DFW Rules failed status due to a "Custom URL" used in a context profile in DFW

Article ID: 380320

Updated On:

Products

VMware NSX Firewall, VMware vDefend Firewall, VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

Multiple DFW rules in NSX show a failed status.

Error Code = '1000', Error Message = 'Invalid distributed firewall rule received.', Affected Entities = '[]'.

- Logs will have "Bad container" error messages around the time of the DFW publish:

ESXi logs /var/run/log/nsx-syslog.log

2024-10-17T21:38:10.076Z In(182) cfgAgent[2099469]: NSX 2099469 - [nsx@6876 comp="nsx-controller" subcomp="cfgAgent" tid="AD26E700" level="info"] dfw: Update runtime status to nestdb (error, meta info): 1000,
  Bad container: c9778a69-37d2-4f48-8234-c1584468c409
2024-10-17T21:38:10.076Z In(182) cfgAgent[2099469]: NSX 2099469 - [nsx@6876 comp="nsx-controller" subcomp="cfgAgent" tid="AD26E700" level="info"] dfw: validate DfwMsgCache failed
2024-10-17T21:38:10.076Z In(182) cfgAgent[2099469]: NSX 2099469 - [nsx@6876 comp="nsx-controller" subcomp="cfgAgent" tid="AD26E700" level="info"] NestdbClient: Get processed barrier update when main vdb is 1,
 caching for verticalId 1, barrierNum 324355.
2024-10-17T21:38:10.076Z Er(179) cfgAgent[2099469]: NSX 2099469 - [nsx@6876 comp="nsx-controller" subcomp="cfgAgent" tid="AD26E700" level="error" errorCode="LCP01155"] dfw: Failed to process request

NSX Manager logs /var/log/proton/nsxapi.log

2024-10-21T17:51:04.942Z <NSX Manager FQDN> NSX 4548 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Returning current realization status 'Status = 'ERROR', Message = ''3' transport nodes have reported errors.', TNs = '[TN = '4b61468f-60de-45da-9e4f-c20bdab2b06c', Status = 'ERROR', Message = '', Errors = '[Error Code = '1000', Error Message = ' Bad container: c9778a69-37d2-4f48-8234-c1584468c409', Affected Entities = '[]'.]'., TN = 'bfe19862-2765-484a-b39c-7e97ea3cd208', Status = 'ERROR', Message = '', Errors = '[Error Code = '1000', Error Message = ' Bad container: c9778a69-37d2-4f48-8234-c1584468c409', Affected Entities = '[]'.]'., TN = 'f1e53031-8cad-4ee1-aa04-a4940c4f1d3b', Status = 'ERROR', Message = '', Errors = '[Error Code = '1000', Error Message = ' Bad container: c9778a69-37d2-4f48-8234-c1584468c409', Affected Entities = '[]'.]'.]', Pending Changes = '[]'.' for entity 'FirewallSection/20e2ad63-d842-4209-bf68-770dd6bc8ece'.

- The rule in question:

rule 11368 at 84 inout protocol tcp strict from addrset rsrc11368 to any port 443 with attribute profile c9778a69-37d2-4f48-8234-c1584468c409 accept;

Environment

NSX 4.1.1.0

Cause

"Custom URL" was used rather than "Domain (FQDN) Name" as the attribute type when creating the Context Profile.

FQDN filtering DFW rules require the "Domain (FQDN) Name" attribute type. See the admin guide for more information: https://docs.vmware.com/en/VMware-NSX/4.2/administration/GUID-63262728-CA72-47D2-8E4F-16617B63A9A4.html

Resolution

Workaround:

  • Search the NSX UI for the Context Profile (container) ID shown in the logs (the UUID after "Bad container:", which is also the "attribute profile" UUID in the rule) to identify the offending Context Profile.
  • Change the Context Profile's attribute type from "Custom URL" to "Domain (FQDN) Name", then republish the DFW configuration. After refreshing the status of each rule, it should now show "Success".
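An added example (not from the KB or from VMware) that automates the first workaround step: it pulls the "Bad container" IDs, the transport nodes that reported them and the firewall section out of nsx-syslog.log / nsxapi.log excerpts, re-joining syslog continuation lines first, and then matches those IDs against the "attribute profile" references in the rule listing to name the rules that will show a failed status. The sample lines are constructed from the excerpts above; the manager host name and the second rule's profile UUID are made up.

```python
import re
from collections import defaultdict
# Constructed sample input modelled on the KB's nsx-syslog.log / nsxapi.log
# excerpts and the rule listing (the second rule's profile UUID is made up).
SAMPLE_LOGS = """\
2024-10-17T21:38:10.076Z In(182) cfgAgent[2099469]: NSX 2099469 - [nsx@6876 comp="nsx-controller" subcomp="cfgAgent" tid="AD26E700" level="info"] dfw: Update runtime status to nestdb (error, meta info): 1000,
  Bad container: c9778a69-37d2-4f48-8234-c1584468c409
2024-10-17T21:38:10.076Z Er(179) cfgAgent[2099469]: NSX 2099469 - [nsx@6876 comp="nsx-controller" subcomp="cfgAgent" tid="AD26E700" level="error" errorCode="LCP01155"] dfw: Failed to process request
2024-10-21T17:51:04.942Z nsxmgr.example.local NSX 4548 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Returning current realization status 'Status = 'ERROR', Message = ''2' transport nodes have reported errors.', TNs = '[TN = '4b61468f-60de-45da-9e4f-c20bdab2b06c', Status = 'ERROR', Message = '', Errors = '[Error Code = '1000', Error Message = ' Bad container: c9778a69-37d2-4f48-8234-c1584468c409', Affected Entities = '[]'.]'., TN = 'bfe19862-2765-484a-b39c-7e97ea3cd208', Status = 'ERROR', Message = '', Errors = '[Error Code = '1000', Error Message = ' Bad container: c9778a69-37d2-4f48-8234-c1584468c409', Affected Entities = '[]'.]'.]', Pending Changes = '[]'.' for entity 'FirewallSection/20e2ad63-d842-4209-bf68-770dd6bc8ece'.
"""
SAMPLE_RULES = """\
rule 11368 at 84 inout protocol tcp strict from addrset rsrc11368 to any port 443 with attribute profile c9778a69-37d2-4f48-8234-c1584468c409 accept;
rule 11369 at 85 inout protocol tcp strict from addrset rsrc11369 to any port 443 with attribute profile 0f3e2c1d-1111-4222-8333-444455556666 accept;
rule 11370 at 86 inout protocol any from any to any accept;
"""
UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
BAD_CONTAINER = re.compile(r"Bad container:\s*(" + UUID + ")")
TN_ERROR = re.compile(r"TN = '(" + UUID + r")'.*?Bad container:\s*(" + UUID + ")")
SECTION = re.compile(r"for entity '(FirewallSection/" + UUID + ")'")
RULE = re.compile(r"^rule (\d+) .* with attribute profile (" + UUID + ")", re.M)

def join_continuations(log_text):
    """Re-join messages that syslog wrapped onto indented continuation lines."""
    lines = []
    for line in log_text.splitlines():
        if line[:1].isspace() and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def bad_containers(log_text):
    """Map each 'Bad container' (context profile) ID to the TNs and sections reporting it."""
    found = defaultdict(lambda: {"tns": set(), "sections": set()})
    for line in join_continuations(log_text):
        sections = SECTION.findall(line)
        for cid in set(BAD_CONTAINER.findall(line)):
            found[cid]["sections"].update(sections)
        for tn, cid in TN_ERROR.findall(line):
            found[cid]["tns"].add(tn)
    return dict(found)

def rules_using(rule_text, container_ids):
    """Return {container_id: [rule numbers]} for rules whose attribute profile is a bad container."""
    hits = defaultdict(list)
    for rule_no, cid in RULE.findall(rule_text):
        if cid in container_ids:
            hits[cid].append(int(rule_no))
    return dict(hits)
```

Feed it the real log files and the vsipioctl rule output from an affected host; each container ID it returns is the Context Profile to search for in the NSX UI.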