Service entries missing while viewing DFW/GFW rules in NSX-T UI
Article ID: 401644

Products

VMware vDefend Firewall

Issue/Introduction

  • The user is running NSX-T 4.2.x or 9.0.
  • The user has created a service group, for example "dns", containing two service entries: TCP with destination port 53 and UDP with destination port 53.
    • The issue is not specific to "dns" and can occur with any user-created service that carries both a TCP and a UDP entry, for example "ssh".
    • Under Inventory --> Services in the NSX-T UI the newly created service group shows both service entries as expected.

  • The user has configured a DFW or Gateway firewall rule that uses a service group like the one above.
    • In the DFW/Gateway Firewall rule view only the TCP service entry is displayed; the UDP entry is missing.

  • Checking the DFW rules realized on the ESXi host shows the rule configured correctly with both the TCP and UDP port 53 entries (see the NSX documentation on how to check the DFW rules configured on ESXi hosts):

rule 1001 at 5 inout protocol tcp strict from any to any port 53 accept;
rule 1001 at 6 inout protocol udp from any to any port 53 accept;

  • Renaming the service group does not resolve the issue, because renaming changes only the display name and not the intent path that causes the conflict.

NOTE: The preceding log excerpts are only examples; dates, times and environment-specific values will vary in your environment.

Environment

VMware vDefend Firewall

Cause

  • The issue is caused by a conflict in the intent path that was created for the service group.
    • The intent path is fixed when the service is created and is not changed by later renaming. The UI's "get service entries" call filters on the service path case-insensitively, so when a user-created service (for example "dns") has a path that differs only in case from an already existing service path (for example the system-created "DNS"), the filter matches both records and multiple records are returned. The rule view then shows only a subset of the group's entries.

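As an added example, not part of this article or of VMware's own tooling, the following Python script shows the two checks a practitioner would want here: parsing the host-side rule lines quoted in the Issue section (assumed to come from `vsipioctl getrules` on the ESXi host) to confirm that both the TCP and UDP entries are actually enforced regardless of what the UI displays, and scanning a list of NSX Policy service paths for names that differ only in letter case, which is the collision this Cause section describes. The sample rule lines and service paths are constructed; the `/infra/services/...` paths and the `{"results": [{"path": ...}]}` shape returned by GET /policy/api/v1/infra/services are assumptions about the Policy API.

```python
"""Added example: two checks for the service-entry display issue.

Not from the KB article or from VMware. Assumptions: the host-side rule lines
come from `vsipioctl getrules` on an ESXi host, and NSX Policy services are
listed by GET /policy/api/v1/infra/services as {"results": [{"path": ...}]}.
"""
import re
from collections import defaultdict

# Constructed sample: the two rule lines quoted in the article, one TCP and
# one UDP entry for the same rule id, as realized on the ESXi host.
SAMPLE_VSIPIOCTL = """\
rule 1001 at 5 inout protocol tcp strict from any to any port 53 accept;
rule 1001 at 6 inout protocol udp from any to any port 53 accept;
"""

# Constructed sample of Policy service paths: the system-created "DNS" and a
# user-created "dns" group differ only in case (paths are assumed examples).
SAMPLE_SERVICE_PATHS = [
    "/infra/services/DNS",
    "/infra/services/DNS-UDP",
    "/infra/services/SSH",
    "/infra/services/dns",
    "/infra/services/my-app",
]

RULE_RE = re.compile(
    r"rule (?P<id>\d+) at (?P<pos>\d+) (?P<dir>\S+) protocol (?P<proto>\S+)"
    r"(?: strict)? from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: port (?P<port>\S+))? (?P<action>\w+);?$"
)


def parse_vsipioctl(text):
    """Parse rule lines into dicts; lines that do not match the grammar are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule["id"] = int(rule["id"])
            rules.append(rule)
    return rules


def protocols_for_rule(text, rule_id, port):
    """Protocols the host enforces for rule_id on the given destination port."""
    return {r["proto"] for r in parse_vsipioctl(text)
            if r["id"] == rule_id and r["port"] == str(port)}


def rule_has_tcp_and_udp(text, rule_id, port):
    """True when both a TCP and a UDP entry are realized for the rule and port."""
    return {"tcp", "udp"} <= protocols_for_rule(text, rule_id, port)


def service_paths_from_list_result(result):
    """Extract service paths from a Policy list result (assumed response shape)."""
    return [svc["path"] for svc in result.get("results", []) if "path" in svc]


def case_insensitive_collisions(paths):
    """Group paths that differ only in letter case; these trip the UI's filter."""
    groups = defaultdict(list)
    for path in paths:
        groups[path.lower()].append(path)
    return {key: members for key, members in groups.items() if len(members) > 1}


if __name__ == "__main__":
    print("rule 1001 port 53 protocols:",
          sorted(protocols_for_rule(SAMPLE_VSIPIOCTL, 1001, 53)))
    for members in case_insensitive_collisions(SAMPLE_SERVICE_PATHS).values():
        print("case-insensitive collision:", members)
```

To use it against a real environment, feed the output of the host-side rule dump into parse_vsipioctl and the JSON from the service list API into service_paths_from_list_result. Any collision reported identifies a service whose entries may be shown incompletely in the rule view; the host-side check is what confirms the policy that is actually enforced, and that is the result to trust.
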
Resolution

  • Use the system-created services where they already exist instead of creating a service whose name differs from a system-created one only in case.
    • No workaround is required: the issue is cosmetic only. The rule is realized and enforced correctly on the ESXi hosts, as the host-side rule output above shows.

This issue will be resolved in a future release of NSX-T.