DFW Rule publish operation failed with service profile configuration in existing firewall rules in 6.4.7
search cancel

DFW Rule publish operation failed with service profile configuration in existing firewall rules in 6.4.7

book

Article ID: 332499

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

Provided you are meeting these certain conditions, 

  • If you are using Distributed Firewall with rules that contain multiple service profiles starting or ending with port ranges.
  • If you are running NSX-v 6.4.7 (version 6.4.7-16509800 only) build.

Then you observe the following symptoms:

  • Firewall Publish operation fails in NSX UI, when adding or modifying the firewall configuration when the port ranges are overlapping.
  • Firewall rules are not realized on virtual machines where there is not overlapping port ranges between services

​​​

Cause

  • The issue is encountered when a firewall rule is configured with service groups (2 or more) with a combination of port numbers and port ranges with Layer 3, using the same protocol type - TCP or UDP.
  • The first configured service that is shown in the UI is not impacted unless there is an overlapping range.
  • The issue also applies to a Firewall rule with a Service configured with 'Raw Port-Protocol' or a combination of Service name and 'Raw Port-Protocol' in the rule. 


Example 1: Overlapping Port Ranges

Configure Service Name_A: Layer 3, select 'protocol' is TCP (UDP), Source Ports/Destination ports: 2300-6000, 440,443,2100

Configure Service Name_B: Layer 3, select 'protocol' is TCP (UDP), Source Ports/Destination ports: 2300-6000,6443,7447,300-600




On the ESXi host:

This log shows that the Firewall publishing is failing on the ESXi host:
/var/log/vmkernel.log

2020-08-01T00:08:24.797Z cpu0:1068617)VSIPConversionCreateRuleSet: Cannot insert #1 rule 1294: 22
2020-08-01T00:08:24.798Z cpu0:1068617)VSIPConversionCreateRuleSet: Cannot insert #1 rule 1294: 22
2020-08-01T00:08:24.799Z cpu0:1068617)VSIPConversionCreateRuleSet: Cannot insert #1 rule 1294: 22
2020-08-01T00:32:36.979Z cpu0:1068617)VSIPConversionCreateRuleSet: Cannot insert #1 rule 1294: 22

Example 2: Without Overlapping Ranges

This example demonstrates the situation where there are two services. The first one (Name_A) having a port range (1-10) and the second (Name_B) having a port range (100-200) which will be misinterpreted as a list of ports. 
 

Configure Service Name_A: Layer 3, select 'protocol' is TCP (UDP), Source Ports/ Destination ports: 1-10, 5, 20.

Configure Service Name_B: Layer 3, select 'protocol' is TCP (UDP), Source Ports/ Destination ports: 100-200, 500.


The resulting rule on the host will be 1-10, 5, 20, 100, 200, 500. The ports between the range 100-200 (101-199) is not set. 

Resolution

This is a known issue with VMware NSX Data Center for vSphere 6.4.7. The issue is resolved with VMware NSX Data Center for vSphere 6.4.8.

Workaround:
Create firewall rule with only 1 service profile, add additional rules for each additional service profile or raw port-protocol set.

Additional Information

Impact/Risks:
DFW Firewall rule publish operation will fail on all DFW enabled ESXi hosts.

Or

Rules realized on host may have missing service ports without warning/ log message.

Powered by Wolken Software