DFW Rule publish operation failed with service profile configuration in existing firewall rules in 6.4.7

Article ID: 332499

Products

VMware NSX

Issue/Introduction

Symptoms:
This issue occurs when all of the following conditions are met:
  • You are using Distributed Firewall rules that reference two or more service profiles whose port definitions begin or end with a port range.
  • You are running NSX-v 6.4.7 (build 6.4.7-16509800 only).
When they are met, you observe one of the following:
  • The firewall publish operation fails in the NSX UI when adding or modifying firewall configuration in which port ranges of different services in the same rule overlap.
  • Where the port ranges of the services do not overlap, the publish succeeds but the rules realized on the virtual machines are missing ports: a port range in the second or later service is collapsed to its two endpoint ports.

Cause

  • The issue is encountered when a Layer 3 firewall rule references two or more services whose definitions combine individual port numbers and port ranges using the same protocol (TCP or UDP).
  • The first service listed in the UI is realized correctly unless one of its ranges overlaps a range in another service of the rule.
  • The issue also applies to a firewall rule whose service is specified as 'Raw Port-Protocol', or as a combination of a named Service and 'Raw Port-Protocol'.

Example 1: Overlapping Port Ranges
Configure Service Name_A: Layer 3, protocol TCP (or UDP), Source/Destination ports: 2300-6000, 440, 443, 2100

Configure Service Name_B: Layer 3, protocol TCP (or UDP), Source/Destination ports: 2300-6000, 6443, 7447, 300-600

The range 2300-6000 appears in both services, so publishing a rule that references both fails.



On the ESXi host:

The following entries in /var/log/vmkernel.log show the firewall publish failing on the host:

2020-08-01T00:08:24.797Z cpu0:1068617)VSIPConversionCreateRuleSet: Cannot insert #1 rule 1294: 22
2020-08-01T00:08:24.798Z cpu0:1068617)VSIPConversionCreateRuleSet: Cannot insert #1 rule 1294: 22
2020-08-01T00:08:24.799Z cpu0:1068617)VSIPConversionCreateRuleSet: Cannot insert #1 rule 1294: 22
2020-08-01T00:32:36.979Z cpu0:1068617)VSIPConversionCreateRuleSet: Cannot insert #1 rule 1294: 22


Example 2: Without Overlapping Ranges

This example shows two services with no overlapping ranges. The first (Name_A) has a port range (1-10) that is realized correctly; the second (Name_B) has a port range (100-200) that is misinterpreted as a list of two individual ports.

Configure Service Name_A: Layer 3, protocol TCP (or UDP), Source/Destination ports: 1-10, 5, 20

Configure Service Name_B: Layer 3, protocol TCP (or UDP), Source/Destination ports: 100-200, 500

The resulting rule on the host contains the ports 1-10, 5, 20, 100, 200, 500. The ports inside the range 100-200 (101-199) are not set, and no error is logged.
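The following Python script is an added example, not part of this article or of NSX. It models the behaviour the two examples above describe so that a rule's service profiles can be audited before publishing on an affected 6.4.7 host: it expands what the administrator intended, emulates the faulty realization (first service keeps its ranges, later services collapse each range to its endpoints, overlapping cross-service ranges make the publish fail) and reports the ports that would silently go missing. The emulation and the range-versus-range overlap test are assumptions reconstructed from Examples 1 and 2, and the service tuples are constructed from the article's examples; the script treats a service's port list as a single list and does not distinguish source from destination ports.

```python
# Added example: audits DFW service profiles against the port-handling bug
# described for NSX-v 6.4.7. The realization emulated here is reconstructed
# from the KB examples (an assumption), not taken from NSX code.
from itertools import combinations


def parse_ports(spec):
    """Parse a UI-style port spec such as "2300-6000, 440,443,2100".

    Returns (singles, ranges): a set of single ports and a list of inclusive
    (lo, hi) ranges, kept apart because the bug treats them differently.
    """
    singles, ranges = set(), []
    for tok in (t.strip() for t in spec.split(",")):
        if not tok:
            continue
        if "-" in tok:
            lo, hi = (int(x) for x in tok.split("-", 1))
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"bad port range: {tok}")
            ranges.append((lo, hi))
        else:
            port = int(tok)
            if not 1 <= port <= 65535:
                raise ValueError(f"bad port: {tok}")
            singles.add(port)
    return singles, ranges


def intended_ports(services):
    """Ports the administrator meant, per protocol: every range fully expanded."""
    out = {}
    for _name, proto, spec in services:
        singles, ranges = parse_ports(spec)
        ports = out.setdefault(proto, set())
        ports |= singles
        for lo, hi in ranges:
            ports.update(range(lo, hi + 1))
    return out


def ranges_overlap(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def realized_ports_6_4_7(services):
    """Emulate what the KB says 6.4.7 realizes for a rule with several services.

    - Ranges in two different services of the same protocol that overlap make
      the publish fail on the host (KB Example 1); modelled here as raising.
    - The first service of each protocol keeps its ranges; a range in any later
      service collapses to its two endpoints (KB Example 2: 100-200 -> 100, 200).
    """
    parsed = [(name, proto, *parse_ports(spec)) for name, proto, spec in services]
    for (na, pa, _, ra), (nb, pb, _, rb) in combinations(parsed, 2):
        if pa == pb and any(ranges_overlap(x, y) for x in ra for y in rb):
            raise RuntimeError(
                f"publish fails: overlapping {pa} ranges between {na} and {nb}")
    out, first_seen = {}, set()
    for _name, proto, singles, ranges in parsed:
        ports = out.setdefault(proto, set())
        ports |= singles
        for lo, hi in ranges:
            if proto not in first_seen:
                ports.update(range(lo, hi + 1))  # first service: range kept
            else:
                ports.update((lo, hi))          # later service: endpoints only
        first_seen.add(proto)
    return out


def missing_ports(services):
    """Ports silently dropped on the host, per protocol (empty dict if none)."""
    want, got = intended_ports(services), realized_ports_6_4_7(services)
    gaps = {}
    for proto, ports in want.items():
        diff = ports - got.get(proto, set())
        if diff:
            gaps[proto] = sorted(diff)
    return gaps


def split_per_service(services):
    """KB workaround: one rule per service profile, so no rule has two services."""
    return [[svc] for svc in services]


# Constructed from the KB examples: (service name, protocol, port spec as typed).
EXAMPLE_1 = [  # overlapping range 2300-6000 in both services -> publish fails
    ("Name_A", "TCP", "2300-6000, 440,443,2100"),
    ("Name_B", "TCP", "2300-6000,6443,7447,300-600"),
]
EXAMPLE_2 = [  # no overlap, but Name_B's range 100-200 collapses to 100, 200
    ("Name_A", "TCP", "1-10, 5, 20"),
    ("Name_B", "TCP", "100-200, 500"),
]

if __name__ == "__main__":
    try:
        realized_ports_6_4_7(EXAMPLE_1)
    except RuntimeError as err:
        print("Example 1:", err)
    gaps = missing_ports(EXAMPLE_2)["TCP"]
    print(f"Example 2: {len(gaps)} TCP ports missing on host ({gaps[0]}-{gaps[-1]})")
    for rule in split_per_service(EXAMPLE_2):
        assert not missing_ports(rule), rule
    print("Workaround: per-service rules realize every intended port")
```

Running the script reports that Example 1 would fail to publish, that Example 2 would realize without ports 101-199, and that splitting the rule per service (the workaround below) leaves no gap. Because the collapsed range produces no log entry, a comparison of intended versus realized ports like this one, or inspection of the realized rule on the host, is the only way to notice the missing ports.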

Resolution

This is a known issue with VMware NSX Data Center for vSphere 6.4.7. The issue is resolved with VMware NSX Data Center for vSphere 6.4.8.

Workaround:
Create each firewall rule with only one service profile, and add a separate rule for each additional service profile or raw port-protocol set.

Additional Information

Impact/Risks:
  • With overlapping port ranges, the DFW rule publish operation fails on all DFW-enabled ESXi hosts.
  • Without overlapping port ranges, the rules realized on the hosts may be missing service ports, with no warning or log message, so traffic on the dropped ports is not matched by the rule.