Distributed Firewall rules created and deleted from Policy UI in default sections persist in Manager UI
Article ID: 330430

Products

VMware NSX

Issue/Introduction

Symptoms:
A Distributed Firewall rule matching the criteria below may be affected by this issue:
  • The rule was created using Policy UI in a Default Section.
  • The rule was deleted using Policy UI.
  • The rule remains in the same section of the Manager UI.
  • The rule remains applied to the relevant DVFilters (VM vNICs).
If the rule created in Policy UI used a grouping object that is then deleted:
  • The remaining rule in Manager UI becomes invalid.
  • The Policy UI fails to publish the Distributed Firewall.
  • The Policy UI shows an error with a grouping object that you don't see being used.
  • The Manager UI allows you to see the culprit rule(s) containing the deleted grouping object.
  • NSX-T Manager logs, viewed with the command get log-file syslog, contain messages similar to:
2020-01-01T01:01:01.000Z nsxmanager1.local NSX 16020 DISTRIBUTED-SERVICES [nsx@6876 comp="nsx-manager" errorCode="MP600" level="ERROR" reqId="aaaaaaaa-bbbb-cccc-1111-000000000000" subcomp="manager" username="nsx_policy"] Identifier : NSGroup/6abcdefgh-1234-ijkl-5678-mnopqrstuvwx not found for key NSGroup
2020-01-01T01:01:01.000Z nsxmanager1.local NSX 16569 POLICY [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="policy"] Error occurred while realizing section /infra/domains/default/security-policies/default-layer2-section

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
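Added example, not part of the KB article: a small Python checker that scans NSX Manager syslog output (as returned by get log-file syslog) for the MP600 "NSGroup ... not found" error and the matching policy-realization warning, so the deleted grouping object and the affected section can be identified before opening the Manager UI. The sample lines are constructed to mirror the excerpts above; the third line (an unrelated INFO message) is added only to show that non-matching lines are ignored.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines modelled on the KB excerpts (not real log output).
SAMPLE_LOG = """\
2020-01-01T01:01:01.000Z nsxmanager1.local NSX 16020 DISTRIBUTED-SERVICES [nsx@6876 comp="nsx-manager" errorCode="MP600" level="ERROR" reqId="aaaaaaaa-bbbb-cccc-1111-000000000000" subcomp="manager" username="nsx_policy"] Identifier : NSGroup/6abcdefgh-1234-ijkl-5678-mnopqrstuvwx not found for key NSGroup
2020-01-01T01:01:01.000Z nsxmanager1.local NSX 16569 POLICY [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="policy"] Error occurred while realizing section /infra/domains/default/security-policies/default-layer2-section
2020-01-01T01:02:00.000Z nsxmanager1.local NSX 16020 DISTRIBUTED-SERVICES [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Constructed unrelated message
"""

# Header, structured-data block ([nsx@6876 key="value" ...]) and free-text message.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) NSX (?P<pid>\d+) (?P<facility>\S+) '
    r'\[nsx@6876 (?P<sd>[^\]]*)\] (?P<msg>.*)$'
)
SD_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')
MISSING_GROUP_RE = re.compile(r'Identifier : (?P<ident>NSGroup/\S+) not found for key NSGroup')
SECTION_RE = re.compile(r'Error occurred while realizing section (?P<path>/infra/\S+)')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one NSX Manager syslog line into header fields, SD params and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {k: v for k, v in m.groupdict().items() if k != "sd"}
    rec.update(SD_PARAM_RE.findall(m.group("sd")))  # comp, errorCode, level, subcomp, ...
    return rec


def find_stale_group_errors(log_text: str) -> List[Dict[str, str]]:
    """One finding per MP600 'NSGroup not found' error, paired with the first
    policy section whose realization failed in the same log (empty if none)."""
    records = [r for r in (parse_line(ln) for ln in log_text.splitlines()) if r]
    failed_sections = [SECTION_RE.search(r["msg"]).group("path")
                       for r in records
                       if r.get("subcomp") == "policy" and SECTION_RE.search(r["msg"])]
    findings = []
    for r in records:
        mg = MISSING_GROUP_RE.search(r["msg"])
        if r.get("errorCode") == "MP600" and mg:
            findings.append({"time": r["ts"], "missing_group": mg.group("ident"),
                             "failed_section": failed_sections[0] if failed_sections else ""})
    return findings


if __name__ == "__main__":
    for f in find_stale_group_errors(SAMPLE_LOG):
        print(f"{f['time']}: {f['missing_group']} missing; section {f['failed_section'] or 'n/a'}")
```

The reported NSGroup identifier is what to search for in the Manager UI section to locate the stale rule(s) to delete.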

Environment

VMware NSX-T Data Center

Cause

When rules are deleted from the default section using the Policy UI, the corresponding rules in the Manager UI are retained, because the Manager UI cannot distinguish Manager rules from Policy rules.

Resolution

This issue is fixed in NSX-T 3.0.2.

Workaround:
  • To identify and clear stale rules (those that were deleted from the Policy UI), access the Manager UI and delete the culprit rules.
  • To prevent this issue from occurring, do not use the default section from the Policy UI; create a separate section instead.


Additional Information

Impact/Risks:
This issue may leave unwanted firewall rules in effect on VM vNICs and/or cause the publication of new Policy rules to fail.