Re-deployment of Palo Alto NGFW SVMs consumes additional Palo Alto NGFW licenses

Article ID: 343347

Products

VMware NSX

Issue/Introduction

Symptoms:
When Palo Alto Next-Gen Firewall (NGFW) SVMs are redeployed from the NSX Manager, you experience these symptoms:

  • Additional Palo Alto licenses are being used.
  • When you run the show manager log command on the NSX Manager CLI, you see entries similar to:

    2016-03-13 13:37:46.944 EDT INFO DCNPool-1 VdsUrlChangeHandler:103 - change in ovf or vib url detected for deployment unit DeploymentUnit [serviceId=service-7, serviceInstanceId=serviceinstance-1, agencyId=70735a71-5a2b-4767-9c22-8038e6388bb9, fabricStatus=ENABLED, healthStatus=IN_PROGRESS, installedServiceVersion=null, fabricOperationStatus=UPGRADE, objectId=deploymentunit-5, objectType=DeploymentUnit]. Raising an alarm for same
    2016-03-13 13:37:46.946 EDT INFO DCNPool-1 AlarmServiceImpl:142 - raising an alarm for objectid deploymentunit-5 with alarmcode 250008 and target moid domain-c115
    2016-03-13 13:37:46.946 EDT INFO DCNPool-1 SystemEventDaoImpl:133 - [SystemEvent] Time:'Sun Mar 13 13:37:46.944 EDT 2016', Severity:'High', Event Source:'Security Fabric', Code:'250008', Event Message:'Service domain-c115_service-7 will need to be redeployed as the location of the OVF / VIB bundles to be deployed has changed.', Module:'Security Fabric', Universal Object:'false'

     
  • In the eam.log file on the vCenter Server, you see entries similar to:

    eam.log.1:2016-03-13T13:35:36.278-04:00 | INFO | vlsi | AgencyImpl.java | 865 | Updating agency configuration: AgencyImpl(ID:'Agency:70735a71-5a2b-4767-9c22-8038e6388bb9:ea330741-d3c4-40ad-ba71-ce4a84cc39fa')
    eam.log.1:2016-03-13T13:35:36.282-04:00 | DEBUG | vlsi | AgencyImpl.java | 950 | Agent configuration updated for AgencyImpl(ID:'Agency:70735a71-5a2b-4767-9c22-8038e6388bb9:ea330741-d3c4-40ad-ba71-ce4a84cc39fa')


    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
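
The following sketch shows one way to find this event in collected logs. It is an added example, not VMware or Palo Alto Networks code. It matches only the message formats shown in the excerpts above (embedded here as sample input); the function name and output field names are assumptions.

```python
import re

# Sample input: lines copied from the log excerpts in this article.
MANAGER_LOG = """\
2016-03-13 13:37:46.944 EDT INFO DCNPool-1 VdsUrlChangeHandler:103 - change in ovf or vib url detected for deployment unit DeploymentUnit [serviceId=service-7, serviceInstanceId=serviceinstance-1, agencyId=70735a71-5a2b-4767-9c22-8038e6388bb9, fabricStatus=ENABLED, healthStatus=IN_PROGRESS, installedServiceVersion=null, fabricOperationStatus=UPGRADE, objectId=deploymentunit-5, objectType=DeploymentUnit]. Raising an alarm for same
2016-03-13 13:37:46.946 EDT INFO DCNPool-1 AlarmServiceImpl:142 - raising an alarm for objectid deploymentunit-5 with alarmcode 250008 and target moid domain-c115
"""
EAM_LOG = """\
eam.log.1:2016-03-13T13:35:36.278-04:00 | INFO | vlsi | AgencyImpl.java | 865 | Updating agency configuration: AgencyImpl(ID:'Agency:70735a71-5a2b-4767-9c22-8038e6388bb9:ea330741-d3c4-40ad-ba71-ce4a84cc39fa')
"""

URL_CHANGE = re.compile(r"^(\S+ \S+) .*VdsUrlChangeHandler:\d+ - change in ovf or vib url "
                        r"detected for deployment unit DeploymentUnit \[(.*?)\]")
ALARM = re.compile(r"raising an alarm for objectid (\S+) with alarmcode (\d+) and target moid (\S+)")
AGENCY = re.compile(r"(\d{4}-\d\d-\d\dT[\d:.]+)\S* \|.*Updating agency configuration: "
                    r"AgencyImpl\(ID:'Agency:([0-9a-f-]{36}):")

def find_ovf_url_redeploys(manager_log, eam_log):
    """Return one record per deployment unit flagged after an OVF/VIB URL change."""
    # EAM side: timestamps of agency configuration updates, keyed by agency ID.
    agency_updates = {}
    for line in eam_log.splitlines():
        m = AGENCY.search(line)
        if m:
            agency_updates.setdefault(m.group(2), []).append(m.group(1))
    # NSX Manager side: URL-change detections and the 250008 alarms raised for them.
    units, alarm_targets = {}, {}
    for line in manager_log.splitlines():
        m = URL_CHANGE.search(line)
        if m:
            fields = dict(kv.split("=", 1) for kv in m.group(2).split(", "))
            units[fields["objectId"]] = {"time": m.group(1), **fields}
        m = ALARM.search(line)
        if m and m.group(2) == "250008":
            alarm_targets[m.group(1)] = m.group(3)
    return [{"time": u["time"], "deployment_unit": oid, "service": u["serviceId"],
             "agency": u["agencyId"], "target_moid": alarm_targets.get(oid),
             "eam_agency_updates": agency_updates.get(u["agencyId"], [])}
            for oid, u in units.items()]

if __name__ == "__main__":
    for record in find_ovf_url_redeploys(MANAGER_LOG, EAM_LOG):
        print(record)
```

Each record ties a flagged deployment unit to its service, the alarm target, and any EAM agency configuration updates for the same agency ID, which helps identify when the OVF URL was changed.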

Environment

VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.4.x
VMware NSX for vSphere 6.1.x
VMware NSX for vSphere 6.0.x

Cause

This issue occurs if the location of the OVF URL is changed under Networking & Security > Service Definitions > Palo Alto Networks NGFW > Manage > Deployment. This configuration must match the configuration under Panorama > VMware Service Manager, because the service definition is managed from Panorama.

The Service Profile should not be modified directly in the vSphere Web Client; it should be managed through Panorama only. Changes made on Panorama update the service definition in NSX. When the OVF location is changed, it triggers a redeployment of all the SVMs to match the OVF.
 

Resolution

To resolve this issue:
  1. Update the OVF URL configuration under Panorama > VMware Service Manager. The status will change to Registered after the update.
     
  2. Log in to the vSphere Web Client.
     
  3. On the NSX home page, go to Installation > Service Deployments, where Installation Status shows as Failed.

    If you click the Failed icon, you see an error similar to:

    Service domain will need to be redeployed as the location of the OVF bundles to be deployed has changed.
     
  4. Click the Resolve button to initiate the upgrade process.

    The upgrade will trigger NSX to perform these actions:
    • Deletion of existing Palo Alto NGFW SVM.
    • Deployment of new Palo Alto NGFW SVM.
    • The new Palo Alto NGFW SVM retrieves its license and gets a serial number from Panorama.
    • Palo Alto NGFW SVM reboots to finalize the process.