Group created or updated by API shows Realization Errors

Article ID: 376350

Products

VMware NSX

Issue/Introduction

  • The Group contains AD Groups.
  • The Group was created or updated through the API.
  • The Group does not show the specified AD Group, even though that group exists on the Domain Controllers.
    For example: PUT /api/v1/infra/domains/default/groups/{Group-ID}
  • The UI shows the following error:
    TX ABORT | Snapshot Time = Token(epoch=0, sequence=<SEQUENCE_NUMBER>) | Failed Transaction ID = <TRANSACTION_ID> | Offending Address = -1 | Conflict Key = 00 | Conflict Stream = <STREAM_UUID> | Cause = UNDEFINED | Time = <MILLISECOND> ms | Message = null
  • /var/log/proton/nsxapi.log shows the following error:
    <TIMESTAMP>  INFO populateRealizedStateTaskExecutor-1-17 ProviderInvocationTask 88022 POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Finished ProviderInvocationTask: <TASK_ID> for provider PrefixlistInternalStoreProvider and operation PopulateRealizedState with 42 paths.
    <TIMESTAMP> ERROR providerTaskExecutor-1-48 PolicyProviderUtil 88022 POLICY [nsx@6876 comp="nsx-manager" errorCode="PM500015" level="ERROR" subcomp="manager"] Unexpected exception received during provider invocation.
    org.corfudb.runtime.exceptions.TransactionAbortedException: TX ABORT  | Snapshot Time = Token(epoch=0, sequence=<SEQUENCE_NUMBER>) | Failed Transaction ID = <TRANSACTION_ID> | Offending Address = -1 | Conflict Key = 00 | Conflict Stream = <STREAM_ID> | Cause = UNDEFINED | Time = <MILLISECOND> ms | Message = null
            at org.corfudb.runtime.object.MVOCorfuCompileProxy.abortTransaction(MVOCorfuCompileProxy.java:215) ~[?:?]

Environment

NSX 4.1

Cause

If no synchronized LDAP entry matches the Distinguished Name (DN) specified in the group, the group fails to realize.

Scheduled synchronization runs as "Sync Delta", which uses the Update Sequence Number (USN) to fetch only the LDAP objects that changed on the Active Directory Domain Controllers since the last sync.

In some scenarios, such as a rollback on a Domain Controller, USNs no longer advance as expected, so some LDAP objects are never picked up by "Sync Delta" even though they exist in the directory.

Resolution

  1. Search the Active Directory Domain Controllers for an LDAP object with the DN specified in the group.
  2. If the LDAP object is found on the Domain Controllers, run "Sync All" from the action bar under System > Identity Firewall AD.

To find the DN specified in the Group, send the GET request below and read the distinguished_name values in the response.

GET /api/v1/infra/domains/default/groups/<GROUP_ID>

Response Example:

{
  "expression" : [ ],
  "extended_expression" : [ {
    "identity_groups" : [ {
      "distinguished_name" : "CN=Users,DC=example,DC=com",
      "domain_base_distinguished_name" : "DC=example,DC=com"
    } ],
    "resource_type" : "IdentityGroupExpression",
    "id" : "<GROUP_ID>",
    "path" : "/infra/domains/default/groups/<GROUP_ID>/identity-group-expressions/<EXPRESSION_ID>",
    "relative_path" : "<RELATIVE_PATH>",
    "parent_path" : "/infra/domains/default/groups/<GROUP_ID>",
    "remote_path" : "",
    "marked_for_delete" : false,
    "overridden" : false,
    "_protection" : "NOT_PROTECTED"
  } ],
  "reference" : false,
  "resource_type" : "Group",
  "id" : "<GROUP_ID>",
  "display_name" : "<GROUP_DISPLAY_NAME>",
  "path" : "/infra/domains/default/groups/<GROUP_ID>",
  "relative_path" : "<GROUP_ID>",
  "parent_path" : "/infra/domains/default",
  "remote_path" : "",
  "unique_id" : "<GROUP_UUID>",
  "realization_id" : "<GROUP_UUID>",
  "owner_id" : "<GROUP_OWNER_UUID>",
  "marked_for_delete" : false,
  "overridden" : false,
  "_create_time" : <CREATE_TIME>,
  "_create_user" : "admin",
  "_last_modified_time" : <LAST_MODIFIED_TIME>,
  "_last_modified_user" : "admin",
  "_system_owned" : false,
  "_protection" : "NOT_PROTECTED",
  "_revision" : 0
}
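The two Resolution steps can be scripted against that GET response. The following Python is an added example, not code from this article or from NSX: it pulls every distinguished_name out of the group's IdentityGroupExpression entries and compares each one against the DNs returned by the Domain Controllers. Both inputs here are constructed samples (the NSX response is trimmed to the fields the check reads, and the DC list stands in for what an ldapsearch or Get-ADObject run would return). Walking both the expression and extended_expression lists, and the case-insensitive DN comparison, are assumptions of the example rather than documented NSX behaviour.

```python
import json

# Constructed sample shaped like the GET /api/v1/infra/domains/default/groups/<GROUP_ID>
# response above, trimmed to the fields this check reads. The second DN is an assumed
# example of a referenced object that does not exist in the directory.
SAMPLE_GROUP_RESPONSE = json.dumps({
    "expression": [],
    "extended_expression": [{
        "resource_type": "IdentityGroupExpression",
        "identity_groups": [
            {"distinguished_name": "CN=Users,DC=example,DC=com",
             "domain_base_distinguished_name": "DC=example,DC=com"},
            {"distinguished_name": "CN=Finance Admins,OU=Groups,DC=example,DC=com",
             "domain_base_distinguished_name": "DC=example,DC=com"},
        ],
    }],
    "resource_type": "Group",
    "id": "<GROUP_ID>",
})

# Constructed stand-in for the DNs an LDAP search of the Domain Controllers returns
# (one DN per directory object found under the domain base).
SAMPLE_DC_DNS = [
    "cn=Users,dc=example,dc=com",
    "CN=Domain Admins,CN=Users,DC=example,DC=com",
]


def normalize_dn(dn):
    """Canonical form for comparison: RDN attribute types and AD naming values
    match case-insensitively, and whitespace around the ',' separators is not
    significant. Simplification: escaped commas inside an RDN value are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def extract_identity_dns(group_json_text):
    """Return every distinguished_name referenced by IdentityGroupExpression entries.
    Both 'expression' and 'extended_expression' are walked (assumption: the identity
    expression may sit in either list)."""
    group = json.loads(group_json_text)
    dns = []
    for key in ("expression", "extended_expression"):
        for expr in group.get(key, []):
            if expr.get("resource_type") != "IdentityGroupExpression":
                continue
            for identity_group in expr.get("identity_groups", []):
                dn = identity_group.get("distinguished_name")
                if dn:
                    dns.append(dn)
    return dns


def triage_group(group_json_text, dc_dns):
    """Map each DN in the group to the next step from the Resolution section:
    'sync_all' when the object exists on the DCs (a missed delta sync is then the
    likely cause), or 'not_on_dc' when nothing in the directory matches the DN,
    which no synchronization can fix."""
    present = {normalize_dn(d) for d in dc_dns}
    return {dn: ("sync_all" if normalize_dn(dn) in present else "not_on_dc")
            for dn in extract_identity_dns(group_json_text)}


if __name__ == "__main__":
    for dn, action in triage_group(SAMPLE_GROUP_RESPONSE, SAMPLE_DC_DNS).items():
        print(f"{action:10} {dn}")
```

DNs reported as sync_all exist in AD, so the group should realize once "Sync All" has imported them; DNs reported as not_on_dc will keep failing to realize until the DN in the group matches an object that actually exists in the directory.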