Group Size Limit Exceeded Alarm is seen for a group not present in NSX Manager

Article ID: 395241

Products

  • VMware NSX
  • VMware vDefend Firewall

Issue/Introduction

  • You are using NSX 4.2.1 or earlier with the Distributed Firewall feature.
  • There is an open “Group Size Limit Exceeded” alarm in the NSX UI for a Group that does not exist in the “Groups” inventory:
    Group (UUID:ab12###-####-####-####-######cd34,Path:/infra/segments/xy89###-####-####-####-######vw21) has at least 10011 translated elements which is at or greater than the maximum numbers limit of 10000.
    This can result in long processing times and can lead to timeouts and outages. The current count for each element type is as follows. IP Addresses:504, MAC Addresses:582, VIFS:4462, Logical switch ports:4463, Logical router ports:0, AdGroups:0.   
  • The Group UUID (ab12###-####-####-####-######cd34 in the sample above) cannot be found in the inventory.
  • The Group UUID is also not found by NSX Manager's global search tool.
  • In NSX Manager's /var/log/cloudnet/nsx-ccp.log, you see logging similar to the sample below:
    2024-08-10T11:54.321Z  WARN Owl-worker-9 ContainerEventsListenerNewImpl 72861 - [nsx@6876 comp="nsx-controller" level="WARNING" subcomp="container"] CONTAINER_WARNING: Container <xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx> has reached the maximum IP/MAC/VIF/LSP/LRP/VM/TN/SID translations limit. Current translations count in Container = IPs:3837, MACs:2779, VIFS:3158, LSPs:3200, LRPs:0, SecurityIDs:0.For optimal system performance, translations in a container should not exceed 10000 .
  • The Group Size Limit Exceeded alarm may be raised when the total number of members in a Firewall Rule Exclude List or in a Segment exceeds the per-Group member size limit, because the Exclude List and Segments are being identified as Groups.
  • In the response to the exclusion list REST API call, the Group UUID is listed as the "realization_specific_identifier":
    GET https://<nsx_manager_ip/fqdn>/api/v1/infra/realized-state/realized-entities?intent_path=/infra/settings/firewall/security/exclude-list
  • The Exclude List UUID can also be confirmed in NSX Manager's /var/log/syslog file by looking for controller container updates:
    [nsx@6876 comp="nsx-controller" level="INFO" subcomp="container"] processContainers, updatedObjects: [ExcludeList(<<exclude_list_uuid>>)
  • To confirm that an object is a Segment, review the alarm in the UI, which shows both the UUID and the policy path. For a Segment, the policy path contains the substring "/infra/segments/".

NOTE: The preceding log excerpts are only examples. Dates, times and environment-specific values will vary depending on your environment.
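To triage such an alarm offline, the following added Python script (not part of this KB) parses the alarm description, checks the policy path for the "/infra/segments/" substring, and matches the alarm UUID against Exclude List identifiers collected from the syslog line and from the realized-entities API response. The sample alarm texts, syslog line, JSON body and UUIDs are constructed, and the {"results": [...]} response shape is an assumption rather than something the KB states.

```python
import json
import re

# Alarm text shape quoted in this KB: "Group (UUID:<id>,Path:<path>) has at least N ..."
ALARM_RE = re.compile(r"Group \(UUID:(?P<uuid>[^,]+),Path:(?P<path>[^)]+)\) has at least (?P<n>\d+)")
COUNT_RE = re.compile(r"([A-Za-z ]+?):(\d+)")            # "IP Addresses:504", "VIFS:4462", ...
EXCLUDE_LOG_RE = re.compile(r"ExcludeList\(([^)]+)\)")   # from controller processContainers lines

def parse_alarm(description):
    """Return the UUID, policy path, total and per-type member counts found in the alarm text."""
    m = ALARM_RE.search(description)
    if m is None:
        raise ValueError("not a Group Size Limit Exceeded alarm description")
    counts = {k.strip(): int(v) for k, v in COUNT_RE.findall(description[m.end():])}
    return {"uuid": m.group("uuid"), "path": m.group("path"), "total": int(m.group("n")), "counts": counts}

def exclude_list_ids_from_syslog(lines):
    """ExcludeList UUIDs named in controller 'processContainers, updatedObjects' syslog lines."""
    return {u for line in lines if "processContainers" in line for u in EXCLUDE_LOG_RE.findall(line)}

def exclude_list_ids_from_api(body):
    """realization_specific_identifier values from a realized-entities response body.
    Assumes the usual NSX list shape {"results": [...]} (an assumption, not stated in the KB)."""
    return {e["realization_specific_identifier"] for e in json.loads(body).get("results", [])
            if "realization_specific_identifier" in e}

def classify_alarm(description, exclude_list_ids):
    """Say whether the alarmed 'Group' is really a Segment, the DFW Exclude List, or a real Group."""
    alarm = parse_alarm(description)
    if "/infra/segments/" in alarm["path"]:
        return "segment"
    if alarm["uuid"] in exclude_list_ids:
        return "exclude-list"
    return "group"

# Constructed sample inputs (all UUIDs are made up), mirroring the KB's log excerpts.
SEGMENT_ALARM = ("Group (UUID:11111111-1111-1111-1111-111111111111,Path:/infra/segments/22222222-2222-2222-2222-222222222222)"
                 " has at least 10011 translated elements which is at or greater than the maximum numbers limit of 10000."
                 " The current count for each element type is as follows. IP Addresses:504, MAC Addresses:582, VIFS:4462,"
                 " Logical switch ports:4463, Logical router ports:0, AdGroups:0.")
EXCLUDE_ALARM = ("Group (UUID:33333333-3333-3333-3333-333333333333,Path:/infra/settings/firewall/security/exclude-list)"
                 " has at least 10400 translated elements which is at or greater than the maximum numbers limit of 10000."
                 " The current count for each element type is as follows. IP Addresses:3837, MAC Addresses:2779, VIFS:3158,"
                 " Logical switch ports:3200, Logical router ports:0, AdGroups:0.")
SYSLOG_LINES = ['[nsx@6876 comp="nsx-controller" level="INFO" subcomp="container"] processContainers, updatedObjects:'
                ' [ExcludeList(33333333-3333-3333-3333-333333333333)]']
API_BODY = json.dumps({"results": [{"realization_specific_identifier": "33333333-3333-3333-3333-333333333333"}]})

if __name__ == "__main__":
    ids = exclude_list_ids_from_syslog(SYSLOG_LINES) | exclude_list_ids_from_api(API_BODY)
    for text in (SEGMENT_ALARM, EXCLUDE_ALARM):
        print(classify_alarm(text, ids), parse_alarm(text)["counts"])
```

A result of "segment" or "exclude-list" means the alarm is the false positive this KB describes; "group" means the UUID is neither and should be looked up as a real Group.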

Environment

  • VMware NSX-T Data Center 3.2.x
  • VMware NSX 4.2.1 and earlier
  • VMware vDefend Firewall

Cause

This is a known issue affecting VMware NSX.

The Exclude List used by firewall rules, and Segments, are incorrectly identified as Groups, so the per-Group member size limit is applied to them.

Resolution

This issue is resolved in VMware NSX 4.2.2, and in VCF 9.0.0, available at Broadcom downloads.

If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.

Workaround

To work around this issue, use one of the following options:

  • Ignore the alarm, as it is a false alarm.
  • Reduce the number of members in the Firewall Exclude List.
  • Clean up any stale NSX logical ports on the Segment.