NSX Edge fails to upgrade in NSX for vSphere 6.4.11

Article ID: 345031

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • Upgrading an NSX Edge after the environment has been upgraded to NSX for vSphere 6.4.11 fails with the following error in vsm.log:

2021-08-31 13:37:41 :: ERROR :: C_UTILS :: [73002] [256] failed to update ipsets : ipset v7.6: Error in line 118: Syntax error: IP address or IP/cidr must be specified: 0.6.89.177-0.6.87.182

2021-08-31 13:37:41 :: ERROR :: VseCommandHandler :: Command failed eventually. Error: [C_UTILS][73002][256] failed to update ipsets : ipset v7.6: Error in line 118: Syntax error: IP address or IP/cidr must be specified: 0.6.89.177-0.6.87.182
  • Publishing any firewall rule that includes a port range (e.g. 8000-9000) in either the source or the destination service on 6.4.11 fails with the following message in the UI:
Configuration failed on NSX Edge VM TEST-Edge-0. Kindly refer Edge and NSX Manager logs for more details.

Environment

VMware NSX for vSphere 6.4.x

Cause

NSX for vSphere 6.4.11 does not correctly handle rules whose services contain a port range, for example TCP:8000-9000:any.

Following the upgrade of the ipset package, the wrong parsing method was used to parse the service and service data, which led to ipset rejecting the generated set (the syntax error shown above), so any rule containing a port range fails.

Even Edges that do not have IPsets explicitly configured by the user in their grouping objects can be affected if they have firewall rules that use port ranges.

Resolution

This is a known issue affecting VMware NSX for vSphere 6.4.11.

The issue is resolved in NSX for vSphere 6.4.12.


Workaround:

Avoid using services with port ranges in the Edge firewall rule configuration before upgrading to 6.4.11.

Instead, list the individual port numbers as a comma-separated value, with no more than 15 entries in one rule.

Example:

  • Unsupported configuration (with port range)

sourceport: 8080
value: '1024,1025-1029'

  • Supported configuration (comma-separated)

sourceport: 8080
value: '1024,1025,1026,1027,1028,1029'
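As an added example (not VMware's code and not part of this article), the following Python script applies the workaround mechanically before an upgrade: it expands a port specification such as '1024,1025-1029' into the comma-separated form, splits the result into rules of at most 15 entries, and audits a set of rules for any remaining range so you can see up front how many replacement rules a range like 8000-9000 would need. The Rule structure and the sample rules are constructed for the example; they are a simplified stand-in, not the NSX API schema.

```python
"""Pre-upgrade check for the NSX for vSphere 6.4.11 port-range issue.

Added example, not VMware code.  Expands a service port specification such
as '1024,1025-1029' into the comma-separated form the KB workaround requires,
splitting the result into rules of at most 15 entries, and flags any rule
whose source or destination service still contains a range.  The Rule class
below is a constructed, simplified stand-in, not the NSX API schema.
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_PORTS_PER_RULE = 15  # limit stated in the KB workaround


def parse_port_spec(spec: str) -> list[int]:
    """Turn 'any', '8080' or '1024,1025-1029' into a sorted list of ports.

    Returns an empty list for 'any' (no restriction).  Raises ValueError on
    malformed entries or reversed/out-of-range ports instead of silently
    producing a value that the Edge would reject.
    """
    spec = spec.strip().lower()
    if spec in ("", "any"):
        return []
    ports: set[int] = set()
    for entry in spec.split(","):
        entry = entry.strip()
        if "-" in entry:
            lo_s, hi_s = entry.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"reversed range: {entry}")
        else:
            lo = hi = int(entry)
        if not 1 <= lo <= 65535 or not 1 <= hi <= 65535:
            raise ValueError(f"port out of range: {entry}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def has_port_range(spec: str) -> bool:
    """True if the spec contains a 'lo-hi' range (the form 6.4.11 cannot publish)."""
    return any("-" in part for part in spec.split(","))


def to_supported_values(spec: str, limit: int = MAX_PORTS_PER_RULE) -> list[str]:
    """Rewrite a port spec as one or more comma-separated lists.

    Each returned string holds at most `limit` ports, so each one can be used
    as the service value of a separate rule.  'any' comes back unchanged.
    """
    ports = parse_port_spec(spec)
    if not ports:
        return [spec.strip()]
    return [
        ",".join(str(p) for p in ports[i : i + limit])
        for i in range(0, len(ports), limit)
    ]


@dataclass
class Rule:
    """Constructed, simplified Edge firewall rule (not the NSX API schema)."""
    name: str
    protocol: str
    source_port: str
    dest_port: str


def audit_rules(rules: list[Rule]) -> list[tuple[str, str, int]]:
    """Report (rule name, field, number of replacement rules needed).

    A large range such as 8000-9000 expands into dozens of 15-port rules;
    this number tells you whether the workaround is practical for a rule or
    whether the upgrade should wait for 6.4.12.
    """
    findings = []
    for r in rules:
        for fld, spec in (("sourcePort", r.source_port), ("port", r.dest_port)):
            if has_port_range(spec):
                findings.append((r.name, fld, len(to_supported_values(spec))))
    return findings


if __name__ == "__main__":
    sample = [  # constructed sample rules; the first mirrors the KB example
        Rule("kb-example", "tcp", "8080", "1024,1025-1029"),
        Rule("big-range", "tcp", "any", "8000-9000"),
        Rule("clean", "tcp", "any", "443"),
    ]
    for name, fld, n in audit_rules(sample):
        print(f"{name}: {fld} uses a port range; needs {n} rule(s) after rewrite")
    print(to_supported_values("1024,1025-1029"))
```

Run it against an export of the Edge firewall rules before upgrading; any rule reported by `audit_rules` must be rewritten (or the upgrade deferred to 6.4.12). The reversed-range and out-of-range checks exist so that a typo in the rewritten value is caught on the workstation rather than at publish time on the Edge.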


Additional Information

Impact/Risks:
  1. Upgrading or redeploying Edges that have port-range services in their firewall configuration fails on NSX-v 6.4.11.
  2. Firewall rules with port-range services cannot be configured while running NSX-v 6.4.11.