"Publishing of ruleset failed" error in Service Composer

Article ID: 339195


Products

VMware NSX

Issue/Introduction

Upgrade to VMware NSX for vSphere 6.2.4 to resolve the issue.


Symptoms:

An NSX distributed firewall rules policy cannot be published after a third-party partner solution is deleted from the Service Composer User Interface (UI). You see an error similar to:

Publishing of ruleset failed. Please see the tech support logs. The requested object: vm-xxx could not be found. Object identifiers are case sensitive.
 
Note: For additional symptoms and log entries, see the Additional information section.

Environment

VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.1.x

Cause

Resolution

This issue is resolved in VMware NSX for vSphere 6.2.4.
 
To work around the issue if you do not want to upgrade, uninstall the partner solution.
 
 
Notes:
  • Ensure that you have basic authorization with the NSX manager web credentials, such as the admin user, or any vCenter Server user granted NSX privileges.
  • Use headers Content-type: application/xml and Accept: application/xml.
  1. Go to Service Composer and remove all rules that use partner solutions.
  2. Delete all the service deployments in the NSX Manager for the partner solution.
  3. Delete the service from the Service Definition tab in NSX Manager.

    If deleting the service from the Service Definition tab fails, the cause may be orphaned service profile references (manually edited or copied).

    To resolve this issue:

    1. Check the NSX logs for the service-profile-id information.

      For example:

      2016-04-07 12:56:41.150 GMT ERROR http-nio-127.0.0.1-7441-exec-24 ServiceInsertionServiceImpl:742 - VendorTemplate ABC:1946 is being used by 1 ServiceProfiles
      2016-04-07 12:56:41.151 GMT ERROR http-nio-127.0.0.1-7441-exec-24 ServiceInsertionServiceImpl:744 - VendorTemplate ABC:1946 is being used by ServiceProfile McAfee MOVE AV_McAfee Default (copy)-35:serviceprofile-15

    2. Use this REST API call to delete the service-profile:

      DELETE: https://nsxmgr_ip/api/2.0/si/serviceprofile/{serviceprofile-id}

    3. When all the service-profile(s) are deleted, delete the service from the Service Definition tab in NSX Manager.

      Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

  4. Uninstall the partner management console.
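
The log check and REST call from the sub-steps of step 3, as an added example that is not part of the original article or VMware's own tooling. It assumes the log line format quoted above; the function names, the manager host name and the credentials are placeholders chosen for illustration.

```python
import base64
import re
import urllib.request

# Constructed sample: the two log lines quoted in this article.
SAMPLE_LOG = """\
2016-04-07 12:56:41.150 GMT ERROR http-nio-127.0.0.1-7441-exec-24 ServiceInsertionServiceImpl:742 - VendorTemplate ABC:1946 is being used by 1 ServiceProfiles
2016-04-07 12:56:41.151 GMT ERROR http-nio-127.0.0.1-7441-exec-24 ServiceInsertionServiceImpl:744 - VendorTemplate ABC:1946 is being used by ServiceProfile McAfee MOVE AV_McAfee Default (copy)-35:serviceprofile-15
"""

# Matches "... is being used by ServiceProfile <display name>:serviceprofile-<n>"
_PROFILE_RE = re.compile(r"is being used by ServiceProfile .*:(serviceprofile-\d+)\s*$")


def orphaned_profile_ids(log_text):
    """Return the service-profile IDs named in the log, in order, without duplicates."""
    ids = []
    for line in log_text.splitlines():
        match = _PROFILE_RE.search(line)
        if match and match.group(1) not in ids:
            ids.append(match.group(1))
    return ids


def build_delete_request(manager, profile_id, user, password):
    """Build (but do not send) the DELETE call for one service profile."""
    # Re-validate the ID so that log content can never alter the URL path.
    if not re.fullmatch(r"serviceprofile-\d+", profile_id):
        raise ValueError("unexpected service-profile ID: %r" % profile_id)
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return urllib.request.Request(
        "https://%s/api/2.0/si/serviceprofile/%s" % (manager, profile_id),
        method="DELETE",
        headers={
            "Authorization": "Basic " + token,
            "Content-Type": "application/xml",
            "Accept": "application/xml",
        },
    )


if __name__ == "__main__":
    # Dry run: list what would be deleted; review before sending each request
    # with urllib.request.urlopen(req), which verifies the manager's certificate.
    for pid in orphaned_profile_ids(SAMPLE_LOG):
        req = build_delete_request("nsxmgr_ip", pid, "admin", "PLACEHOLDER")
        print(req.get_method(), req.full_url)
```

Run as a script, it only prints the DELETE calls it would make, so the list of profile IDs can be reviewed against the log before anything is removed.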

Additional Information

You experience these additional symptoms:
  • If a security policy with security groups is linked to a partner solution and that solution is deleted, the service group used in the firewall rule becomes invalid.
  • Subsequent publishing operations fail with this message because Service Composer concludes that a section in the firewall rule table does not exist in its own table:
    This configuration cannot be published

Enhancements in vSphere 6.2.4
 
NSX for vSphere 6.2.4 includes enhancements related to Service Composer status. A system alarm is raised if a deletion task fails. You can attempt to resolve this system alert when the partner appliance is up. If the partner solution is permanently lost, you can open and edit the Service Manager associated with the service and change its operations state to down/false in the UI. After this, you can attempt to resolve the system alert.