DFW rules not pushed to VMs due to security cleanup of logical ports in NSX-T
Article ID: 370933

Products

VMware vDefend Firewall

Issue/Introduction

  • This issue may impact NSX-T versions up to 4.1.2
  • You may observe in the NSX-T UI that a VM no longer has a Segment/Logical Port
  • You may observe that there are no DFW rules realized on the host for that VM, using the below commands:

[root@<ESXI-HostName>~] summarize-dvfilter | grep -A 9 <VM-Name>
 port 67108898 UPSAv2-02.eth0
 vNic slot 2

   name: nic-34829825-eth0-vmware-sfw.2  <<< VM-Filter-Name
   agentName: vmware-sfw
   state: IOChain Attached
   vmState: Attached
   failurePolicy: failClosed
   serviceVMID: 4
   filter source: Dynamic Filter Creation
   moduleName: nsxt-vsip-20737187

[root@<ESXI-HostName>~] vsipioctl getrules -f <VM-Filter-Name>
 No rules.

  • You will see logging similar to the following on the NSX Manager in /var/log/proton

<Year>-<Month>-<Day><Time>  WARN ClusterResourcesCleanupTaskScheduler1 DistributedVirtualSwitchOperationImpl 3353157 FABRIC [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] Failed to fetch DistributedVirtualPorts from DistributedVritualSwitch <switch-ID>

<Year>-<Month>-<Day><Time>  INFO ClusterResourcesCleanupTaskScheduler1 DistributedVirtualSwitchOperationImpl 3353157 FABRIC [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Fetched 344 DistributedVirtualPorts from DistributedVritualSwitch: <switch-ID>

<Year>-<Month>-<Day><Time>  INFO ClusterResourcesCleanupTaskScheduler1 LogicalPortCleanupTaskForSecurity 3353157 SWITCHING [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Attemping to delete 2342 stale logical-ports found after vc sync at <unix-timestamp>

<Year>-<Month>-<Day><Time>  INFO ClusterResourcesCleanupTaskScheduler1 LogicalPortCleanupTaskForSecurity 3353157 SWITCHING [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Deleting stale logical-port <Logical-port-ID> as correponding dvport is free in VC

2023-12-10T14:08:49.169Z  INFO ClusterResourcesCleanupTaskScheduler1 LogicalPortServiceImpl 3353157 SWITCHING [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Removing attacher [4157d0a7-20a2-4c39-85fc-69255a90b47b] vmxPath [[VmName.vmx] from logical port [<Logical-port-ID>] 

2023-12-10T14:08:49.170Z  INFO ClusterResourcesCleanupTaskScheduler1 LogicalPortServiceImpl 3353157 SWITCHING [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] DebugLp: Removing attachers : portAttachers [LogicalPortAttachers [logicalPortId=<Logical-Port-ID>, attachers={4157d0a7-20a2-4c39-85fc-69255a90b47b=[[<VM-Name>.vmx]}]], hostId [<HOST-ID], vmxPath [[<VM-Name>.vmx], isEsxVmk [false]
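The two host-side checks above (summarize-dvfilter to find the VM's vmware-sfw filter, then vsipioctl getrules on that filter) can be scripted so that every VM on a host is tested the same way. The helper below is an added example, not part of this KB; it assumes it runs in the ESXi shell where summarize-dvfilter and vsipioctl exist, and the embedded sample output is constructed to match the shape of the excerpt above.

```shell
#!/bin/sh
# Added example, not from the KB: automate the two host-side checks above.
# Assumes it runs in the ESXi shell where summarize-dvfilter and vsipioctl exist.

# Constructed sample of summarize-dvfilter output, shaped like the KB excerpt,
# so dfw_filter_name can be exercised off-host.
SAMPLE_DVFILTER='port 67108898 UPSAv2-02.eth0
 vNic slot 2
   name: nic-34829825-eth0-vmware-sfw.2
   agentName: vmware-sfw
port 67108899 UPSAv2-020.eth0
 vNic slot 2
   name: nic-34829826-eth0-vmware-sfw.2
   agentName: vmware-sfw'

# Print the vmware-sfw filter name(s) for an exact VM name, reading
# summarize-dvfilter output on stdin. The port line is "port <id> <VM>.eth<N>",
# so the VM name is compared whole to avoid matching a longer name.
dfw_filter_name() {
  awk -v vm="$1" '
    $1 == "port" { n = $3; sub(/\.eth[0-9]+$/, "", n); inblock = (n == vm); next }
    inblock && $1 == "name:" && $2 ~ /vmware-sfw/ { print $2 }
  '
}

# Succeed only if vsipioctl output on stdin lists rules: non-empty and
# without the "No rules." marker seen on an affected VM.
dfw_rules_realized() {
  out=$(cat)
  [ -n "$out" ] && ! printf '%s\n' "$out" | grep -q 'No rules\.'
}

# Live check for one VM: returns 1 if a filter is attached but carries no
# rules (the symptom in this KB), 2 if no vmware-sfw filter was found at all.
check_vm_dfw() {
  vm="$1"; rc=0
  filters=$(summarize-dvfilter | dfw_filter_name "$vm")
  [ -n "$filters" ] || { echo "$vm: no vmware-sfw filter found"; return 2; }
  for f in $filters; do
    if vsipioctl getrules -f "$f" | dfw_rules_realized; then
      echo "$vm: DFW rules realized on $f"
    else
      echo "$vm: filter $f attached but NO rules realized"; rc=1
    fi
  done
  return $rc
}
```

Run check_vm_dfw for each VM name from the NSX inventory; a return code of 1 marks a VM that needs the workaround below.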

Cause

A vCenter API call that queries the DV ports fails, which causes the logical port cleanup task to run and remove the logical ports.

Resolution

Workaround:

  • Reconfigure each affected VM's network card to another segment/port group and then back to the original segment/port group.

This issue is resolved in future releases of NSX-T.