NSX Upgrade Pre-Check Warning: "Found data inconsistencies: Firewall Global Address set not realized"
search cancel

NSX Upgrade Pre-Check Warning: "Found data inconsistencies: Firewall Global Address set not realized"

book

Article ID: 400448

calendar_today

Updated On:

Products

VMware vDefend Firewall VMware NSX

Issue/Introduction

  • During the upgrade to NSX version 4.2.x, the upgrade pre-check reports a warning at the NSX Manager.


  • The specific warning message is: "Found data inconsistencies: Firewall Global Address set not realized."


  • Although this warning is acknowledged, the "Start Upgrade" button in the NSX UI is not available and the option remains grayed out, blocking further progress. 


  • The NSX environment was previously running version 3.2.0.x.
  • Confirm if the global_addrset_mode_enabled flag is set to true on the NSX manager and ESXi host by following the below steps:

    1. SSH to an NSX manager as the root user.

    2. Check if the global_addrset_mode_enabled flag is set to true on the NSX manager with the following command.  This will prompt for the admin password and display the global_addrset_mode_enabled status:

      # curl -ku 'admin' https://localhost/api/v1/infra/settings/firewall/security | grep global_addrset_mode_enabled
      A matching status will display:  '"global_addrset_mode_enabled" : true,'

    3. Execute the two Corfu tool commands to query the DfwFirewallConfiguration and InternalDfwFirewallConfiguration tables and note the status:

      # /opt/vmware/bin/corfu_tool_runner.py -n nsx -o showTable -t DfwFirewallConfiguration | grep globalAddrsetModeEnabled
      # /opt/vmware/bin/corfu_tool_runner.py -n nsx -o showTable -t InternalDfwFirewallConfiguration | grep globalAddrsetModeEnabled
      A matching status will display '"globalAddrsetModeEnabled": true' for each of those commands.

    4. SSH to an NSX prepared Host Transport Node as the root user.

    5. Observe the global_addrset_mode_enabled status by using below nestdb-cli command:

      # /opt/vmware/nsx-nestdb/bin/nestdb-cli --beautify --json --cmd get vmware.nsx.nestdb.GlobalConfigMsg | grep global_addrset_mode_enabled
      A matching status will display '"global_addrset_mode_enabled" : true,'


  • Check the GPRR table for the dummy entries by using below commands:

    1. SSH to an NSX manager as the root user.

    2. Dump the GenericPolicyRealizedResource (GPRR) table to a text file:

      # /opt/vmware/bin/corfu_tool_runner.py -o showTable -n nsx -t GenericPolicyRealizedResource > GPRR.txt
    3. Search the file GPRR.txt for the following dummy entry: 
      # cat GPRR.txt | grep "_infra_settings_firewall_security"
      This KB applies if there are matching results.

Environment

VMware NSX

Cause

The issue occurs due to an incorrect entry in the corfu database on the NSX manager.

Resolution

This warning will be resolved in an upcoming NSX release. 

To workaround and resolve this warning:

  1. Ensure full backups from all NSX manager nodes are taken: Back Up NSX Manager Data 
  2. It is also recommended to make off line clone of all three NSX managers.
  3. Please open a support case with Broadcom Support and refer to this KB article.  Attach the GPRR.txt file to the case.
Powered by Wolken Software