NSX Federation - Site specific group does not get realized in other local site and policy show status as failed.
search cancel

NSX Federation - Site specific group does not get realized in other local site and policy show status as failed.

book

Article ID: 388686

calendar_today

Updated On:

Products

VMware vDefend Firewall

Issue/Introduction

- NSX Federation system with NSX version 3.2.0.x or Federation was upgraded from 3.2.0.x to 3.2.1 or later NSX version.
- Have site specific group been configured and applied to a firewall rule.
- When click "check status" from firewall policy, similar to below error shows from Global manager UI.


- From local manager could see similar to below "realization failure" message from syslog.

2025-02-15T21:55:06.539Z nsx-manager NSX 5499 POLICY [nsx@6876 comp="nsx-manager" errorCode="PM0" level="ERROR" subcomp="manager"] Created alarm Alarm [policyPath=/global-infra/realized-state/enforcement-points/default/firewalls/firewall-sections/default.infro-policies/alarms/25c8f828-5fcd-4fb1-xxxx-xxxxxxxxxxxx, message=Realization failure, waiting for realization of {1} path=[[/global-infra/domains/LM-01-3201/groups/LM-01_region_group_2]], Realization will be reattempted in next cycle (max 5 minutes),errorId=PROVIDER_INVOCATION_FAILURE, path=null, apiError=error_code=500042, module_name=Policy, error_message='Realization failure, waiting for realization of {1} path=[[/global-infra/domains/LM-01-3201/groups/LM-01_region_group_2]], Realization will be reattempted in next cycle (max 5 minutes)'#012  details='Realization failure, waiting for realization of  path=[{/global-infra/domains/LM-01-3201/groups/LM-01_region_group_2}], Realization will be reattempted in next cycle (max 5 minutes)', sourceSiteId=null]

Environment

NSX Federation system with NSX version 3.2.0.x or previous version

Cause

In NSX Data Center version 3.2.0.x, a known issue prevented site-specific groups from being realized on other local managers.
This problem was addressed in NSX 3.2.1 and later NSX version.

 

Resolution

Fix:

To resolve this issue,  upgrade to  NSX 3.2.1.x or later.

Note: If a site specific group was created in the affected NSX version and then upgraded to a fixed version, the same issue may still occur after the upgrade.
In this case, the following steps are recommended as a workaround:

  • Create a new site specific group with the same criteria but a different name, and use it in the affected firewall rules.
  • Onboard a new local site. (The new local site can be removed immediately from the Federation system after onboarding.)

 

 

Powered by Wolken Software