VM fails to add in Dynamic Security Groups
search cancel

VM fails to add in Dynamic Security Groups

book

Article ID: 341247

calendar_today

Updated On:

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • When multiple VMs are created or migrated to a different host about the same time, some of the VMs may not get added to NSX dynamic security groups defined in Service Composer even though they match the defined criteria.
  • In the NSX Manager vsm.log file, you see entries similar to:

    ERROR DCNPool-7 AbstractFlushingEventListener:324 - Could not synchronize database state with session org.hibernate.StaleObjectStateException: Row was updated or deleted by another transaction (or unsaved-value mapping was incorrect): [com.vmware.vshield.vsm.dynamicmembership.model.DynamicCriteria#dynamiccriteria-511] at org.hibernate.persister.entity.AbstractEntityPersister.check(AbstractEntityPersister.java:1934) at org.hibernate.persister.entity.AbstractEntityPersister.update(AbstractEntityPersister.java:2578) at org.hibernate.persister.entity.AbstractEntityPersister.updateOrInsert(AbstractEntityPersister.java:2478)


    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.


Environment

VMware NSX for vSphere 6.1.x
VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.2.x

Cause

This issue occurs when multiple VMs is added to the same security group(s) at the same time. The opportunistic locking mechanism for some of these VMs trigger due to the changes on the other VMs processing at the same time. As a result, the modification of the security group to add the affected VM is discarded to avoid corrupting the database.

Resolution

This issue is resolved in VMware NSX for vSphere 6.3.0, available at VMware Downloads.

To work around this issue if you do not want to upgrade:
  • Edit the security group under Service Composer > Security Groups and complete the wizard with no changes.This triggers a re-evaluation of the security group membership.
  • In NSX for vSphere 6.2.2 or earlier versions, vMotion the affected VM to another host, which triggers a re-evaluation of the group membership.


Additional Information

仮想マシンが動的セキュリティ グループに追加と失敗する
无法在动态安全组中添加虚拟机