Unable to apply DNS Security Profile to a Group under Custom Project - "Sequence number 65,534 already used"
search cancel

Unable to apply DNS Security Profile to a Group under Custom Project - "Sequence number 65,534 already used"

book

Article ID: 401000

calendar_today

Updated On:

Products

VMware vDefend Firewall VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

  • From NSX UI, User will not be able to apply DNS Security Profile to a Group under custom project if DNS Security Profile is already applied to Group under default project or vice versa.
  • Exception is thrown:

    "Sequence number 65,434 already used by binding map /infra/domains/<domain-id>/groups/<group-id>/dns-security-profile-binding-maps/<binding-map-id>."

 

Environment

NSX 4.X

NSX 9.0

Cause

  • The NSX Manager UI uses sequence number 65,434 for the first DNS Security Profile Binding Map in the default project. It also uses the same sequence number 65,434 for the first DNS Security Profile Binding Map in the custom project.
  • Since the same sequence number is used in the custom project that was already assigned in the default project, a validation error is triggered.

 

NSX Manager Logs: /var/log/proton/nsxapi.log

2025-02-21T10:00:00.349Z ERROR providerTaskExecutor-1-137 NsxTProviderWorkflow 1464818 POLICY [nsx@4413 comp="nsx-manager" errorCode="PM500016" level="ERROR" subcomp="manager"] intentRealizationWorkflow failed with throwable ServiceConfig precedence value 65,534 is duplicate for given profile type [FirewallDnsProfile]. Specified value is present in ServiceConfig ServiceConfig/########-####-####-####-############
com.vmware.nsx.management.policy.policyframework.restutils.NsxTRestException: ServiceConfig precedence value 65,534 is duplicate for given profile type [FirewallDnsProfile]. Specified value is present in ServiceConfig ServiceConfig/########-####-####-####-############
...
...

Resolution

  1. Create DNS Security Profile under custom project but do not apply it to the needed group.
  2. Create DNS Security Profile Binding Map under Group with custom sequence number value which is not used and DNS Security Profile Path using following API.
PATCH https://{{nsx_manager_ip}}/policy/api/v1/orgs/default/projects/<project-id>/infra/domains/<domain-id>/groups/<group-id>/dns-security-profile-binding-maps/<binding-map-id>
{
    "profile_path": "/orgs/default/projects/<project-id>infra/dns-security-profiles/<dns-security-profile-id>",
    "sequence_number": 70000
}
Powered by Wolken Software