NSX-T generates capacity alarm for System Wide Total Gateway Firewall Rules

Article ID: 387011

Updated On:

Products

VMware NSX

VMware NSX Firewall

Issue/Introduction

  • NSX is running in the environment at version 3.x, 4.0.x or 4.1.x.
  • The NSX appliance VM has been deployed with the medium size form factor.
  • The NSX-T UI shows a capacity alarm for System Wide Total Gateway Firewall Rules.

  • Log entries similar to the following are reported in /var/log/syslog on the NSX Manager:

NSX 3758 MONITORING [nsx@6876 alarmId="05274963-dbc0-47e1-bd6d-c574b2d36c8b" alarmState="OPEN" comp="nsx-manager" entId="########-####-####-####-############" errorCode="MP701099" eventFeatureName="capacity" eventSev="HIGH" eventState="On" eventType="maximum_capacity_threshold" level="ERROR" nodeId="########-####-####-####-############" subcomp="monitoring"] The number of objects defined in the system for System wide Total Gateway Firewall Rules has reached 401 which is above the maximum capacity threshold of 100.0%.

Environment

VMware NSX

VMware NSX Firewall

Cause

  • This is expected behavior: the system-wide total for gateway firewall rules has a max_supported_count of 400, and the alarm is raised once usage goes above the maximum capacity threshold.
  • This number can be retrieved with the API call GET https://<nsxmanagerIP>/policy/api/v1/infra/capacity/dashboard/usage

For example, output similar to the following shows a max_supported_count of 400 for an NSX medium appliance:

    "usage_type" : "NUMBER_OF_GATEWAY_POLICY",
    "display_name" : "System wide Total Gateway Firewall Rules",
    "current_usage_count" : 401,
    "max_supported_count" : 400,
    "min_threshold_percentage" : 70.0,
    "max_threshold_percentage" : 100.0,
    "current_usage_percentage" : 100.25,
    "severity" : "CRITICAL"

Resolution

There are a few options to clear the alarm on an NSX medium appliance:

  • Reduce the number of gateway firewall rules by deleting rules or optimizing the firewall rule configuration.
  • Upsize the NSX-T appliance from medium size to large size.
  • Upgrade NSX to version 4.2.x.

Additional Information

The "System Wide Total Gateway Firewall Rules" limits for an NSX-T medium appliance are:

  • Prior to NSX-T version 4.2, the number is 400.
  • In NSX 4.2.x, the number is 10000 (10k).
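
The capacity usage output shown under Cause can be checked before the alarm fires. The following is an added example, not code from this article or from VMware: it takes a parsed response from the usage API, lists every object at or above one of its thresholds, and works out how many objects would have to be removed to drop below the minimum threshold. Assumptions: the entries sit under a "capacity_usage" key, reaching a threshold counts as breaching it, and the second sample entry is constructed.

```python
import json
import math

# Constructed sample response. The first entry uses the fields and values shown
# on this page; the "capacity_usage" wrapper key and the second entry are
# assumptions made for this example.
SAMPLE_RESPONSE = json.loads("""
{"capacity_usage": [
  {"usage_type": "NUMBER_OF_GATEWAY_POLICY",
   "display_name": "System wide Total Gateway Firewall Rules",
   "current_usage_count": 401, "max_supported_count": 400,
   "min_threshold_percentage": 70.0, "max_threshold_percentage": 100.0,
   "current_usage_percentage": 100.25, "severity": "CRITICAL"},
  {"usage_type": "EXAMPLE_OBJECT_TYPE",
   "display_name": "Constructed example object",
   "current_usage_count": 150, "max_supported_count": 200,
   "min_threshold_percentage": 70.0, "max_threshold_percentage": 100.0,
   "current_usage_percentage": 75.0}
]}
""")


def classify(entry):
    """Return 'over_max', 'over_min' or 'ok' using the entry's own thresholds."""
    pct = entry.get("current_usage_percentage")
    if pct is None:  # recompute when the field is absent
        pct = 100.0 * entry["current_usage_count"] / entry["max_supported_count"]
    if pct >= entry["max_threshold_percentage"]:
        return "over_max"
    if pct >= entry["min_threshold_percentage"]:
        return "over_min"
    return "ok"


def capacity_report(response, list_key="capacity_usage"):
    """List objects at or above a threshold, most over-committed first."""
    rows = []
    for entry in response.get(list_key, []):
        state = classify(entry)
        if state == "ok":
            continue
        used, limit = entry["current_usage_count"], entry["max_supported_count"]
        # Largest count that still stays below the minimum threshold.
        quiet = math.ceil(limit * entry["min_threshold_percentage"] / 100) - 1
        rows.append({"name": entry["display_name"], "state": state,
                     "headroom": limit - used,  # negative: over the supported maximum
                     "remove_to_clear_min": used - quiet})
    return sorted(rows, key=lambda r: r["headroom"])
```

For the values on this page, the report puts the gateway firewall rules entry first with a headroom of -1, and shows that 122 rules would have to go to fall below the 70% minimum threshold on a 400-rule limit.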