DFW rules in failed state due to time based rules
Article ID: 372043

Products

VMware vDefend Firewall

Issue/Introduction

  • You have configured a time-based policy in the Distributed Firewall.
    • You created this policy using the API.
  • You observe a similar error in the NSX-T UI when configuring Distributed Firewall policies and rules.

  • You may observe similar logging on the NSX-T manager in /var/log/syslog.log

2024-07-12T10:16:05.351Z NSX-Manager-01 NSX 4792 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Returning current realization status 'Status = 'ERROR', Message = ''6' transport nodes have reported errors.', TNs = '[TN = '4d1b0e0c-48e6-451c-a2d7-c59eb7d74301', Status = 'ERROR', Message = '', Errors = '[Error Code = '1102', Error Message = '', Affected Entities = '[]'.]'., TN = '508336b5-42df-42fd-b819-08d997830983', Status = 'ERROR', Message = '', Errors = '[Error Code = '1102', Error Message = '', Affected Entities = '[]'.]'., TN = '35877f49-bf9c-419b-9e8d-d87ec895169b', Status = 'ERROR', Message = '', Errors = '[Error Code = '1102', Error Message = '', Affected Entities = '[]'.]'., TN = 'b3b2ba73-b990-4c2f-b470-9b9bef0a8ce1', Status = 'ERROR', Message = '', Errors = '[Error Code = '1102', Error Message = '', Affected Entities = '[]'.]'., TN = '214008cb-b4af-4485-9e7b-51bf91fdf617', Status = 'ERROR', Message = '', Errors = '[Error Code = '1102', Error Message = '', Affected Entities = '[]'.]'., TN = '5d693a51-e6b8-41df-8aa7-a21eb94c6559', Status = 'ERROR', Message = '', Errors = '[Error Code = '1102', Error Message = '', Affected Entities = '[]'.]'.]', Pending Changes = '[]'.' for entity 'FirewallSection/7fbddd80-102f-4613-861d-a7f66830a41b'

  • You may observe similar logging on the NSX-T Manager in /var/log/proton/nsxapi.log


2024-07-12T10:16:05.351Z  INFO http-nio-127.0.0.1-7440-exec-48 PolicyRealizedStateFacadeImpl 4715 POLICY [nsx@6876 comp="nsx-manager" level="INFO" reqId="1a923331-ae94-4401-a8de-4626aba96308" subcomp="manager" username="admin"] Publish status for /infra/domains/default/security-policies/new_policy is ERROR

2024-07-12T10:16:06.002Z  INFO INTENT-PROCESSOR-CONSOLIDATED-SERVICE-0 ConsolidatedRealizedStateServiceImpl 4715 POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Updated consolidated state for intentPath /infra/domains/default/security-policies/new_policy to:ERROR

  • You may observe similar logging on the ESXi host in /var/run/syslog.log

2024-07-11T10:16:55.449Z cfgAgent[2104360]: NSX 2104360 - [nsx@6876 comp="nsx-controller" subcomp="cfgAgent" tid="18209700" level="error" errorCode="LCP01160"] dfw:  invalid attribute value TB_ET_ID

2024-07-11T12:36:01.500Z cfgAgent[2104360]: NSX 2104360 - [nsx@6876 comp="nsx-controller" subcomp="cfgAgent" tid="18209700" level="error" errorCode="LCP01158"] dfw: build DfwCache failed: DFW exception ret code: 67, error: invalid attribute value TB_ET_ID.

  • You may observe that the newly published rules are not propagated to the affected ESXi host and not applied to its VMs. Check with the commands below:

[root@<ESXI-HostName>~] summarize-dvfilter | grep -A 9 <VM-Name>
 port 67108898 UPSAv2-02.eth0
 vNic slot 2

   name: nic-34829825-eth0-vmware-sfw.2  <<< VM-Filter-Name
   agentName: vmware-sfw
   state: IOChain Attached
   vmState: Attached
   failurePolicy: failClosed
   serviceVMID: 4
   filter source: Dynamic Filter Creation
   moduleName: nsxt-vsip-20737187

[root@<ESXI-HostName>~] vsipioctl getrules -f <VM-Filter-Name>

NOTE: The preceding log excerpts are only examples. Dates, times and environment-specific values (host names, UUIDs, paths) will vary in your environment.

Environment

VMware NSX-T Data Center

Cause

  • The issue occurs when the start or end date contains a space before or after the date at the time the time policy is created. The firewall then carries an invalid attribute value in the time policy, which causes an internal error and leaves the rules in a failed realization state.
  • A space in the date can only be introduced when the time policy is created through the API below:

PUT /policy/api/v1/infra/firewall-schedulers/{firewall-scheduler-id}

Resolution

Workaround:

  • Use the API call below to retrieve and copy the body of the time profile:
    • GET /policy/api/v1/infra/firewall-schedulers
  • Modify the time profile with the PATCH call PATCH /policy/api/v1/infra/firewall-schedulers/{firewall-scheduler-id}
    • Make sure to delete the spaces before and after the start and end dates in the copied body, as in the example below:
{
    "start_date": " 08/01/2022 ",    << remove the space before and after the date
    "end_date": " 05/01/2023 ",      << remove the space before and after the date
    "timezone": "UTC",
    "recurring": true,
    "time_interval": [
        {
            "start_interval": "11:00",
            "end_interval": "12:30"
        }
    ],
    "resource_type": "PolicyFirewallScheduler",
    "id": "test",
    "display_name": "test",
    "path": "/infra/firewall-schedulers/test",
    "relative_path": "test",
    "parent_path": "/infra",
    "remote_path": "",
    "unique_id": "02a251c6-01c1-4c71-839e-43af88be2a79",
    "realization_id": "02a251c6-01c1-4c71-839e-43af88be2a79",
    "owner_id": "b0545bde-4144-42f2-bd76-d0b6bfea3e6e",
    "marked_for_delete": false,
    "overridden": false,
    "_system_owned": false,
    "_create_time": 1721113533314,
    "_create_user": "admin",
    "_last_modified_time": 1721652794496,
    "_last_modified_user": "admin",
    "_protection": "NOT_PROTECTED"
}
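The Cause and Workaround sections above describe the check by hand: list the firewall schedulers, find any whose start_date or end_date carries a leading or trailing space, and PATCH back a cleaned body. The script below automates that audit. It is an added example written for this article, not VMware code; the two endpoints are the ones the article cites, while the MM/DD/YYYY date format (taken from the article's example), the set of fields treated as writable on PATCH, the basic-auth client and the sample GET response are assumptions or constructed data. The offline part (audit and sanitize) runs without a manager; the live part only runs when you call fix_schedulers with real credentials.

```python
"""Audit NSX-T firewall schedulers for padded start_date / end_date values and
build a cleaned PATCH body. Added example, not VMware's code."""
import base64
import json
import re
import ssl
import urllib.request

# The KB's example dates are MM/DD/YYYY; accept exactly that once stripped (assumption).
DATE_RE = re.compile(r"^\d{2}/\d{2}/\d{4}$")
DATE_FIELDS = ("start_date", "end_date")
# Fields a client sends back on PATCH; path/owner/_* fields are server-managed
# and are dropped from the cleaned body (assumption).
WRITABLE_FIELDS = ("display_name", "start_date", "end_date", "timezone",
                   "recurring", "time_interval")

# Constructed sample of a GET /policy/api/v1/infra/firewall-schedulers response.
# Shape follows the body shown in the KB; the IDs are placeholders.
SAMPLE_LIST_RESPONSE = {
    "results": [
        {   # broken scheduler: created through PUT with padded dates
            "id": "test", "display_name": "test",
            "start_date": " 08/01/2022 ", "end_date": " 05/01/2023 ",
            "timezone": "UTC", "recurring": True,
            "time_interval": [{"start_interval": "11:00", "end_interval": "12:30"}],
            "resource_type": "PolicyFirewallScheduler",
            "path": "/infra/firewall-schedulers/test",
            "unique_id": "00000000-0000-0000-0000-000000000001",
            "_create_time": 1721113533314, "_system_owned": False,
        },
        {   # healthy scheduler for contrast
            "id": "maintenance", "display_name": "maintenance",
            "start_date": "01/01/2024", "end_date": "12/31/2024",
            "timezone": "UTC", "recurring": False,
            "time_interval": [{"start_interval": "22:00", "end_interval": "23:59"}],
            "resource_type": "PolicyFirewallScheduler",
            "path": "/infra/firewall-schedulers/maintenance",
        },
    ]
}


def date_problems(scheduler):
    """Return [(field, raw_value)] for dates with surrounding whitespace or
    that do not match MM/DD/YYYY after stripping."""
    problems = []
    for field in DATE_FIELDS:
        value = scheduler.get(field)
        if isinstance(value, str) and (value != value.strip()
                                       or not DATE_RE.match(value.strip())):
            problems.append((field, value))
    return problems


def audit(list_response):
    """Map scheduler id -> problems for every scheduler in a list response."""
    report = {}
    for scheduler in list_response.get("results", []):
        problems = date_problems(scheduler)
        if problems:
            report[scheduler["id"]] = problems
    return report


def sanitize(scheduler):
    """Build the PATCH body: writable fields only, dates stripped of whitespace.
    Raises ValueError if a date is still malformed after stripping."""
    body = {k: scheduler[k] for k in WRITABLE_FIELDS if k in scheduler}
    for field in DATE_FIELDS:
        if field in body:
            body[field] = body[field].strip()
            if not DATE_RE.match(body[field]):
                raise ValueError(f"{scheduler.get('id')}: {field}={body[field]!r} is not MM/DD/YYYY")
    return body


def nsx_request(manager, path, method="GET", user="admin", password="", body=None, ca_file=None):
    """Minimal NSX Policy API call with basic auth (assumed client; not used offline)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"https://{manager}{path}", data=data, method=method,
        headers={"Authorization": f"Basic {token}", "Accept": "application/json",
                 "Content-Type": "application/json"})
    ctx = ssl.create_default_context(cafile=ca_file)  # validate the manager's certificate
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def fix_schedulers(manager, user, password, apply=False, ca_file=None):
    """Audit live schedulers; with apply=True, PATCH the cleaned body back."""
    listing = nsx_request(manager, "/policy/api/v1/infra/firewall-schedulers",
                          user=user, password=password, ca_file=ca_file)
    report = audit(listing)
    for sid, problems in report.items():
        print(f"{sid}: {problems}")
        if apply:
            original = next(s for s in listing["results"] if s["id"] == sid)
            nsx_request(manager, f"/policy/api/v1/infra/firewall-schedulers/{sid}",
                        "PATCH", user, password, sanitize(original), ca_file)
    return report


if __name__ == "__main__":
    # Offline demonstration on the constructed sample: report, then the cleaned body.
    print(json.dumps(audit(SAMPLE_LIST_RESPONSE), indent=2))
    print(json.dumps(sanitize(SAMPLE_LIST_RESPONSE["results"][0]), indent=2))
```

Run it without arguments to see the audit of the constructed sample; against a real manager, call fix_schedulers("nsx-manager.example", "admin", password) first with the default apply=False to get a report only, and apply=True once the list looks right. The cleaned body deliberately omits the path, owner and underscore-prefixed fields from the GET response so that the PATCH carries only the values you intend to change.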