Updating Policy Security Group with invalid VIF external_id changes groups status to DOWN

Article ID: 336989


Updated On:

Products

VMware NSX

Issue/Introduction

This KB provides a validated approach to fix such issues.

Symptoms:
A Group with VIF/VM static members is shown as "Failed" on the UI.
If a group is created via API with the request body below, in which the VM ID specified in the "ExternalIDExpression" is not a valid VM ID, the group creation API call succeeds, but on the UI the status is shown as "Failed".
Request body:
{
  "expression" : [
  {
    "member_type" : "VirtualMachine",
    "external_ids" : [ "invalid-vm-id" ],
    "resource_type" : "ExternalIDExpression"
  }
  ],
  "resource_type" : "Group",
  "id" : "test",
  "display_name" : "test"
}

Group on UI


Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Environment

VMware NSX-T Data Center
VMware NSX-T Data Center 2.5.x

Cause

This issue occurs because Policy does not have the VM details when the group is created. The group is therefore created successfully on Policy, but validation fails while it is being created on the Management Plane (MP), because the MP has the list of valid VM IDs.

Resolution

There is no resolution as of now.

Workaround:
From API:
Update the group by explicitly removing the invalid VM/VIF id from the group.
Method: PUT or PATCH
URL: https://<NSX-IP>/policy/api/v1/infra/domains/<domain-id>/groups/<groups-id>
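
The following is an added example, not part of the original KB or VMware's own code: a Python helper that builds the request body for the PUT or PATCH call above by dropping external IDs that are not in a known-good set. The function name, the sample IDs and the source of the valid-ID set (assumed to be taken from the NSX inventory) are assumptions.

```python
import copy
import json

# Constructed sample: the page's request body extended with one ID assumed valid.
SAMPLE_GROUP = {
    "expression": [
        {"member_type": "VirtualMachine", "resource_type": "ExternalIDExpression",
         "external_ids": ["constructed-valid-vm-id", "invalid-vm-id"]},
        {"resource_type": "ConjunctionOperator", "conjunction_operator": "OR"},
        {"member_type": "VirtualNetworkInterface", "resource_type": "ExternalIDExpression",
         "external_ids": ["invalid-vif-id"]},
    ],
    "resource_type": "Group", "id": "test", "display_name": "test",
}
VALID_IDS = {"constructed-valid-vm-id"}  # assumed to come from the NSX inventory


def strip_invalid_external_ids(group, valid_ids):
    """Return (cleaned_group, removed_ids); the input group is not modified."""
    cleaned = copy.deepcopy(group)
    kept, removed = [], []
    for expr in cleaned.get("expression", []):
        if expr.get("resource_type") == "ExternalIDExpression":
            ids = expr.get("external_ids", [])
            removed += [i for i in ids if i not in valid_ids]
            expr["external_ids"] = [i for i in ids if i in valid_ids]
            if not expr["external_ids"]:
                # Nothing valid left: drop the expression and the operator before it.
                if kept and kept[-1].get("resource_type") == "ConjunctionOperator":
                    kept.pop()
                continue
        kept.append(expr)
    # If the first expression was dropped, an operator is left at the front.
    while kept and kept[0].get("resource_type") == "ConjunctionOperator":
        kept.pop(0)
    cleaned["expression"] = kept
    return cleaned, removed


if __name__ == "__main__":
    body, removed = strip_invalid_external_ids(SAMPLE_GROUP, VALID_IDS)
    print("removed:", removed)
    print(json.dumps(body, indent=2))  # body for the PUT/PATCH request
```

Review the list of removed IDs before sending the cleaned body, so that a valid member missing from the supplied set is not silently dropped from the group.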

From UI:
1. Open the group for editing.
2. Click on the "Compute members" for the group.
3. Without making any changes, click apply.
4. Click save to update the group.

This removes the invalid VM/VIF as UI filters out that particular VM/VIF.

Additional Information

Impact/Risks:
No impact/Risks.