IP address subnets missing from an Antrea NSGroup after an upgrade from 4.1.x to 4.2.x

Article ID: 407064

Products

VMware NSX, VMware vDefend Firewall, VMware Container Networking with Antrea

Issue/Introduction

  • IP address subnets are missing from an Antrea NSGroup after an upgrade from 4.1.x to 4.2.x.
  • For the affected NSGroup:
    • The corresponding entry in the Group table of the Corfu DB (corfu_tool_runner.py -t Group -n nsx -o showTable) has the IP address subnets present under the "ipAddressExpressionNode" key.
    • The corresponding entry in the InternalGroup table of the Corfu DB (corfu_tool_runner.py -t InternalGroup -n nsx -o showTable) does NOT have the IP address subnets present under the "ipAddressExpressionNode" key.

Environment

VMware NSX 4.2.1.x with Antrea Container Cluster Integration

Cause

A delta sync operation that occurred for the affected NSGroup after the upgrade may have caused this issue.

Resolution

To resolve the issue, update the NSGroup with the missing IP subnets using a PATCH API call.

1. Run the following GET API call with the path of the affected NSGroup

GET https://<NSX_MANAGER_IP_OR_FQDN>/policy/api/v1/infra/domains/<domain>/groups/<groupname>

Example:

curl -k -u admin -H "Content-Type: application/json" -X GET https://<NSX_MANAGER_IP_OR_FQDN>/policy/api/v1/infra/domains/default/groups/TestGroup

Result:

{
  "expression": [
    {
      "ip_addresses": [  <<< Note that the above API call does return the IP address subnets for this NSGroup
       "10.10.0.0/24",
       "10.11.0.0/24"

      ],
      "resource_type": "IPAddressExpression",
      ......

    }
  ],
  "extended_expression": [],
  "reference": false,
  "resource_type": "Group",
  "id": "TestGroup",
  "display_name": "TestGroup", <<< Note the display name
  "tags": [
    {
      "scope": "VMs",
      "tag": "VM_3"
    },
    {
      "scope": "VMs",
      "tag": "VM_2"
    },
    {
      "scope": "VMs",
      "tag": "VM_1"
    }
  ],
  "path": "/infra/domains/default/groups/TestGroup",
  "relative_path": "TestGroup",
  "parent_path": "/infra/domains/default",
  "remote_path": "",

  .......


  "_last_modified_user": "admin",
  "_revision": 3
}

2. Run the following PATCH API call with a body containing the "display_name" key and the "expression" key with its "ip_addresses" list, taken from the above output. The header 'X-Allow-Overwrite: True' must also be added.

Example (take the "display_name" value and the required subnets for the "ip_addresses" key from the previous output):

curl -s -k -u admin -H "Content-Type:application/json" -H "X-Allow-Overwrite: True" -X PATCH https://<NSX_MANAGER_IP_OR_FQDN>/policy/api/v1/infra/domains/default/groups/TestGroup -d '{
  "display_name": "TestGroup",
  "expression": [
    {
      "resource_type": "IPAddressExpression",
      "ip_addresses": [
        "10.10.0.0/24",
        "10.11.0.0/24"
      ]
    }
  ]
}'

3. The above PATCH API call should return a 200 OK, and the IP address subnets should then be populated in the affected NSGroup.
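
One way to build the step 2 PATCH body from the saved step 1 GET output instead of copying the values by hand. This is an added example, not part of the original article or of any VMware tooling; the function names, the acceptance of a-b address ranges, and the refusal to handle expression entries other than IPAddressExpression are assumptions made here.

```python
import ipaddress
import json

# Constructed sample: the step 1 GET output from the article, with the elided
# fields and the "<<<" annotations left out so that it parses as JSON.
SAMPLE_GET_RESPONSE = """
{"expression": [{"ip_addresses": ["10.10.0.0/24", "10.11.0.0/24"],
                 "resource_type": "IPAddressExpression"}],
 "resource_type": "Group", "id": "TestGroup", "display_name": "TestGroup",
 "_revision": 3}
"""


def _check_entry(entry):
    """Reject anything that is not an IP, a CIDR block or an a-b range."""
    if "-" in entry:  # range form is an assumption; the article only shows CIDR
        low, high = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if low.version != high.version or low > high:
            raise ValueError(f"bad range: {entry}")
    else:
        ipaddress.ip_network(entry, strict=False)
    return entry


def build_patch_body(get_response_text):
    """Return the step 2 PATCH body (dict) built from the step 1 GET output."""
    group = json.loads(get_response_text)
    if group.get("resource_type") != "Group":
        raise ValueError("input is not a Group object")
    expressions = group.get("expression", [])
    other = [e.get("resource_type") for e in expressions
             if e.get("resource_type") != "IPAddressExpression"]
    if other:
        # The article's body carries only an IPAddressExpression; stop rather
        # than guess how other entries should be carried into the PATCH.
        raise ValueError(f"unhandled expression types: {other}")
    subnets = [_check_entry(ip) for e in expressions for ip in e.get("ip_addresses", [])]
    if not subnets:
        raise ValueError("GET output has no ip_addresses to restore")
    return {
        "display_name": group["display_name"],
        "expression": [{"resource_type": "IPAddressExpression",
                        "ip_addresses": subnets}],
    }


if __name__ == "__main__":
    print(json.dumps(build_patch_body(SAMPLE_GET_RESPONSE), indent=2))
```

The printed JSON can be saved to a file and passed to the step 2 curl command with -d @<file>.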