The LB application rule with the SNI keyword inside fails in NSX for vSphere 6.4.6

Article ID: 336536

Products

VMware NSX

Issue/Introduction

During an upgrade to NSX for vSphere 6.4.6 with an SNI-related rule in place, or when you create or configure a new SNI-related rule in this version, you experience these symptoms:

  • The upgrade fails.
  • The creation or the configuration of the related rule fails.

Environment

VMware NSX for vSphere 6.4.x

Cause

This issue occurs because SNI rules that use the keywords req_ssl_sni, req.ssl_sni, ssl_fc_sni, or ssl_fc_has_sni are broken in NSX for vSphere 6.4.6.

The regular expression used in 6.4.6 to support SNI expressions in LB application rules is not strict enough.

Resolution

This issue is resolved in VMware NSX Data Center for vSphere 6.4.7, available at Broadcom Downloads.
If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.

To work around this issue:

  1. Log in to the NSX Edge as root.
  2. Change line 879 in /opt/vmware/vshield/Plugins/features/lb/lb.pm to:
     
    879 @indexes = grep { $script->[$_] =~ /^sni +.+/ } 0..$#$script;