Service insertion critical alarm triggers for certain transport nodes.
Article ID: 329373

Products

VMware NSX, VMware vDefend Firewall

Issue/Introduction

This KB is referenced from the alarm notification to help resolve the service insertion infrastructure issue.

In the NSX-T Manager UI, under Home > Alarms, there is a Critical alarm for:

Feature: Service Insertion
Event type: Service Insertion Infrastructure Status Down
Description: SPF not enabled at port level on host ########-####-####-####-########### and the status is down. Reason: Missing spf port or incorrect host switch config.
Recommended Action: Perform any corrective action from the KB and check if the status is up.
Reported by Node: <node>

OR

Feature: Service Insertion
Event type: Service Insertion Infrastructure Status Down
Description: SPF not enabled at port level on host ########-####-####-####-########### and the status is down. Reason: Incorrect host switch config or missing key component.
Recommended Action: Perform any corrective action from the KB and check if the status is up.
Reported by Node: <node>

The alarm's runtime details can carry one of two reasons:

  A. Reason: Incorrect host switch config or missing key component
  B. Reason: Traffic failed to redirect to service due to service insertion infra down

Environment

VMware NSX 3.x / 4.x

Cause

1. Unsupported transport zone or host switch configuration.
2. A problem with SPF port management; see the diagnosis in the KB article "VM NIC disconnect resulting from vMotion from ESXi TN to ESXi TN".

Resolution

Step 1:

Check the NSX-T configuration for the host reported by the alarm.

Navigate to:

Security -> Network Introspection -> Service Segment, find the transport zone of the service segment.

Navigate to:
System -> Fabric -> Nodes, select the host reported by the alarm. Only one host switch can be present, and that host switch must carry the transport zone the service segment is on.

East-West service insertion supports traffic redirection on only one host switch. If more than one is configured, VMs on the other switch cannot be redirected to third-party services, and this alarm is raised.

If the workload on that transport node doesn't need service insertion, create an exclude list under Security -> EW Network Introspection -> Action -> Exclude List to exclude all the VMs on that host.

If service insertion is needed, change the transport zone and host switch configuration to one that service insertion supports.
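As an added example that is not part of this KB, the following Python script performs the Step 1 check offline: for each transport node it flags more than one host switch, or a host switch that does not carry the service segment's transport zone. The input shape is modelled on the transport node objects returned by the NSX Manager API's transport-nodes listing (`host_switch_spec.host_switches[].transport_zone_endpoints[].transport_zone_id`); that shape, the sample node data and the transport zone ID are assumptions constructed for the example and should be verified against your NSX version.

```python
"""Offline check for the two Step 1 conditions of this KB:
  - more than one host switch on a transport node
  - no host switch carrying the service segment's transport zone
The node dict shape is modelled on the NSX Manager transport-nodes API
(assumption: verify against the API reference for your NSX version)."""
from __future__ import annotations

import json

# Constructed placeholder: the transport zone that backs the service segment,
# as read from Security -> Network Introspection -> Service Segment in the UI.
SERVICE_SEGMENT_TZ = "tz-overlay-0001"

# Constructed sample transport nodes (not real IDs), shaped like API results.
SAMPLE_TRANSPORT_NODES = json.loads("""
[
  {"id": "tn-esx-01", "display_name": "esx-01",
   "host_switch_spec": {"host_switches": [
     {"host_switch_name": "vds-01",
      "transport_zone_endpoints": [{"transport_zone_id": "tz-overlay-0001"}]}]}},
  {"id": "tn-esx-02", "display_name": "esx-02",
   "host_switch_spec": {"host_switches": [
     {"host_switch_name": "vds-01",
      "transport_zone_endpoints": [{"transport_zone_id": "tz-overlay-0001"}]},
     {"host_switch_name": "vds-02",
      "transport_zone_endpoints": [{"transport_zone_id": "tz-vlan-0002"}]}]}},
  {"id": "tn-esx-03", "display_name": "esx-03",
   "host_switch_spec": {"host_switches": [
     {"host_switch_name": "vds-01",
      "transport_zone_endpoints": [{"transport_zone_id": "tz-vlan-0002"}]}]}}
]
""")


def host_switch_findings(node: dict, service_tz_id: str) -> list[str]:
    """Return the Step 1 findings for one transport node; an empty list means compliant."""
    findings: list[str] = []
    switches = node.get("host_switch_spec", {}).get("host_switches", [])
    if not switches:
        findings.append("no host switch configured")
        return findings
    if len(switches) > 1:
        names = ", ".join(s.get("host_switch_name", "?") for s in switches)
        findings.append(
            f"{len(switches)} host switches present ({names}); only one is supported"
        )
    # Collect every transport zone attached to any host switch on this node.
    tz_ids = {
        ep.get("transport_zone_id")
        for s in switches
        for ep in s.get("transport_zone_endpoints", [])
    }
    if service_tz_id not in tz_ids:
        findings.append(
            f"service segment transport zone {service_tz_id} not attached to any host switch"
        )
    return findings


def find_noncompliant_hosts(nodes: list[dict], service_tz_id: str) -> dict[str, list[str]]:
    """Map transport node ID -> findings, keeping only nodes that have at least one."""
    return {n["id"]: f for n in nodes if (f := host_switch_findings(n, service_tz_id))}


if __name__ == "__main__":
    report = find_noncompliant_hosts(SAMPLE_TRANSPORT_NODES, SERVICE_SEGMENT_TZ)
    for node_id, reasons in report.items():
        print(node_id)
        for reason in reasons:
            print("  -", reason)
```

To run this against a live environment, replace `SAMPLE_TRANSPORT_NODES` with the `results` list from the transport-nodes API response and `SERVICE_SEGMENT_TZ` with the real transport zone ID; a host flagged with "only one is supported" corresponds to the unsupported multi-host-switch case described above, and a host flagged with "not attached" is one whose single host switch is not on the service segment's transport zone.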

Step 2:

See the resolution and workaround in the KB article "VM NIC disconnect resulting from vMotion from ESXi TN to ESXi TN".

Note: Regardless of this alarm, regular traffic that does not match a service insertion policy is not affected.

Reason A means the VM is on an invalid host switch.

Reason B means a service insertion policy is configured for VMs on invalid host switches; when real traffic matches that policy, the redirection fails and the configured failure policy is applied to that traffic instead.

After resolving the issue, navigate to Home > Alarms and manually resolve this alarm.

Additional Information

For additional information, refer to the E-W Network Introspection documentation.

Important points from the above doc:
  1. East-West Network Introspection is applied to an entire NSX deployment.
  2. Irrespective of the type of deployment, service VMs can be accessed by all East-West Network Introspection workloads. For example, a workload running on cluster A can use a service VM running on cluster B if there is no better alternative. So, picking a cluster-based deployment does not limit East-West Network Introspection to that cluster.
  3. Whenever Service Insertion is applied to traffic on an interface backed by a VDS switch that does not back the service segment, NSX raises alarms to signal that Service Insertion cannot work correctly to redirect traffic.