DFW rules in failed state due to time based rules
Article ID: 372043
Updated On:
Products
VMware vDefend Firewall
Issue/Introduction
- You have configured a time-based firewall policy in the Distributed Firewall.
- You will observe a similar error in the NSX UI when configuring Distributed Firewall polices and rules.
- You may observe similar logging on the NSX manager in /var/log/syslog.log
2024-07-12T10:16:05.351Z NSX-Manager-01 NSX 4792 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Returning current realization status 'Status = 'ERROR', Message = ''6' transport nodes have reported errors.', TNs = '[TN = '#######-####-####-###-############', Status = 'ERROR', Message = '', Errors = '[Error Code = '1102', Error Message = '', Affected Entities = '[]'.]'., TN = '#######-####-####-###-############', Status = 'ERROR', Message = '', Errors = '[Error Code = '1102', Error Message = '', Affected Entities = '[]'.]'., TN = '#######-####-####-###-############', Status = 'ERROR', Message = '', Errors = '[Error Code = '1102', Error Message = '', Affected Entities = '[]'.]'., TN = '#######-####-####-###-############, Status = 'ERROR', Message = '', Errors = '[Error Code = '1102', Error Message = '', Affected Entities = '[]'.]'., TN = '#######-####-####-###-############', Status = 'ERROR', Message = '', Errors = '[Error Code = '1102', Error Message = '', Affected Entities = '[]'.]'., TN = '#######-####-####-###-############', Status = 'ERROR', Message = '', Errors = '[Error Code = '1102', Error Message = '', Affected Entities = '[]'.]'.]', Pending Changes = '[]'.' for entity 'FirewallSection/#######-####-####-###-############'
- You may observe similar logging on the NSX Manager in /var/log/proton/nsxapi.log
2024-07-12T10:16:05.351Z INFO http-nio-127.0.0.1-7440-exec-48 PolicyRealizedStateFacadeImpl 4715 POLICY [nsx@6876 comp="nsx-manager" level="INFO" reqId="#######-####-####-###-############" subcomp="manager" username="admin"] Publish status for /infra/domains/default/security-policies/new_policy is ERROR
2024-07-12T10:16:06.002Z INFO INTENT-PROCESSOR-CONSOLIDATED-SERVICE-0 ConsolidatedRealizedStateServiceImpl 4715 POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Updated consolidated state for intentPath /infra/domains/default/security-policies/new_policy to:ERROR
- You may observe similar logging on the ESXi host in /var/run/syslog.log
2024-07-11T10:16:55.449Z cfgAgent[2104360]: NSX 2104360 - [nsx@6876 comp="nsx-controller" subcomp="cfgAgent" tid="18209700" level="error" errorCode="LCP01160"] dfw: invalid attribute value TB_ET_ID
2024-07-11T12:36:01.500Z cfgAgent[2104360]: NSX 2104360 - [nsx@6876 comp="nsx-controller" subcomp="cfgAgent" tid="18209700" level="error" errorCode="LCP01158"] dfw: build DfwCache failed: DFW exception ret code: 67, error: invalid attribute value TB_ET_ID.
OR
2024-07-11T13:37:01.500Z cfgAgent[10253836]: NSX 10253836 - [nsx@6876 comp="nsx-controller" subcomp="cfgAgent" tid="4C8B9700" level="error" errorCode="LCP01160"] dfw: invalid attribute value TB_ST_ID
2024-07-11T13:37:01.500Z cfgAgent[10253836]: NSX 10253836 - [nsx@6876 comp="nsx-controller" subcomp="cfgAgent" tid="4C8B9700" level="error" errorCode="LCP01158"] dfw: build DfwCache failed: DFW exception ret code: 67, error: invalid attribute value TB_ST_ID.
- You may observe that the new rules published are not propagated on the affected ESXi hosts and applied to VMs using the below commands
[root@<ESXI-HostName>~] summarize-dvfilter | grep -A 9 <VM-Name>
port 67108898 UPSAv2-02.eth0
vNic slot 2
name: nic-34829825-eth0-vmware-sfw.2 <<< VM-Filter-Name
agentName: vmware-sfw
state: IOChain Attached
vmState: Attached
failurePolicy: failClosed
serviceVMID: 4
filter source: Dynamic Filter Creation
moduleName: nsxt-vsip-20737187
[root@<ESXI-HostName>~] vsipioctl getrules -f <VM-Filter-Name>
NOTE: The preceding log excerpts are only examples. Date, time and environmental variables may vary depending on your environment.
Environment
VMware NSX Data Center
Cause
- The issue can occur when creating a time-based firewall policy due to the following reasons
- If there is a space before or after the start/end date in the policy. (This space in the date can only happen when creating the time-based firewall policy by using the below API)
- If the date has an invalid year value.
Resolution
Workaround:
Issue 1 - A space before or after the start/end date
- Use the below API command to copy the body of the time profile
- GET policy/api/v1/infra/firewall-schedulers
- Modify the policy using the patch command PATCH /policy/api/v1/infra/firewall-schedulers/<policyName>
- make sure to delete the space in the start and end date in the body that was copied. See example below
{
"start_date": " 08/01/2022 ", << remove the space before and after the date
"end_date": " 05/01/2023 ", << remove the space before and after the date
"timezone": "UTC",
"recurring": true,
"time_interval": [
{
"start_interval": "11:00",
"end_interval": "12:30"
}
],
"resource_type": "PolicyFirewallScheduler",
"id": "test",
"display_name": "test",
"path": "/infra/firewall-schedulers/test",
"relative_path": "test",
"parent_path": "/infra",
"remote_path": "",
"unique_id": "02a251c6-01c1-4c71-839e-43af88be2a79",
"realization_id": "02a251c6-01c1-4c71-839e-43af88be2a79",
"owner_id": "b0545bde-4144-42f2-bd76-d0b6bfea3e6e",
"marked_for_delete": false,
"overridden": false,
"_system_owned": false,
"_create_time": 1721113533314,
"_create_user": "admin",
"_last_modified_time": 1721652794496,
"_last_modified_user": "admin",
"_protection": "NOT_PROTECTED",
Issue 2 - The date has an invalid year value.
- Find the problematic time-based firewall policy in the NSX UI.
- Edit the time window start/end date to the correct year. For example in the above screenshot the start/end date has the incorrect year with 5 digits. To fix the issue, change it to a 4 digit year.
Note: The date in the time-based firewall policy should be in mm/dd/yyyy format.
Feedback
Yes
No
Powered by
