Symptoms:
A Distributed Firewall rule matching the criteria below may be affected by this issue:
- The rule was created using Policy UI in a Default Section.
- The rule was deleted using Policy UI.
- The rule remains in the same section of the Manager UI.
- The rule remains applied to the relevant DVFilters (VM vNICs).
If the rule created in Policy UI used a grouping object that is then deleted:
- The remaining rule in Manager UI becomes invalid.
- The Policy UI fails to publish the Distributed Firewall.
- The Policy UI shows an error referencing a grouping object that does not appear to be in use.
- The Manager UI shows the culprit rule(s) containing the deleted grouping object.
- NSX-T Manager logs, viewed with the command get log-file syslog, contain messages similar to:
2020-01-01T01:01:01.000Z nsxmanager1.local NSX 16020 DISTRIBUTED-SERVICES [nsx@6876 comp="nsx-manager" errorCode="MP600" level="ERROR" reqId="aaaaaaaa-bbbb-cccc-1111-000000000000" subcomp="manager" username="nsx_policy"] Identifier : NSGroup/6abcdefgh-1234-ijkl-5678-mnopqrstuvwx not found for key NSGroup
2020-01-01T01:01:01.000Z nsxmanager1.local NSX 16569 POLICY [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="policy"] Error occurred while realizing section /infra/domains/default/security-policies/default-layer2-section
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
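
The following is an added example, not part of the original article or of any VMware tooling: a small Python parser that scans exported NSX-T Manager syslog text for the two messages above and reports which NSGroup identifiers are missing and which sections failed to realize. It assumes the log lines follow the layout of the excerpts above; the function name and the third sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: the two excerpts from the article plus one unrelated line.
SAMPLE_LOG = """\
2020-01-01T01:01:01.000Z nsxmanager1.local NSX 16020 DISTRIBUTED-SERVICES [nsx@6876 comp="nsx-manager" errorCode="MP600" level="ERROR" reqId="aaaaaaaa-bbbb-cccc-1111-000000000000" subcomp="manager" username="nsx_policy"] Identifier : NSGroup/6abcdefgh-1234-ijkl-5678-mnopqrstuvwx not found for key NSGroup
2020-01-01T01:01:01.000Z nsxmanager1.local NSX 16569 POLICY [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="policy"] Error occurred while realizing section /infra/domains/default/security-policies/default-layer2-section
2020-01-01T01:01:02.000Z nsxmanager1.local NSX 16569 POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="policy"] Constructed unrelated line
"""

# Layout: timestamp host "NSX" procid msgid [structured data] message
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) NSX \d+ (?P<msgid>\S+) '
                     r'\[nsx@6876 (?P<sd>[^\]]*)\] (?P<msg>.*)$')
SD_RE = re.compile(r'(\w+)="([^"]*)"')
GROUP_RE = re.compile(r'Identifier : NSGroup/(\S+) not found for key NSGroup')
SECTION_RE = re.compile(r'Error occurred while realizing section (\S+)')


def find_stale_group_symptoms(text):
    """Map missing NSGroup ids and failed section paths to the timestamps seen."""
    missing, failed = defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the NSX syslog layout shown in the article
        sd = dict(SD_RE.findall(m['sd']))  # structured-data key/value pairs
        g = GROUP_RE.search(m['msg'])
        if g and sd.get('errorCode') == 'MP600' and sd.get('level') == 'ERROR':
            missing[g.group(1)].append(m['ts'])
        s = SECTION_RE.search(m['msg'])
        if s and sd.get('subcomp') == 'policy':
            failed[s.group(1)].append(m['ts'])
    return {'missing_groups': dict(missing), 'failed_sections': dict(failed)}


if __name__ == '__main__':
    report = find_stale_group_symptoms(SAMPLE_LOG)
    for gid, seen in report['missing_groups'].items():
        print(f'missing NSGroup {gid}: {len(seen)} hit(s), first {seen[0]}')
    for path, seen in report['failed_sections'].items():
        print(f'realization failed for {path}: {len(seen)} hit(s), first {seen[0]}')
```

The reported NSGroup identifier is the value to look for in the Manager UI when locating the leftover rule.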