NSX Time-Based Policy status unknown - Error Code = '1001'


Article ID: 345422


Products

VMware NSX

Issue/Introduction

  • Time-based policy realization failure.
  • The NSX firewall status is unknown, with the following error message:
    "[Error Code = '1001', Error Message = ' NTP Service is not up', Affected Entities = '[]'.]"
  • The ESXi log /var/run/log/nsx-syslog.log shows the following errors:
    2023-02-02T07:05:19.343Z cfgAgent[2101387]: NSX 2101387 - [nsx@6876 comp="nsx-controller" subcomp="cfgAgent" tid="915AB700" level="error" errorCode="LCP01163"] dfw: Invalid ntp config command output err:0
    2023-02-02T07:06:48.368Z cfgAgent[2101387]: NSX 2101387 - [nsx@6876 comp="nsx-controller" subcomp="cfgAgent" tid="915AB700" level="error"] vsipfw: VsipFWUtil.cpp:RunCommandWithTimeout():3242 Kill stuck child process /bin/check_ntp_cfg.sh
  • The NTP command ntpq -p takes more than 30 seconds to show its output.

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Environment

VMware NSX

Cause

  • NTP resolution takes more than 30 seconds from the host.
  • DFW uses the ntpq -p command to check the NTP status for Time-Based Policy, and the timeout for that check is 30 seconds.
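
To confirm this cause on a host before applying the workaround, the following added example (not part of the VMware article or NSX tooling) counts the two log signatures quoted above and times ntpq -p against the 30-second timeout. The function names are hypothetical, and it assumes the host shell provides grep -E and date +%s.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical, not NSX tooling.
NTP_CHECK_TIMEOUT=30   # DFW's timeout for "ntpq -p", per the Cause section

# Print how many lines of the given log carry either signature quoted above.
count_ntp_check_failures() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    grep -c -E 'errorCode="LCP01163".*Invalid ntp config command output|Kill stuck child process /bin/check_ntp_cfg\.sh' "$1" || true
}

# Run a command, discard its output, print the elapsed whole seconds.
elapsed_seconds() {
    _start=$(date +%s)
    "$@" >/dev/null 2>&1 || true
    _end=$(date +%s)
    echo $((_end - _start))
}

# Compare an elapsed time (whole seconds) with the DFW timeout.
classify_elapsed() {
    if [ "$1" -ge "$NTP_CHECK_TIMEOUT" ]; then
        echo "EXCEEDS_TIMEOUT"
    else
        echo "OK"
    fi
}

# Only runs when invoked as: sh <script> --run [logfile]
if [ "${1:-}" = "--run" ]; then
    log="${2:-/var/run/log/nsx-syslog.log}"
    echo "log signatures: $(count_ntp_check_failures "$log")"
    t=$(elapsed_seconds ntpq -p)
    echo "ntpq -p:  ${t}s $(classify_elapsed "$t")"
    # -n is ntpq's numeric flag (no reverse name lookups). A fast -pn next
    # to a slow -p points at name resolution as the source of the delay.
    t=$(elapsed_seconds ntpq -pn)
    echo "ntpq -pn: ${t}s $(classify_elapsed "$t")"
fi
```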

Resolution

This is a known issue impacting VMware NSX.

Workaround:

  • Log in to each host via SSH.
  • On each host, edit the file /etc/vmware/nsx/nsx-cfgagent.xml using the vi editor and change skip_ntp_check to true.
  • Stop and start the nsx-cfgagent service:
    /etc/init.d/nsx-cfgagent stop
    /etc/init.d/nsx-cfgagent start