Service insertion critical alarm triggers for certain transport nodes.


Article ID: 329373

Products

VMware NSX

Issue/Introduction

This KB is added to the alarm notification to help resolve the service insertion infrastructure issue.

Symptoms:
In the NSX-T Manager UI, under Home -> Alarms, there is a Critical alert for:

Feature: Service Insertion
Event type: Service Insertion Infrastructure Status Down
Description: SPF not enabled at port level on host c682e65c-####-####-####-########a9c and the status is down. Reason: Missing spf port or incorrect host switch config.
Recommended Action: Perform any corrective action from the KB and check if the status is up.
Reported by Node: <node>

There are two possible runtime details:
A. Reason: Incorrect host switch config or missing key component
B. Reason: Traffic failed to redirect to service due to service insertion infra down

Environment

VMware NSX 4.0.0.1

Cause

1. Unsupported transport zone or host switch configuration.
2. Issue with SPF port management. See the diagnosis in "VM NIC disconnect resulting from vMotion from ESXi TN to ESXi TN".

Resolution

For 1, check the NSX-T configuration for the host reported by the alarm.

Go to Security -> Network Introspection -> Service Segment and find the transport zone of the service segment.

Go to System -> Fabric -> Nodes and select the host reported by the alarm. Only one host switch can be present, and that host switch should have the transport zone that the service segment is on.

EW service insertion only supports traffic redirection on one host switch. If more than one is configured, VMs on the other switch will not be able to redirect to third-party services and will trigger this alarm.

If the workload on that transport node doesn't need service insertion, users can create an exclude list in Security -> EW Network Introspection -> Action -> Exclude List to exclude all the VMs on that host.

If service insertion is needed, fix the transport zone and host switch configuration to a service insertion supported configuration.
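The two checks for cause 1 (exactly one host switch, and that switch carrying the service segment's transport zone) can be run offline over exported configuration. This is an added example, not VMware code: the JSON field names are assumptions based on the NSX API object model and should be verified against your version's API reference, and all sample data is constructed.

```python
# Added example, not VMware code. Field names (host_switch_spec, host_switches,
# transport_zone_endpoints, transport_zone_id, transport_zone_path) are assumed
# from the NSX API object model; verify them against your version's API reference.

def tz_id_from_path(transport_zone_path):
    """Reduce a policy path such as '/infra/.../transport-zones/<id>' to '<id>'."""
    return transport_zone_path.rstrip("/").rsplit("/", 1)[-1]

def check_transport_node(node, service_tz_id):
    """Return finding codes for one transport node; an empty list means the node
    matches the single-host-switch layout this KB describes as supported."""
    switches = node.get("host_switch_spec", {}).get("host_switches", [])
    findings = []
    if len(switches) != 1:
        findings.append("HOST_SWITCH_COUNT_%d" % len(switches))
    has_service_tz = any(
        ep.get("transport_zone_id") == service_tz_id
        for sw in switches
        for ep in sw.get("transport_zone_endpoints", [])
    )
    if not has_service_tz:
        findings.append("SERVICE_TZ_MISSING")
    return findings

# Constructed sample data, not taken from a real environment.
SERVICE_SEGMENT = {"transport_zone_path":
    "/infra/sites/default/enforcement-points/default/transport-zones/tz-overlay-01"}
NODES = [
    {"display_name": "esx-ok", "host_switch_spec": {"host_switches": [
        {"host_switch_name": "vds-1",
         "transport_zone_endpoints": [{"transport_zone_id": "tz-overlay-01"}]}]}},
    {"display_name": "esx-two-switches", "host_switch_spec": {"host_switches": [
        {"host_switch_name": "vds-1",
         "transport_zone_endpoints": [{"transport_zone_id": "tz-overlay-01"}]},
        {"host_switch_name": "vds-2",
         "transport_zone_endpoints": [{"transport_zone_id": "tz-vlan-02"}]}]}},
    {"display_name": "esx-wrong-tz", "host_switch_spec": {"host_switches": [
        {"host_switch_name": "vds-1",
         "transport_zone_endpoints": [{"transport_zone_id": "tz-vlan-02"}]}]}},
]

def audit(nodes, service_segment):
    """Map each node's display_name to its list of findings."""
    tz = tz_id_from_path(service_segment["transport_zone_path"])
    return {n["display_name"]: check_transport_node(n, tz) for n in nodes}

if __name__ == "__main__":
    for name, findings in audit(NODES, SERVICE_SEGMENT).items():
        print(name, "OK" if not findings else ", ".join(findings))
```

A node with findings needs either the configuration fix or the exclude list described above.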

For 2, see the resolution and workaround in "VM NIC disconnect resulting from vMotion from ESXi TN to ESXi TN".
Note that regardless of this alarm, regular traffic that doesn't hit a service insertion policy is not affected.

Reason A means that a VM is on an invalid host switch.
Reason B means that a service insertion policy is configured for VMs on invalid host switches; when real traffic hits that policy, the failure policy is applied to that traffic.

After resolving the issue, go to Home -> Alarms and manually resolve this alarm.

Additional Information

Impact/Risks:
NSX 4.0.X versions.