Publishing a firewall rule fails after setting layer2RuleOptimize to FALSE through the API in NSX-v
Article ID: 336638
Products
VMware vDefend Firewall
Issue/Introduction
Symptoms: After setting layer2RuleOptimize to FALSE with a PUT to the NSX Manager API https://NSXMGR_IP/api/4.0/firewall/config/globalconfiguration, you see these symptoms:
Publishing a firewall rule fails.
In the vsfwd.log file on the ESXi host, you see entries similar to:
2018-01-11T00:00:25Z vsfwd: [INFO] Received vsa message of GlobalConfiguration, length 8
2018-01-11T00:00:25Z vsfwd: [INFO] gVsaMsgCount 1
2018-01-11T00:00:25Z vsfwd: [INFO] Processing vsa message of GlobalConfiguration, length 8
2018-01-11T00:00:25Z vsfwd: [INFO] Change global config - L3 rule optimization: on
2018-01-11T00:00:25Z vsfwd: [INFO] Saved global config file /etc/vmware/vsfwd/vsip_global_config.dat
2018-01-11T00:00:25Z vsfwd: [INFO] Applied global config
2018-01-11T00:00:27Z vsfwd: [INFO] Received vsa message of RuleSet, length 1619
2018-01-11T00:00:27Z vsfwd: [INFO] gVsaMsgCount 1
2018-01-11T00:00:27Z vsfwd: [INFO] Processing vsa message of RuleSet, length 1619
2018-01-11T00:00:27Z vsfwd: [INFO] Free existing ruleset config
2018-01-11T00:00:27Z vsfwd: [WARN] ruleset action is not replace: 3
2018-01-11T00:00:27Z vsfwd: [INFO] L2 rule optimization is enabled
2018-01-11T00:00:27Z vsfwd: [INFO] loaded ruleset
2018-01-11T00:00:27Z vsfwd: [INFO] L3 rule optimization is enabled
2018-01-11T00:00:27Z vsfwd: [INFO] Applied shared addrsets of gen number 1515621648594
2018-01-11T00:00:27Z vsfwd: [INFO] Applying firewall config to vnic list on host host-21
2018-01-11T00:00:27Z vsfwd: [INFO] Applied RuleSet 1515621648594 on vnic ########-####-####-####-########4091.000
2018-01-11T00:00:27Z vsfwd: [INFO] Applied RuleSet 1515621648594 on vnic ########-####-####-####-########2029.000
2018-01-11T00:00:27Z vsfwd: [INFO] Applied RuleSet 1515621648594 for all vnics
2018-01-11T00:00:27Z vsfwd: [INFO] Compressed config data from 1619 to 558 bytes
2018-01-11T00:00:27Z vsfwd: [INFO] Successfully saved config to file /etc/vmware/vsfwd/vsipfw_ruleset.dat
2018-01-11T00:00:27Z vsfwd: [INFO] loaded addrset
2018-01-11T00:00:27Z vsfwd: [INFO] Config data of 19 bytes was not compressed
2018-01-11T00:00:27Z vsfwd: [INFO] Successfully saved config to file /etc/vmware/vsfwd/vsipfw_ruleset.dat_update
2018-01-11T00:00:27Z vsfwd: [INFO] cleanup protobuf
2018-01-11T00:00:27Z vsfwd: [INFO] cleanup protobuf
2018-01-11T00:00:27Z vsfwd: [INFO] Sending vsa reply of domain-c19 host host-21: 0
Note: The preceding log excerpt is only an example. Date, time, and environment-specific values such as the host ID, cluster ID, vnic IDs and generation number vary by environment. What to look for is the RuleSet the host processes right after the global configuration change: it still logs "L2 rule optimization is enabled" even though layer2RuleOptimize was set to FALSE through the API.
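The check below is an added example for this article (it is not VMware code and not part of the original knowledge base entry). It parses a vsfwd.log excerpt, pairs each global configuration change with the RuleSet publish that follows it, and flags any publish whose reported L2 rule-optimization state disagrees with the value the operator just PUT to the globalconfiguration API; it also collects the WARN entries logged during that publish. It assumes the entry shape shown above, "<ISO timestamp> vsfwd: [<LEVEL>] <message>", and that the "L2 rule optimization is enabled/disabled" line logged while a RuleSet is processed is the state the host applies to that RuleSet. The embedded sample is a constructed subset of the excerpt quoted above, with the vnic IDs masked as the article masks them.

```python
"""Flag a RuleSet publish in vsfwd.log whose L2 rule-optimization state does
not match the layer2RuleOptimize value just set through the NSX Manager API.

Added example, not VMware tooling. Assumes the vsfwd.log entry shape
'<ISO timestamp> vsfwd: [<LEVEL>] <message>' seen in the article's excerpt.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a subset of the entries quoted in the article, one per
# line, with the vnic UUIDs masked the way the article masks them.
SAMPLE_LOG = """\
2018-01-11T00:00:25Z vsfwd: [INFO] Received vsa message of GlobalConfiguration, length 8
2018-01-11T00:00:25Z vsfwd: [INFO] Processing vsa message of GlobalConfiguration, length 8
2018-01-11T00:00:25Z vsfwd: [INFO] Change global config - L3 rule optimization: on
2018-01-11T00:00:25Z vsfwd: [INFO] Applied global config
2018-01-11T00:00:27Z vsfwd: [INFO] Received vsa message of RuleSet, length 1619
2018-01-11T00:00:27Z vsfwd: [INFO] Processing vsa message of RuleSet, length 1619
2018-01-11T00:00:27Z vsfwd: [WARN] ruleset action is not replace: 3
2018-01-11T00:00:27Z vsfwd: [INFO] L2 rule optimization is enabled
2018-01-11T00:00:27Z vsfwd: [INFO] L3 rule optimization is enabled
2018-01-11T00:00:27Z vsfwd: [INFO] Applied shared addrsets of gen number 1515621648594
2018-01-11T00:00:27Z vsfwd: [INFO] Applied RuleSet 1515621648594 on vnic ########-####-####-####-########4091.000
2018-01-11T00:00:27Z vsfwd: [INFO] Applied RuleSet 1515621648594 on vnic ########-####-####-####-########2029.000
2018-01-11T00:00:27Z vsfwd: [INFO] Applied RuleSet 1515621648594 for all vnics
2018-01-11T00:00:27Z vsfwd: [INFO] Sending vsa reply of domain-c19 host host-21: 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) vsfwd: "
    r"\[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)


@dataclass
class RuleSetPublish:
    """What the host reported while processing one RuleSet message."""
    started: str                       # timestamp of 'Processing vsa message of RuleSet'
    generation: Optional[str] = None   # from 'Applied RuleSet <generation> on vnic ...'
    l2_optimize: Optional[bool] = None
    l3_optimize: Optional[bool] = None
    vnics_applied: int = 0
    warnings: List[str] = field(default_factory=list)


def parse_entries(text: str) -> List[Tuple[str, str, str]]:
    """Split the log into (timestamp, level, message); lines of another shape are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m["ts"], m["level"], m["msg"]))
    return entries


def analyze(text: str, expect_l2_optimize: bool):
    """Return (global config change entries, RuleSet publishes, findings).

    expect_l2_optimize is the layer2RuleOptimize value the operator just PUT
    to the API; a finding is raised for every publish that reports otherwise.
    """
    config_changes: List[Tuple[str, str]] = []
    publishes: List[RuleSetPublish] = []
    current: Optional[RuleSetPublish] = None

    for ts, level, msg in parse_entries(text):
        if msg.startswith("Change global config"):
            config_changes.append((ts, msg))
        elif msg.startswith("Processing vsa message of RuleSet"):
            current = RuleSetPublish(started=ts)
            publishes.append(current)
        elif current is None:
            continue                      # not inside a RuleSet publish
        elif level == "WARN":
            current.warnings.append(msg)
        elif msg.startswith("L2 rule optimization is "):
            current.l2_optimize = msg.endswith("enabled")
        elif msg.startswith("L3 rule optimization is "):
            current.l3_optimize = msg.endswith("enabled")
        elif msg.startswith("Applied RuleSet ") and " on vnic " in msg:
            current.generation = msg.split()[2]
            current.vnics_applied += 1
        elif msg.startswith("Sending vsa reply"):
            current = None                # host answered the manager; publish complete

    want = "enabled" if expect_l2_optimize else "disabled"
    findings = []
    for p in publishes:
        if p.l2_optimize is not None and p.l2_optimize != expect_l2_optimize:
            got = "enabled" if p.l2_optimize else "disabled"
            findings.append(f"{p.started} RuleSet {p.generation}: host reports L2 rule "
                            f"optimization {got}, expected {want} after the API change")
    return config_changes, publishes, findings


if __name__ == "__main__":
    changes, publishes, findings = analyze(SAMPLE_LOG, expect_l2_optimize=False)
    for ts, msg in changes:
        print(f"global config change at {ts}: {msg}")
    for p in publishes:
        print(f"RuleSet {p.generation}: {p.vnics_applied} vnics, L2 opt={p.l2_optimize}, "
              f"L3 opt={p.l3_optimize}, warnings={p.warnings}")
    for f in findings:
        print("MISMATCH:", f)
```

Run it against a copy of /var/log/vsfwd.log from an affected host with the value you set through the API; a MISMATCH line on the publish that follows the global configuration change is the symptom this article describes, and the publish that follows a force sync should report the expected state.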
Environment
VMware NSX Data Center for vSphere (NSX-v) 6.4.x
Cause
This issue occurs because NSX Manager does not re-publish the firewall rules immediately after the global configuration (layer2RuleOptimize) is changed through the API call, so the hosts keep running the ruleset published under the previous setting.
Resolution
This issue is resolved in VMware NSX Data Center for vSphere 6.4.2.
Workaround: Perform a force sync of the Distributed Firewall on the affected cluster(s), which pushes the current firewall configuration, including the global configuration, to the hosts. For more information, see the Force Sync Distributed Firewall Rules section of the NSX Administration Guide.