Event ID: gateway_firewall.sr_limit_per_edge_exceeded
Added in release: 4.2.1
Alarm Description:
Impact: Dataplane functions may be impacted due to high scale, and configuration may take longer to be realized.
VMware NSX 4.2.1 and above
There are more Tier-0 or Tier-1 gateways configured than the Edge Form Factor maximum.
Note: For optimal performance and throughput, it is recommended to follow the guidelines below based on NSX 4.2.1 Configuration Limits.
| Edge Form Factor | Max number of Gateway Firewalls | Description |
| --- | --- | --- |
| Medium | 5 | Deployed either as T0, T1 or Bridge mode on the same edge node. Note: TLS Inspection or Advanced Threat Prevention (ATP) features cannot be enabled on Gateway Firewalls deployed on a Medium Edge node. |
| Large or Extra Large | 100 | Can be a combination of either T0, T1, or Bridges. Note: Only 10 Gateway Firewalls can be deployed per Large Edge Node with Advanced Threat Prevention (ATP) features activated. |
| Baremetal | 100 | Can be a combination of either T0, T1, or Bridges. Note: Only 25 Gateway Firewalls can be deployed per Baremetal Edge Node with Advanced Threat Prevention (ATP) features activated. |
Reduce the number of gateways configured on the edge node. Map additional gateways to a new edge in the cluster. See KB 411953 for more details.
WORKAROUND:
In the NSX-T UI, navigate to 'Security -> Gateway firewall -> Settings -> Gateways specific Settings'.
Disable the Gateway Firewall feature on the Tier-0/Tier-1 Gateway or Bridge if only the System Default rules are present and no user-defined rules are configured.
If you are running a Medium size edge node and disabling the Gateway Firewall is not an option, resize the edge node to Large or Extra Large.
Resize NSX Edge Node
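
As an added example (not VMware's code and not an NSX API client), the following Python check applies the table's limits and the workaround order above to an edge inventory. The record schema, field names and sample inventory are assumptions constructed for illustration; the Extra Large ATP cap is left unset because this page does not state one.

```python
# Limits transcribed from the table above. max_atp: cap on gateway firewalls
# with ATP activated (0 = not allowed, None = not stated on this page).
LIMITS = {
    "medium": {"max_fw": 5, "max_atp": 0},
    "large": {"max_fw": 100, "max_atp": 10},
    "extra_large": {"max_fw": 100, "max_atp": None},
    "baremetal": {"max_fw": 100, "max_atp": 25},
}

def audit_edge(edge):
    """Check one edge node record (hypothetical schema) against LIMITS."""
    lim = LIMITS[edge["form_factor"]]
    enabled = [g for g in edge["gateways"] if g["firewall_enabled"]]
    excess = len(enabled) - lim["max_fw"]
    # Workaround candidates: firewall on, but only System Default rules.
    candidates = [g["name"] for g in enabled if g["user_rules"] == 0]
    atp = [g["name"] for g in enabled if g.get("atp")]
    tls = [g["name"] for g in enabled if g.get("tls_inspection")]
    # Medium: neither ATP nor TLS Inspection is allowed; others: ATP cap only.
    if lim["max_atp"] == 0:
        feature_violations = sorted(set(atp + tls))
    elif lim["max_atp"] is not None and len(atp) > lim["max_atp"]:
        feature_violations = atp
    else:
        feature_violations = []
    if excess <= 0:
        count_action = "ok"
    elif len(candidates) >= excess:
        count_action = "disable_firewall_on_default_only_gateways"
    elif edge["form_factor"] == "medium":
        count_action = "resize_edge_or_move_gateways"
    else:
        count_action = "move_gateways_to_another_edge"
    return {"edge": edge["name"], "enabled": len(enabled), "excess": max(excess, 0),
            "disable_candidates": candidates,
            "feature_violations": feature_violations, "count_action": count_action}

# Constructed sample inventory (not real NSX output).
def gw(name, rules, **kw):
    return {"name": name, "firewall_enabled": True, "user_rules": rules, **kw}

INVENTORY = [
    {"name": "edge-01", "form_factor": "medium",
     "gateways": [gw(f"t1-{i}", 0 if i < 2 else 3) for i in range(7)]},
    {"name": "edge-02", "form_factor": "medium",
     "gateways": [gw(f"t1-{i}", 4, tls_inspection=(i == 0)) for i in range(6)]},
    {"name": "edge-03", "form_factor": "large",
     "gateways": [gw(f"t1-{i}", 2, atp=True) for i in range(12)]},
]
```

`count_action` covers only the per-edge gateway firewall count; `feature_violations` lists gateways that breach the ATP or TLS Inspection notes even when the count itself is within the limit.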