NSX-T DFW sections are intermittently in "Failed" state

Article ID: 330540

Products

VMware NSX

Issue/Introduction

Symptoms:
  • NSX-T Data Center 3.2.1 or earlier.
  • A DFW section contains a rule of the form:

From "<Group A>" To "Not <Group A>" Applied to "<Group A>" Action "<allow/drop/reject>"

  • "<Group A>" is referenced by only that one rule.
  • vmkernel.log on the impacted ESXi host reports errors similar to the following (the rule is rejected by the packet filter ioctl, and the host then rolls back the rule sets it had already staged):

2022-04-29T10:03:28.816Z cpu25:2148329)pfioctl: DIOCADDRULE failed with error 22
2022-04-29T10:03:28.816Z cpu25:2148329)VSIPConversionCreateRuleSet: Cannot insert #358 rule 1432: 22
2022-04-29T10:03:28.816Z cpu25:2148329)pf_rollback_rules: rs_num: 1, anchor: mainrs
2022-04-29T10:03:28.816Z cpu25:2148329)pf_rollback_rules: rs_num: 2, anchor: mainrs
2022-04-29T10:03:28.816Z cpu25:2148329)pf_rollback_rules: rs_num: 4, anchor: mainrs
2022-04-29T10:03:28.816Z cpu25:2148329)pf_rollback_rules: rs_num: 5, anchor: mainrs
2022-04-29T10:03:28.816Z cpu25:2148329)pf_rollback_rules: rs_num: 6, anchor: mainrs
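When you have to check many hosts (or a support bundle) for this signature, grepping for "DIOCADDRULE" alone tells you little. The following Python script is an added example, not part of this article and not VMware tooling: it parses vmkernel.log text, ties the DIOCADDRULE error to the section and rule that VSIPConversionCreateRuleSet could not insert, and collects the rule sets the host rolled back afterwards. The sample log block is constructed from the lines quoted above plus one unrelated line; the function names, the event structure and the errno-to-EINVAL label are the example's own choices, not documented NSX internals.

```python
import re

# Constructed sample: the vmkernel.log lines quoted in this article plus one
# unrelated line, to show that the parser ignores noise. Not a real capture.
SAMPLE_LOG = """\
2022-04-29T10:03:28.816Z cpu25:2148329)pfioctl: DIOCADDRULE failed with error 22
2022-04-29T10:03:28.816Z cpu25:2148329)VSIPConversionCreateRuleSet: Cannot insert #358 rule 1432: 22
2022-04-29T10:03:28.816Z cpu25:2148329)pf_rollback_rules: rs_num: 1, anchor: mainrs
2022-04-29T10:03:28.816Z cpu25:2148329)pf_rollback_rules: rs_num: 2, anchor: mainrs
2022-04-29T10:03:28.816Z cpu25:2148329)pf_rollback_rules: rs_num: 4, anchor: mainrs
2022-04-29T10:03:28.816Z cpu25:2148329)pf_rollback_rules: rs_num: 5, anchor: mainrs
2022-04-29T10:03:28.816Z cpu25:2148329)pf_rollback_rules: rs_num: 6, anchor: mainrs
2022-04-29T10:03:29.001Z cpu3:2148329)SomeOtherModule: unrelated message
"""

# Generic vmkernel.log line shape: "<ts> cpu<N>:<world>)<function>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) cpu(?P<cpu>\d+):(?P<world>\d+)\)(?P<func>[A-Za-z_]+): (?P<msg>.*)$"
)
ADDRULE_RE = re.compile(r"DIOCADDRULE failed with error (?P<errno>\d+)")
INSERT_RE = re.compile(r"Cannot insert #(?P<section>\d+) rule (?P<rule>\d+): (?P<errno>\d+)")
ROLLBACK_RE = re.compile(r"rs_num: (?P<rs>\d+), anchor: (?P<anchor>\S+)")

# errno 22 is EINVAL on POSIX systems; the label is for readability only (assumption).
ERRNO_NAMES = {22: "EINVAL"}


def _new_event(ts, world, errno):
    return {"ts": ts, "world": world, "errno": errno,
            "section": None, "rule": None, "rolled_back": []}


def parse_dfw_failures(log_text):
    """Group the three log signatures into failure events.

    A DIOCADDRULE error opens an event; the following VSIPConversionCreateRuleSet
    line from the same world records which section/rule could not be inserted;
    later pf_rollback_rules lines from that world record the rule sets the host
    rolled back. Lines from other worlds or functions are ignored.
    """
    events = []
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, world, func, msg = m.group("ts", "world", "func", "msg")
        if func == "pfioctl":
            a = ADDRULE_RE.search(msg)
            if a:
                current = _new_event(ts, world, int(a.group("errno")))
                events.append(current)
        elif func == "VSIPConversionCreateRuleSet":
            i = INSERT_RE.search(msg)
            if i:
                if current is None or current["world"] != world:
                    # Insert failure without a preceding ioctl error: still an event.
                    current = _new_event(ts, world, int(i.group("errno")))
                    events.append(current)
                current["section"] = int(i.group("section"))
                current["rule"] = int(i.group("rule"))
        elif func == "pf_rollback_rules" and current is not None and current["world"] == world:
            r = ROLLBACK_RE.search(msg)
            if r:
                current["rolled_back"].append(int(r.group("rs")))
    return events


def host_is_impacted(log_text):
    """True when a rule insert failed and the host rolled rule sets back, which is
    the combination this article describes (a lone ioctl error is not enough)."""
    return any(ev["rule"] is not None and ev["rolled_back"]
               for ev in parse_dfw_failures(log_text))


def describe(event):
    name = ERRNO_NAMES.get(event["errno"], "errno %d" % event["errno"])
    return ("%s world %s: rule %s in section #%s rejected (%s); rolled back rule sets %s"
            % (event["ts"], event["world"], event["rule"], event["section"], name,
               event["rolled_back"]))


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ev in parse_dfw_failures(text):
        print(describe(ev))
    print("impacted:", host_is_impacted(text))
```

Run it against a copy of /var/log/vmkernel.log taken from each suspect host; the section number and rule ID in the output are what you compare against the sections shown as "Failed" in the NSX Manager UI, and the rolled-back rule set numbers tell you how much of the staged configuration the host discarded.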


Environment

VMware NSX-T Data Center

Cause

This issue is caused by a filter programming error that occurs during DFW reconfiguration when both of the following conditions are met:
  • A DFW rule references a group that, so far, has been applied to only one filter (DFW filters are instantiated per vNIC).
  • The same rule is then applied to a different filter.
When the rule set fails to program on the host, the host rolls the change back (the pf_rollback_rules entries in vmkernel.log) and the DFW sections containing the affected rules can go to a "Failed" state.

Resolution

This issue will be resolved in a future release of NSX-T Data Center.


Workaround:
Each of the known workarounds forces the DFW configuration to be republished to the hosts:
  • Toggle logging on any existing DFW rule, publish the change, then revert it and publish again.
  • Disable any existing DFW rule and publish, then re-enable the rule and publish again.
  • Change the name of a DFW component (for example a rule name) and publish the change.
After publishing, confirm that the affected sections no longer show "Failed" in the NSX Manager UI and that no new DIOCADDRULE or pf_rollback_rules entries appear in vmkernel.log on the impacted host.