VM fails to add in Dynamic Security Groups
search cancel

VM fails to add in Dynamic Security Groups


Article ID: 341247


Updated On:


VMware NSX Networking


  • When multiple VMs are created or migrated to a different host about the same time, some of the VMs may not get added to NSX dynamic security groups defined in Service Composer even though they match the defined criteria.
  • In the NSX Manager vsm.log file, you see entries similar to:

    ERROR DCNPool-7 AbstractFlushingEventListener:324 - Could not synchronize database state with session org.hibernate.StaleObjectStateException: Row was updated or deleted by another transaction (or unsaved-value mapping was incorrect): [com.vmware.vshield.vsm.dynamicmembership.model.DynamicCriteria#dynamiccriteria-511] at org.hibernate.persister.entity.AbstractEntityPersister.check(AbstractEntityPersister.java:1934) at org.hibernate.persister.entity.AbstractEntityPersister.update(AbstractEntityPersister.java:2578) at org.hibernate.persister.entity.AbstractEntityPersister.updateOrInsert(AbstractEntityPersister.java:2478)

    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.


VMware NSX for vSphere 6.1.x
VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.2.x


This issue occurs when multiple VMs is added to the same security group(s) at the same time. The opportunistic locking mechanism for some of these VMs trigger due to the changes on the other VMs processing at the same time. As a result, the modification of the security group to add the affected VM is discarded to avoid corrupting the database.


This issue is resolved in VMware NSX for vSphere 6.3.0, available at VMware Downloads.

To work around this issue if you do not want to upgrade:
  • Edit the security group under Service Composer > Security Groups and complete the wizard with no changes.This triggers a re-evaluation of the security group membership.
  • In NSX for vSphere 6.2.2 or earlier versions, vMotion the affected VM to another host, which triggers a re-evaluation of the group membership.

Additional Information

仮想マシンが動的セキュリティ グループに追加と失敗する