Troubleshooting issues with Service Composer in NSX 6.x

Article ID: 339115


Products

VMware NSX VMware vDefend Firewall

Issue/Introduction

This article provides information on understanding and troubleshooting issues with Service Composer in VMware NSX for vSphere 6.x.
 
For more information, see the Service Composer section in the VMware NSX Data Center for vSphere Administration Guide.
  • Service Composer in VMware NSX for vSphere 6.x goes out of sync.
  • Service Composer fails to push Firewall rule.
  • Sync status is not displayed while creating or editing a security policy.
  • Mapping Trend Service to Data Security in Import wizard fails.

Note: For additional symptoms and log entries, see the Additional Information section.

Environment

VMware NSX for vSphere 6.x

Cause

This issue occurs when:
  • A policy refers to an object that is invalid or deleted.
  • User attempts to delete an object referenced in Service Composer.

    Note: You may receive a warning indicating that the configuration referencing this object may become invalid. You can choose to force delete the object.

    The referenced objects can be:

    • Security Group
    • Service / Service Group
    • Service Profiles

Resolution

To troubleshoot this issue, check the NSX Manager logs and grep for the string "Marking Service Composer Firewall configuration as out of sync". This string always accompanies the exception that caused Service Composer to go out of sync. You see an exception similar to:

2015-05-11 09:19:29.675 EST ERROR TaskFrameworkExecutor-11 FirewallConfigurationSyncService:290 - Update operation for SG apply has failed. Marking Service Composer Firewall config as out of sync.
com.vmware.vshield.vsm.exceptions.ObjectNotFoundException:core-services:202:The requested object : 501d40e1-####-####-############.000 could not be found. Object identifiers are case sensitive.

Note: This exception indicates that Service Composer is out of sync.
 
When the Service Composer is out of sync, it stops pushing any more changes to the firewall until a user force synchronizes it with the firewall. Even if it pushes the configuration, the firewall or the guest introspection rejects it.

Service Composer may go out of sync during a Security Group (SG) modify event.

For example:

A virtual NIC (vNIC) is deleted after Service Composer prepares a Data Transfer Object (DTO) and sends the DTO to the Firewall, and the DTO contains a reference to the deleted virtual NIC. When the Firewall validates this DTO, the validation fails and the Firewall throws an exception, which causes Service Composer to go out of sync. You see entries similar to:

2015-05-05 11:43:49.807 GMT ERROR DCNPool-4 FirewallConfigurationSyncService:399 - Section update operation has failed. Marking Service Composer Firewall config as out of sync.
org.springframework.integration.MessageHandlingException: com.vmware.vshield.vsm.exceptions.ObjectNotFoundException:
core-services:202:The requested object : securitygroup-98 could not be found. Object identifiers are case sensitive.


Here, a Security Group with object ID securitygroup-98 was not found while performing the section update operation.
To resolve the issue, investigate and determine which configuration references the invalid Security Group, and identify whether it is a policy definition or a firewall rule.

After resolving the invalid policy and firewall rules, you must synchronize the firewall from the Service Composer user interface (UI). For more information, see the Working with Firewall Configurations section in the VMware NSX Data Center for vSphere Administration Guide.
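
The log check described above, as an added example that is not part of the original article or of any VMware tooling: a Python script that scans exported NSX Manager log text for the out-of-sync marker and extracts the failed operation and the ID of the object that could not be found. The function name, result fields and regular expressions are assumptions derived from the log excerpts in this article; the sample input reuses those excerpts (the INFO line is shortened).

```python
import re

# Record start: "<date> <time> <tz> <LEVEL> <thread> <Class:line> - <message>"
RECORD = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3} \S+) (?P<level>[A-Z]+) "
                    r"\S+ (?P<source>\S+) - ?(?P<msg>.*)$")
# Searching on "config" matches both the "config" and "configuration" wordings.
MARKER = "Marking Service Composer Firewall config"
MISSING = re.compile(r"The requested object : (\S+) could not be found")
OPERATION = re.compile(r"([A-Z][\w ]*? operation[\w ]*?) has failed")

def find_out_of_sync(lines):
    """Return one dict per out-of-sync event, with the missing object ID if logged."""
    records, current = [], None
    for raw in lines:
        line = raw.strip()
        m = RECORD.match(line)
        if m:                        # a timestamped line starts a new record
            current = m.groupdict()
            records.append(current)
        elif current and line:       # continuation line: exception text
            current["msg"] += " " + line
    events = []
    for rec in records:
        if MARKER not in rec["msg"]:
            continue
        obj, op = MISSING.search(rec["msg"]), OPERATION.search(rec["msg"])
        events.append({"time": rec["ts"], "source": rec["source"],
                       "operation": op.group(1) if op else None,
                       "missing_object": obj.group(1) if obj else None})
    return events

# Sample input taken from the excerpts in this article.
SAMPLE = """\
2015-05-11 09:19:29.675 EST ERROR TaskFrameworkExecutor-11 FirewallConfigurationSyncService:290 -
Update operation for SG apply has failed. Marking Service Composer Firewall config as out of sync.
com.vmware.vshield.vsm.exceptions.ObjectNotFoundException:
core-services:202:The requested object : 501d40e1-####-####-############.000 could not be found.
Object identifiers are case sensitive.
2015-05-05 11:43:49.807 GMT ERROR DCNPool-4 FirewallConfigurationSyncService:399 - Section update operation has failed. Marking Service Composer Firewall config as out of sync.
org.springframework.integration.MessageHandlingException: com.vmware.vshield.vsm.exceptions.ObjectNotFoundException:
core-services:202:The requested object : securitygroup-98 could not be found. Object identifiers are case sensitive.
2015-07-30 10:57:19.273 GMT INFO http-nio-127.0.0.1-7441-exec-1 EndpointSecurityActionConverter:277 - DTO received for import
"""

if __name__ == "__main__":
    for event in find_out_of_sync(SAMPLE.splitlines()):
        print(event)
```

The reported `missing_object` value is the identifier to look for in policy definitions and firewall rules before forcing a synchronization.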



Additional Information

You experience these additional symptoms:

  • When you run the show log command on the NSX Manager console, you see entries similar to:

    2015-07-30 10:57:19.273 GMT INFO http-nio-127.0.0.1-7441-exec-1 EndpointSecurityActionConverter:277 - DTO received for import : EndpointSecurityActionDto [serviceName=VMware Data Security, serviceId=null, invalidServiceId=false, vendorTemplateName=null, vendorTemplateId=null, invalidVendorTemplateId=false, serviceProfile=BasicDomainObjectInfo [objectId=null, type=null, name=null, description=null, revision=0, objectTypeName=null, vsmUuid=null], invalidServiceProfile=false]
    2015-07-30 10:57:19.368 GMT WARN http-nio-127.0.0.1-7441-exec-1 RemoteInvocationTraceInterceptor:87 - Processing of VsmHttpInvokerServiceExporter remote call resulted in fatal exception: com.vmware.vshield.vsm.policy.facade.SecurityPolicyFacade.importHierarchy
    com.vmware.vshield.blueprint.exception.ImportException: actionable-information:8003:Import failed. Could not find service profile with the name : null

  • In the Service Composer user interface (UI), you see an error similar to:

    Firewall configuration is not in sync since 11/05/2015 09:19.

  • When you run the show log command on the NSX Manager console, you see entries similar to:

    2015-05-11 09:19:29.675 EST ERROR TaskFrameworkExecutor-11 FirewallConfigurationSyncService:290 -
    Update operation for SG apply has failed. Marking Service Composer Firewall config as out of sync.
    com.vmware.vshield.vsm.exceptions.ObjectNotFoundException:
    core-services:202:The requested object : 501d40e1-####-####-############.000 could not be found.
    Object identifiers are case sensitive.


    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Collecting diagnostic information for VMware NSX for vSphere 6.x (318901)