Publishing IDFW rules created under the Ethernet tab of the NSX Firewall fails in NSX for vSphere



Article ID: 339235

Products

VMware NSX

Issue/Introduction

  • Publishing a firewall rule under the Ethernet tab of the DFW fails when an IDFW Security Group is used in the Source or Destination field of the rule.

    Error noticed:

    Failed to publish firewall configuration version ###### to cluster domain-##. Refer logs for details.

    Note: This is visible under NSX Manager > Monitor > System Events and not on the DFW UI.

  • The 'Firewall Publish Status' under the Service Composer page displays 'Publish in progress', and this status changes back to Green once the newly created firewall rule, under the Ethernet tab, is deleted.
  • The NSX Manager logs contain messages similar to:

    2017-06-15 05:47:29.269 GMT+00:00 INFO TaskFrameworkExecutor-18 EventHelper:144 - SysEvent-Detailed-Message :(Kept only in logs) :: com.vmware.vshield.vsm.exceptions.OperationNotPermittedException: core-services:204:This operations is not permitted.
    2017-06-15 05:47:29.273 GMT+00:00 INFO TaskFrameworkExecutor-18 SystemEventDaoImpl:134 - [SystemEvent] Time:'Thu Jun 15 05:47:29.269 GMT+00:00 2017', Severity:'Critical', Event Source:'domain-##', Code:'301503', Event Message:'Failed to publish firewall configuration version ###### to cluster domain-##. Refer logs for details.', Module:'vShield Firewall', Universal Object:'false'
    2017-06-15 05:47:29.290 GMT+00:00 ERROR TaskFrameworkExecutor-18 SimpleTaskManager:126 - Error during publish Task AppNotificationHandler.
    org.springframework.transaction.TransactionSystemException: Could not commit JPA transaction; nested exception is javax.persistence.RollbackException: Transaction marked as rollbackOnly
    at org.springframework.orm.jpa.JpaTransactionManager.doCommit(JpaTransactionManager.java:523)

    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Environment

VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.3.x

Resolution

This is an expected behaviour in VMware NSX for vSphere 6.2.x and 6.3.x.

Publishing the IDFW rules under the Ethernet tab of the Firewall is not supported because the IDFW translations are IP based and not MAC based.
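A pre-publish check for the condition this article describes, added here as an example and not VMware's own code. It assumes the NSX for vSphere DFW configuration XML layout (as returned by GET /api/4.0/firewall/globalroot-0/config, with Ethernet-tab rules under <layer2Sections> and each <source>/<destination> carrying <value> and <type>), and it takes the set of identity-based security groups from the caller, since that depends on each group's Service Composer membership definition.

```python
# Added pre-publish check (not VMware's code). Assumes the NSX-v DFW config XML
# layout (GET /api/4.0/firewall/globalroot-0/config): <layer2Sections> holds the
# Ethernet-tab rules, and each <source>/<destination> carries <value> and <type>.
# Which security groups are identity-based must be supplied by the caller.
import xml.etree.ElementTree as ET

# Constructed sample: the same identity-based group referenced from an L3 rule
# (fine) and from an Ethernet rule (the case the KB says cannot be published).
SAMPLE_CONFIG = """<firewallConfiguration>
 <layer3Sections><section id="1001" name="L3 section">
  <rule id="1100"><name>l3-idfw-rule</name>
   <sources><source><value>securitygroup-10</value><type>SecurityGroup</type></source></sources>
  </rule></section></layer3Sections>
 <layer2Sections><section id="1002" name="Ethernet section">
  <rule id="1200"><name>l2-idfw-rule</name>
   <destinations><destination><value>securitygroup-10</value><type>SecurityGroup</type></destination></destinations>
  </rule>
  <rule id="1201"><name>l2-mac-rule</name>
   <sources><source><value>macset-5</value><type>MACSet</type></source></sources>
  </rule></section></layer2Sections>
</firewallConfiguration>"""

IDFW_GROUPS = {"securitygroup-10"}  # constructed: groups whose membership is AD-based


def find_unpublishable_l2_rules(config_xml, idfw_groups):
    """Return (rule id, rule name, group id) for every Ethernet (layer 2) rule whose
    source or destination is an identity-based security group; publishing those
    fails because IDFW translations are IP based, not MAC based."""
    root = ET.fromstring(config_xml)
    hits = []
    for rule in root.iterfind("./layer2Sections/section/rule"):
        refs = list(rule.iterfind("./sources/source")) + list(rule.iterfind("./destinations/destination"))
        for ref in refs:
            if ref.findtext("type") == "SecurityGroup" and ref.findtext("value") in idfw_groups:
                hits.append((rule.get("id"), rule.findtext("name"), ref.findtext("value")))
    return hits


if __name__ == "__main__":
    for rule_id, name, group in find_unpublishable_l2_rules(SAMPLE_CONFIG, IDFW_GROUPS):
        print(f"rule {rule_id} ({name}) references IDFW group {group} in an Ethernet section")
```

Run it against the exported configuration before publishing: any rule it lists will produce the "Failed to publish firewall configuration" system event until it is removed from the Ethernet section.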