Unable to update NAT rule created through NCP


Article ID: 405643


Updated On:

Products

VMware NSX

Issue/Introduction

Updating a NAT rule fails:

  • The option to update the NAT rule is greyed out in the NSX UI.
  • An attempt to update the rule via an API call fails with the following result:

{
    "httpStatus": "BAD_REQUEST",
    "error_code": 289,
    "module_name": "common-services",
    "error_message": "Principal 'admin' with role '[enterprise_admin]' attempts to delete or modify an object of type nsx$NatRule it doesn't own. (createUser=$username, allowOverwrite=null)"
}

Environment

VMware NSX 

Cause

The error is returned because allowOverwrite has the value 'null'.

 

Resolution


First, retrieve the NAT rule information; it is used to populate the body of the PUT request that updates the NAT rule. The rule ID can be retrieved through the NSX UI.

Because the rules were created by TKGI through NCP, the NSX admin user must run the following API call with "X-Allow-Overwrite: true" set in the request header.

The following API call can be sent to the virtual IP of the NSX cluster using Postman.

PUT: https://nsxmgrIP/api/v1/logical-routers/######-####-####-###-##########/nat/rules/ruleID
{
    "rule_priority": 1024,
    "action": "SNAT",
    "match_source_network": "##.##.##.##/##",
    "translated_network": "##.##.##.##/##",
    "translated_ports": "",
    "enabled": true,
    "logging": false,
    "logical_router_id": "######-####-####-###-##########",
    "firewall_match": "BYPASS",
    "internal_rule_id": "######-####-####-###-##########",
    "reflexive_internal_rule": false,
    "pb_vpn_mode": "BYPASS",
    "resource_type": "NatRule",
    "id": "$ruleID",
    "display_name": "######-####-####-###-##########",
    "tags": [
        {
            "scope": "ncp/version",
            "tag": "1.2.0"
        },
        {
            "scope": "ncp/cluster",
            "tag": "######"
        },
        {
            "scope": "external_id",
            "tag": "######-####-####-###-##########"
        },
        {
            "scope": "ncp/cf_org_guid",
            "tag": "5######-####-####-###-##########"
        },
        {
            "scope": "ncp/snat",
            "tag": "true"
        },
        {
            "scope": "ncp/extpoolid",
            "tag": "######-####-####-###-##########"
        }
    ],
    "_system_owned": false,
    "_protection": "REQUIRE_OVERRIDE",
    "_create_time": 1719246014307,
    "_create_user": "$Username",
    "_last_modified_time": 1719246014307,
    "_last_modified_user": "$username",
    "_revision": ##
}
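
The two steps above (fetch the rule, then PUT it back with the override header), shown as an added Python example that is not part of the original article. The helper `build_update_request`, the `EDITABLE` allow-list and the sample rule values are hypothetical and constructed for illustration; the rule is assumed to have been fetched with a GET on the same URL.

```python
import json
import urllib.request

# Constructed sample of a fetched rule (placeholder values, not from a real system).
SAMPLE_RULE = {
    "id": "rule-1",
    "logical_router_id": "router-1",
    "resource_type": "NatRule",
    "action": "SNAT",
    "match_source_network": "192.0.2.0/24",
    "translated_network": "198.51.100.10",
    "enabled": True,
    "logging": False,
    "tags": [{"scope": "ncp/snat", "tag": "true"}],
    "_protection": "REQUIRE_OVERRIDE",
    "_revision": 3,
}

# Fields this helper is willing to change; everything else goes back as fetched.
EDITABLE = {"enabled", "logging", "translated_network",
            "match_source_network", "rule_priority"}


def build_update_request(manager, rule, changes):
    """Build the PUT request that updates `rule` with `changes` (hypothetical helper)."""
    unknown = set(changes) - EDITABLE
    if unknown:
        raise ValueError(f"refusing to change fields: {sorted(unknown)}")
    body = dict(rule)      # keeps the NCP tags, id and _revision exactly as fetched
    body.update(changes)
    url = (f"https://{manager}/api/v1/logical-routers/"
           f"{rule['logical_router_id']}/nat/rules/{rule['id']}")
    headers = {"Content-Type": "application/json"}
    # Send the override only for objects that are marked as requiring it.
    if rule.get("_protection") == "REQUIRE_OVERRIDE":
        headers["X-Allow-Overwrite"] = "true"
    # urllib normalises header-name case; HTTP header names are case-insensitive.
    return urllib.request.Request(url, data=json.dumps(body).encode(),
                                  headers=headers, method="PUT")


if __name__ == "__main__":
    req = build_update_request("nsxmgrIP", SAMPLE_RULE, {"logging": True})
    print(req.get_method(), req.full_url)
    print(req.header_items())
```

Authentication and the actual send (for example `urllib.request.urlopen(req)`) are left to the caller.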

Additional Information

If you need assistance with this procedure for updating the NAT rule, contact support at https://support.broadcom.com/web/ecx/software-contact-support