Distributed Firewall Rules Stuck in Publishing
Article ID: 341256
Updated On:
Products
VMware NSX
Issue/Introduction
Symptoms:
NSX Distributed Firewall publishing is stuck in progress, does not complete.
On the NSX Manager logs you will see entries similar to the following:
Relevant log location:
vsm.log
2019-04-16 22:05:59.586 IDT ERROR TaskFrameworkExecutor-10 FirewallMessagingManager:179 - - [nsxv@6876 comp="nsx-manager" errorCode="MP100" subcomp="manager"] Exception while publishing rule set to cluster: domain-c13.
java.lang.NullPointerException: null
2019-02-13 15:36:52.077 CST ERROR DCNPool-7 VimNotificationHandler:243 - - [nsxv@6876 comp="nsx-manager" errorCode="MP202" subcomp="manager"] Cluster for VM vm-102025 could not be found
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
NSX Distributed Firewall publishing is stuck in progress, does not complete.
On the NSX Manager logs you will see entries similar to the following:
Relevant log location:
vsm.log
2019-04-16 22:05:59.586 IDT ERROR TaskFrameworkExecutor-10 FirewallMessagingManager:179 - - [nsxv@6876 comp="nsx-manager" errorCode="MP100" subcomp="manager"] Exception while publishing rule set to cluster: domain-c13.
java.lang.NullPointerException: null
2019-02-13 15:36:52.077 CST ERROR DCNPool-7 VimNotificationHandler:243 - - [nsxv@6876 comp="nsx-manager" errorCode="MP202" subcomp="manager"] Cluster for VM vm-102025 could not be found
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
Environment
VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.4.x
VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.4.x
Cause
VMs created on versions of vCenter Sevrer prior to 6.0.0 have a different path variable set than on later versions. The NSX Manager holds this path in the database.
If this path variable is not updated through vMotion of the VM or moving the VM between resource pools it can cause the publishing on the DFW to stall indefinitely when the VMs are used as the applied to field in the rule.
If this path variable is not updated through vMotion of the VM or moving the VM between resource pools it can cause the publishing on the DFW to stall indefinitely when the VMs are used as the applied to field in the rule.
Resolution
This is a known issue affecting VMware NSX for vSphere 6.2.x, 6.3.x and 6.4.x.
This is resolved in NSX for vSphere version 6.4.5.
Workaround:
To workaround this issue:
1. Create a temporary folder on the vCenter to which the NSX Manager is registered.
2. Move the Datacenter into the temporary folder and allow the vCenter object paths to update. Wait 15-20 minutes.
3. Move the Datacenter back out of the temporary folder.
4. Delete the temporary folder.
This action should update the paths on all of the vCenter Objects and allow the DFW publishing to complete.
This is resolved in NSX for vSphere version 6.4.5.
Workaround:
To workaround this issue:
1. Create a temporary folder on the vCenter to which the NSX Manager is registered.
2. Move the Datacenter into the temporary folder and allow the vCenter object paths to update. Wait 15-20 minutes.
3. Move the Datacenter back out of the temporary folder.
4. Delete the temporary folder.
This action should update the paths on all of the vCenter Objects and allow the DFW publishing to complete.
Additional Information
Impact/Risks:
Unable to publish firewall rules
Unable to publish firewall rules
Feedback
Yes
No
Powered by
