Publishing Distributed Firewall rules fails with error "Unmatched rules found in the configuration"
Article ID: 327304
Updated On:
Products
VMware NSX Networking
Issue/Introduction
Symptoms:
[Error Details: Unmatched rules found in the configuration.]
com.vmware.vshield.app.firewall.exceptions.InvalidValueException: null
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
- Publishing Distributed Firewall rules fails with the following error:
[Error Details: Unmatched rules found in the configuration.]
- In NSX Manager logs, vsm.log contains:
com.vmware.vshield.app.firewall.exceptions.InvalidValueException: null
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
Environment
VMware NSX for vSphere 6.4.x
VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.3.x
Cause
When publishing (globally) a Distributed Firewall configuration after a section has been modified, some rules not belonging to the modified section may be incorrectly matched. For example, when modifying section with id 1003, rules from section with id 11003 are also matched). This may cause the publish operation to fail.
Resolution
There is currently no resolution.
Workaround:
Two workarounds are possible:
Workaround:
Two workarounds are possible:
- Publish the modified section, instead of the global configuration.
- Use the filter option to include only the modified rule(s) or section(s), and use the global publish. In comparison to the initial status, the incorrectly matched section is excluded from the publish operation, and will not block it.
Additional Information
Impact/Risks:
Distributed Firewall may fail to publish.
Distributed Firewall may fail to publish.
Feedback
Yes
No
Powered by
