You are using NSX 4.2.1 or earlier with the Distributed Firewall feature.
There is an open alarm "Group Size Limit Exceeded" in the NSX UI for a Group that does not exist in the "Groups" inventory; the Group UUID reported by the alarm cannot be found anywhere in the inventory. See the example error below:
2024-08-10T11:54.321Z WARN Owl-worker-9 ContainerEventsListenerNewImpl 72861 - [nsx@6876 comp="nsx-controller" level="WARNING" subcomp="container"] CONTAINER_WARNING: Container <xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx> has reached the maximum IP/MAC/VIF/LSP/LRP/VM/TN/SID translations limit. Current translations count in Container = IPs:3837, MACs:2779, VIFS:3158, LSPs:3200, LRPs:0, SecurityIDs:0.For optimal system performance, translations in a container should not exceed 10000 .
The Group Size Limit Exceeded alarm may be raised when the total number of members in the firewall ExcludeList (/infra/settings/firewall/security/exclude-list) exceeds the per-Group member size limit, even though the ExcludeList is not a Group.
In the response to the following realized-state API call for the exclusion list, the UUID reported by the alarm is listed as the "realization_specific_identifier":
GET https://<nsx_manager_ip/fqdn>/api/v1/infra/realized-state/realized-entities?intent_path=/infra/settings/firewall/security/exclude-list
The ExcludeList UUID can also be confirmed in /var/log/syslog on the NSX Manager by looking for controller container updates such as the following:
[nsx@6876 comp="nsx-controller" level="INFO" subcomp="container"] processContainers, updatedObjects: [ExcludeList(<<exclude_list_uuid>>)
NOTE: The preceding log excerpts are only examples. Date, time and environmental variables may vary depending on your environment.
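As an added example (not code from this article or from VMware NSX), the Python script below automates the check described above: it parses the controller CONTAINER_WARNING line for the container UUID and translation counts, parses a processContainers syslog line for the ExcludeList UUID, and confirms whether the "Group" UUID named by the alarm is really the realization_specific_identifier returned by the exclude-list realized-state query. All log lines, UUIDs and the JSON response body are constructed for this example; the response fields other than "realization_specific_identifier" and the host name nsx-manager.example.com are assumptions.

```python
"""Correlate an NSX "Group Size Limit Exceeded" alarm with the DFW exclude list.

Added example, not code from the KB article or from VMware/NSX. Every log line,
UUID and JSON body below is constructed for this example; response fields other
than "realization_specific_identifier" are assumptions about the API schema.
"""
import json
import re
from urllib.parse import urlencode

EXCLUDE_LIST_PATH = "/infra/settings/firewall/security/exclude-list"
TRANSLATION_LIMIT = 10000  # threshold quoted in the CONTAINER_WARNING message
UUID_RE = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"

# Constructed sample data (placeholder UUID, not a real identifier).
SAMPLE_UUID = "11111111-2222-3333-4444-555555555555"
CONTAINER_WARNING_LINE = (
    '2024-08-10T11:54:00.321Z WARN Owl-worker-9 ContainerEventsListenerNewImpl 72861 - '
    '[nsx@6876 comp="nsx-controller" level="WARNING" subcomp="container"] '
    f'CONTAINER_WARNING: Container <{SAMPLE_UUID}> has reached the maximum '
    'IP/MAC/VIF/LSP/LRP/VM/TN/SID translations limit. Current translations count in '
    'Container = IPs:3837, MACs:2779, VIFS:3158, LSPs:3200, LRPs:0, SecurityIDs:0.'
    'For optimal system performance, translations in a container should not exceed 10000 .'
)
PROCESS_CONTAINERS_LINE = (
    '[nsx@6876 comp="nsx-controller" level="INFO" subcomp="container"] '
    f'processContainers, updatedObjects: [ExcludeList({SAMPLE_UUID})]'
)
REALIZED_ENTITIES_RESPONSE = json.dumps({
    "results": [{
        "entity_type": "RealizedGroup",           # assumed field
        "realization_specific_identifier": SAMPLE_UUID,
        "intent_reference": [EXCLUDE_LIST_PATH],  # assumed field
        "state": "REALIZED",                      # assumed field
    }],
    "result_count": 1,
})


def build_realized_entities_url(manager, intent_path=EXCLUDE_LIST_PATH):
    """URL of the realized-state query from the article (issue as GET with NSX credentials)."""
    query = urlencode({"intent_path": intent_path}, safe="/")
    return f"https://{manager}/api/v1/infra/realized-state/realized-entities?{query}"


def parse_container_warning(line):
    """Return (container_uuid, {translation_type: count}) or None if not a warning line."""
    m = re.search(rf"Container <?({UUID_RE})>? has reached", line)
    if not m:
        return None
    tail = line.partition("Container =")[2]  # "IPs:3837, MACs:2779, ..." onwards
    counts = {name: int(value) for name, value in re.findall(r"(\w+):(\d+)", tail)}
    return m.group(1), counts


def total_translations(counts):
    return sum(counts.values())


def exceeds_limit(counts, limit=TRANSLATION_LIMIT):
    """True when the container is past the 10000-translation guidance in the log."""
    return total_translations(counts) > limit


def parse_exclude_list_uuid(line):
    """Return the UUID inside 'ExcludeList(<uuid>)' in a processContainers line, or None."""
    m = re.search(rf"ExcludeList\(({UUID_RE})\)", line)
    return m.group(1) if m else None


def realized_identifiers(response_body):
    """Map realization_specific_identifier -> entity for a realized-entities response."""
    data = json.loads(response_body)
    return {e["realization_specific_identifier"]: e
            for e in data.get("results", []) if "realization_specific_identifier" in e}


def correlate_alarm(alarm_group_uuid, response_body, syslog_lines=()):
    """Decide whether the alarm's "Group" UUID is really the realized exclude list.

    via_api: the UUID is a realization_specific_identifier in the exclude-list query.
    via_syslog: a processContainers line names the same UUID as an ExcludeList.
    """
    uuid = alarm_group_uuid.lower()
    via_api = uuid in {k.lower() for k in realized_identifiers(response_body)}
    via_syslog = any((parse_exclude_list_uuid(l) or "").lower() == uuid for l in syslog_lines)
    return {"via_api": via_api, "via_syslog": via_syslog,
            "is_exclude_list": via_api or via_syslog}


if __name__ == "__main__":
    container, counts = parse_container_warning(CONTAINER_WARNING_LINE)
    print(f"container {container}: {total_translations(counts)} translations, "
          f"over limit: {exceeds_limit(counts)}")
    print(correlate_alarm(container, REALIZED_ENTITIES_RESPONSE, [PROCESS_CONTAINERS_LINE]))
    print("query:", build_realized_entities_url("nsx-manager.example.com"))
```

In a live environment, replace REALIZED_ENTITIES_RESPONSE with the body returned by the GET request that build_realized_entities_url() produces, and feed the controller lines from /var/log/syslog on the NSX Manager to correlate_alarm(); a result with is_exclude_list set to True confirms that the alarm points at the ExcludeList rather than at a missing Group.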
This is a known issue impacting VMware NSX. The ExcludeList used by the firewall is incorrectly identified as a Group, so the per-Group size check raises the alarm against the ExcludeList UUID, which does not appear in the "Groups" inventory.
To work around this issue, use one of the following options: