.

NSX UI will report a error in UI for rules having the unsupported AppID as shown below:
For example, add WEBAV attribute to CONTEXT PROFILE named TEST_APP_IDS.

Apply this context profile to URL_FILTER in Distributed Firewall. After published, it will finally show "failed" in the UI.

Additional details available in the UI:

Context Profile Status:

Cause

NSX-T 4.0.1 / 4.0.1.1 / 4.1 or VMC version 1.20v1/v2/v3/v4 does not support the above mentioned list of AppIDs mentioned under the section Symptoms.

Resolution

This is a known issue impacting VMC version 1.20v1/v2/v3/v4 . VMware will address this issue in upcoming NSX-T & VMC releases

Workaround:
Remove the conflicting AppID and re-publish