In the /var/log/migration-coordinator/cm.log file:
2022-07-24 17:15:50,878 17694 CM.clients.base_client DEBUG API tracker: REQUEST method=PUT, url= http://localhost:7440/nsxapi/api/v1/firewall/status/transport_nodes, non-session-headers=None, params=None, data={"context": "transport_nodes", "global_status": "DISABLED", "resource_type": "FirewallStatus", "id": "663725d0-####-####-####-1c187c5c3697", "display_name": "663725d0-####-####-####-1c187c5c3697", "_create_user": "system", "_create_time": 1663171586118, "_last_modified_user": "system", "_last_modified_time": 1663171586118, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0, "tags": [{"scope": "v_origin", "tag": "DFW-DFW Status"}]}
2022-09-18 06:12:50,903 17694 CM.clients.base_client DEBUG API tracker: RESPONSE status=200, text={
"context" : "transport_nodes",
"global_status" : "DISABLED", <<<<<<<<<<<<<<<<<<<<<<
"resource_type" : "FirewallStatus",
"id" : "663725d0-####-####-####-1c187c5c3697",
"display_name" : "663725d0-####-####-####-1c187c5c3697",
"tags" : [ {
"scope" : "v_origin",
"tag" : "DFW-DFW Status"
} ],
"_create_user" : "system",
"_create_time" : 1663171586118,
"_last_modified_user" : "admin",
"_last_modified_time" : 1662572891,
"_system_owned" : false,
"_protection" : "NOT_PROTECTED",
"_revision" : 1
}
less /var/log/migration-coordinator/v2t/nsxv-config/nwfabric.status.alleligible.clusters | grep '"featureId": "com.vmware.vshield.firewall"' -B 1 -A 4
Entries similar to the following will be seen:
"enabled": "true",
"featureId": "com.vmware.vshield.firewall",
"installed": "false",
"status": "UNKNOWN", <<<<<<<<<
"updateAvailable": "false"
},
--
"enabled": "true",
"featureId": "com.vmware.vshield.firewall",
"installed": "false",
"status": "UNKNOWN", <<<<<<<<<<<<<
"updateAvailable": "false"
},
VMware NSX-T Data Center
VMware NSX
During an NSX-V to NSX-T migration, if all the NSX-V clusters are in an Unknown state, the migration coordinator disables the NSX-T firewall for the "transport_nodes" context. In other words, DFW rules are not pushed to the ESXi transport nodes.
This issue is resolved in VMware NSX 3.2.4.
This issue is resolved in VMware NSX 4.2.0.
Workaround:
Toggle (disable and re-enable) the NSX-T status in the NSX GUI (Security > Distributed Firewall > All Rules > Actions > General Firewall Settings).
Impact/Risks:
DFW rules will not apply to the workload VMs.
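
One way to check a cm.log for the symptom above, as an added example that is not part of the original article or of VMware tooling: it scans for the PUT request to the firewall status endpoint that sets global_status to DISABLED. The function name, regular expression and sample lines are constructed for illustration and assume the log line shape shown in the excerpt.

```python
import json
import re
import sys

# Shape of the "API tracker: REQUEST" line shown in the cm.log excerpt.
REQUEST_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d+) .*?"
    r"API tracker: REQUEST method=PUT, url=\s*(?P<url>\S+?),"
    r".*?data=(?P<data>\{.*)$"
)
STATUS_PATH = "/api/v1/firewall/status/transport_nodes"

def find_dfw_disable_requests(lines):
    """Return (timestamp, context) for each PUT that disabled the DFW."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line.strip())
        if not m or not m.group("url").endswith(STATUS_PATH):
            continue
        try:
            # raw_decode tolerates trailing text after the JSON body.
            body, _ = json.JSONDecoder().raw_decode(m.group("data"))
        except json.JSONDecodeError:
            continue  # truncated payload: skip rather than guess
        if body.get("global_status") == "DISABLED":
            hits.append((m.group("ts"), body.get("context")))
    return hits

_PREFIX = ("17694 CM.clients.base_client DEBUG API tracker: REQUEST method=PUT, "
           "url= http://localhost:7440/nsxapi/api/v1/firewall/")
_TAIL = ", non-session-headers=None, params=None, data="
# Constructed sample lines modelled on the excerpt; not real log data.
SAMPLE = [
    "2022-07-24 17:15:50,878 " + _PREFIX + "status/transport_nodes" + _TAIL
    + '{"context": "transport_nodes", "global_status": "DISABLED"}',
    "2022-07-24 17:16:02,101 " + _PREFIX + "status/transport_nodes" + _TAIL
    + '{"context": "transport_nodes", "global_status": "ENABLED"}',
    "2022-07-24 17:16:09,440 " + _PREFIX + "sections" + _TAIL
    + '{"global_status": "DISABLED"}',          # different endpoint
    "2022-07-24 17:16:11,007 " + _PREFIX + "status/transport_nodes" + _TAIL
    + '{"context": "transport_nodes", "global_st',  # truncated JSON
]

if __name__ == "__main__":
    # Pass the path to cm.log; with no argument the constructed sample is used.
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    for ts, ctx in find_dfw_disable_requests(src):
        print(f"{ts} PUT set global_status=DISABLED for context {ctx}")
```

A hit only shows that the request was sent; confirm the current DFW state in General Firewall Settings before and after applying the workaround.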