"Failed to fetch System details" error 513002 when searching in NSX Manager UI

Products

VMware NSX

Issue/Introduction

After upgrading NSX from version 3.2.2.0 to 4.2.2.1, users may encounter an error "Failed to fetch System details". As a result, functionalities such as viewing alarms, expanding Distributed Firewall (DFW) rules, and accessing the NS Services tab in policy mode may not work correctly.

Environment

NSX 4.2.0 and beyond.

Cause

After upgrading, the NSX Manager UI may report a “Failed to fetch System details” error due to the presence of disallowed characters in policy object paths. This results in a failure during search indexing operations, which restricts access to Policy-related objects in the NSX UI.

Observed error in logs:

Root cause:
Starting in NSX 4.2.0, a change was introduced to disallow certain characters in Policy paths. These include:

\t (tab)
\n (Newline (LF))
(Carriage Return (CR))
\0 (Null (ASCII 0))
Unicode characters: \u2028, \u2029 respectively Unicode Line Separator and Unicode Paragraph Separator

If any existing policy object contains these characters (e.g., in the ID or path), it may cause issues with the search indexing mechanism post-upgrade.

Any upgrade from a version prior to 4.2.0 to 4.2.0 or later may be affected by this issue.

Resolution

To identify and resolve this issue, Broadcom provides a Python script to scan for disallowed characters in the policy object IDs using Corfu table dumps.

Steps:

Extract the Corfu dumps using the following commands:

/opt/vmware/bin/corfu_tool_runner.py -n nsx --port 9000 -o showTable -t Service --diskBacked=True > /tmp/Service.txt

/opt/vmware/bin/corfu_tool_runner.py -n nsx --port 9000 -o showTable -t ServiceEntry --diskBacked=True > /tmp/ServiceEntry.txt

/opt/vmware/bin/corfu_tool_runner.py -n nsx --port 9000 -o showTable -t InternalService --diskBacked=True > /tmp/InternalService.txt

/opt/vmware/bin/corfu_tool_runner.py -n nsx --port 9000 -o showTable -t InternalServiceEntry --diskBacked=True > /tmp/InternalServiceEntry.txt

/opt/vmware/bin/corfu_tool_runner.py -n nsx --port 9000 -o showTable -t GenericPolicyRealizedResource --diskBacked=True > /tmp/GenericPolicyRealizedResource.txt
Run the standalone script from the same folder where Corfu dumps are available (/tmp if you ran the above commands):

python3 identify_tabs_in_policy_ids.py
The script will return the line numbers in the payload that contain a disallowed characters. These entries must be manually corrected to allow the upgrade and indexing to proceed successfully. Please connect to the UI and remove these disallowed characters found by the script for the associated NSX entities.

For instance, the below us an example where a disallowed character were found after running the script for the service entry "LDAP-over-SSL-UDP\t" which contains the a tab (\t) at the end of its name:

root@nsx-mngr-01:~/tmp# python3 identify_tabs_in_policy_ids.py

Path ./ServiceEntry.txt: 40: "stringId": "/infra/services/SharePoint_2010/service-entries/LDAP-over-SSL-UDP\t"

To resolve the issue, connect to NSX and remove the tab (\t) in "LDAP-over-SSL-UDP\t" via UI/API then rerun the script to confirm the service entry is not returned again.

Note: If the script does not return any lines, this indicates there are no disallowed tab characters present in the policy object paths.

root@nsx-mngr-01:~/tmp# python3 identify_tabs_in_policy_ids.py
root@nsx-mngr-01:~/tmp#

Attachments

identify_tabs_in_policy_ids.py get_app