NCP 2.5.0 may not apply Security Policy updates to NSX-T DFW
Article ID: 327298
Updated On:
Products
VMware NSX Networking
Issue/Introduction
Symptoms:
The following conditions are met:
The following conditions are met:
- Container environments running NSX Container Plugin (NCP) 2.5.0
- When a Security Policy is created, updated and then updated again to restore the original configuration, the final configuration change is not reflected on the NSX-T DFW
Example scenario
- Create a Security Policy
e.g. Allow traffic on port 443
The Distributed Firewall Section and Rule is confirmed to be present in NSX-T
- Edit the Security Policy
e.g. Change the allowed traffic from port 443 to port 80
The Distributed Firewall Rule is updated in NSX-T
- Edit the Security Policy to change it back to the original configuration
In this example the Security Policy is changed to allow traffic on port 443
The DFW Rule is not updated in NSX-T and continues to show the last edit, allow port 80
- Create a Security Policy
e.g. Allow traffic on port 443
The Distributed Firewall Section and Rule is confirmed to be present in NSX-T
- Edit the Security Policy
e.g. Change the allowed traffic from port 443 to port 80
The Distributed Firewall Rule is updated in NSX-T
- Edit the Security Policy to change it back to the original configuration
In this example the Security Policy is changed to allow traffic on port 443
The DFW Rule is not updated in NSX-T and continues to show the last edit, allow port 80
Environment
VMware NSX-T Data Center 2.5.x
VMware NSX-T Data Center
VMware NSX-T Data Center
Cause
This problem behaviour is observed only in the specific scenario of reverting a Security Policy to its original configuration.
In the 2.5.0 NSX Container Plugin when a configuration change is made there is an issue that results in the rule hash of the Firewall section not being updated.
Because of this incorrect firewall rule hash, when the configuration change to revert to the original configuration is seen by NCP it believes NSX-T already has this same configuration and does not update NSX-T of the configuration change.
In the 2.5.0 NSX Container Plugin when a configuration change is made there is an issue that results in the rule hash of the Firewall section not being updated.
Because of this incorrect firewall rule hash, when the configuration change to revert to the original configuration is seen by NCP it believes NSX-T already has this same configuration and does not update NSX-T of the configuration change.
Resolution
This issue is resolved in NSX Container Plugin 2.5.1, available at VMware Downloads.
Workaround:
Until NCP can be upgraded the Security Policy can be deleted and recreated.
Workaround:
Until NCP can be upgraded the Security Policy can be deleted and recreated.
Feedback
Yes
No
Powered by
