[VMC on AWS] Context Profile Issues during SDDC upgrades
Article ID: 329930


Products

VMware Cloud on AWS

Issue/Introduction

This KB describes a Context Profile issue that can occur in an SDDC during upgrade: its cause, its impact on Distributed Firewall (DFW) enforcement, and the resolution and workaround that are available to users, administrators and support teams.


Symptoms:

After an SDDC upgrade from 1.18v6 to 1.20v7, DFW rules that reference a Context Profile can evaluate the context value as 'none' during the window after Phase 2 completes and before Phase 3 begins. Traffic that those rules are meant to govern is therefore not controlled as configured: DFW logs show rules dropping various types of traffic, and FQDN Context Profiles appear to be ignored.


Cause

This is a known issue, acknowledged by VMware engineering, that occurs during the SDDC upgrade process. DFW rules fail to reference the Context Profile value, so the context is evaluated as 'none' and the traffic governed by those Context Profiles is handled incorrectly.

Resolution

There is currently no direct fix that can be applied to an affected SDDC. The issue is expected to clear automatically when Phase 3 of the SDDC upgrade completes; once it has, confirm that rules referencing Context Profiles match traffic as configured before relying on them again.

Alternatively, affected customers are advised to upgrade to a version that includes the fix, typically 1.20v9 or later, which restores correct evaluation of Context Profiles in DFW rules.


Workaround:

Some affected customers have reduced the impact by temporarily enforcing their Layer 7 (L7) rules on an external firewall in their on-premises environment until Phase 3 completes and Context Profile matching is restored. Before doing so, inventory which DFW rules reference a Context Profile so that every affected L7 and FQDN rule is replicated on the external firewall.
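To apply this workaround you first need the list of DFW rules whose match depends on a Context Profile. The following is an added example, not VMware's code: it inventories such rules from a Policy API rule listing and separately flags the ones built on FQDN profiles, which the symptoms above single out as ignored. The field names (`profiles`, `attributes`, `key` values such as `DOMAIN_NAME` and `APP_ID`), the reverse-proxy URL and `csp-auth-token` header, and all sample records are assumptions made for the example.

```python
"""Inventory of DFW rules whose match depends on a Context Profile.

Added example; it is not VMware's code. Field names follow the NSX Policy
API shape used by VMC on AWS as assumed here: a rule carries a `profiles`
list of context-profile paths (["ANY"] when no profile is applied), and a
context profile carries `attributes` whose `key` is e.g. "DOMAIN_NAME"
(FQDN) or "APP_ID" (L7 App ID). The sample records are constructed.
"""
import json
import urllib.request
from typing import Dict, List

# Constructed sample shaped like GET /policy/api/v1/infra/domains/default/
# security-policies/<policy>/rules (only the fields the check needs).
SAMPLE_RULES: List[Dict] = [
    {"id": "allow-dns", "display_name": "Allow DNS", "action": "ALLOW",
     "profiles": ["/infra/context-profiles/DNS"]},
    {"id": "allow-vendor", "display_name": "Allow vendor updates", "action": "ALLOW",
     "profiles": ["/infra/context-profiles/vendor-fqdn"]},
    {"id": "block-ssh", "display_name": "Block SSH app", "action": "DROP",
     "profiles": ["/infra/context-profiles/SSH"]},
    {"id": "allow-web", "display_name": "Allow web tier", "action": "ALLOW",
     "profiles": ["ANY"]},
]

# Constructed sample shaped like GET /policy/api/v1/infra/context-profiles,
# keyed by profile path.
SAMPLE_PROFILES: Dict[str, Dict] = {
    "/infra/context-profiles/DNS": {
        "attributes": [{"key": "APP_ID", "value": ["DNS"]}]},
    "/infra/context-profiles/vendor-fqdn": {
        "attributes": [{"key": "DOMAIN_NAME", "value": ["*.vendor.example"]}]},
    "/infra/context-profiles/SSH": {
        "attributes": [{"key": "APP_ID", "value": ["SSH"]}]},
}


def context_profile_rules(rules: List[Dict], profiles: Dict[str, Dict]) -> List[Dict]:
    """Return one finding per rule that references at least one Context Profile.

    These are the rules whose match can degrade to context 'none' during the
    upgrade window, so they are the ones to replicate on an external firewall
    and to re-verify once Phase 3 completes.
    """
    findings = []
    for rule in rules:
        paths = [p for p in rule.get("profiles", []) if p != "ANY"]
        if not paths:
            continue  # rule does not depend on a Context Profile
        keys = {attr.get("key")
                for path in paths
                for attr in profiles.get(path, {}).get("attributes", [])}
        findings.append({
            "id": rule["id"],
            "name": rule.get("display_name", rule["id"]),
            "action": rule.get("action"),
            "profiles": paths,
            # FQDN profiles are the ones the KB reports as ignored.
            "uses_fqdn": "DOMAIN_NAME" in keys,
        })
    return findings


def fqdn_rule_ids(findings: List[Dict]) -> List[str]:
    """IDs of the flagged rules that rely on an FQDN (DOMAIN_NAME) profile."""
    return [f["id"] for f in findings if f["uses_fqdn"]]


def fetch_json(url: str, csp_token: str) -> Dict:
    """Fetch a Policy API collection through the VMC NSX reverse proxy.

    Assumption for this example: the reverse-proxy URL shown on the SDDC's
    networking page and a CSP access token sent as `csp-auth-token`.
    Not called by the offline demo below.
    """
    req = urllib.request.Request(url, headers={"csp-auth-token": csp_token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for f in context_profile_rules(SAMPLE_RULES, SAMPLE_PROFILES):
        tag = "FQDN" if f["uses_fqdn"] else "L7"
        print(f"{f['id']:<14} {f['action']:<6} {tag:<5} {', '.join(f['profiles'])}")
```

Run against a live SDDC by replacing the two samples with the `results` arrays returned by `fetch_json` for each security policy and for the context-profile collection. The report lists the rule action alongside each finding because an ALLOW rule whose context degrades to 'none' and a DROP rule in the same state need different compensating rules on the external firewall.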


Additional Information

Impact/Risks:

Until the upgrade completes, traffic that should be governed by Context Profile rules is not handled as configured, because the affected DFW rules evaluate the context as 'none'. This disrupts normal network operations for the workloads those rules cover.