Modifications to private IP ranges, flow exclusion filters and prioritization mode are retained even after NSX Manager has been off-boarded - SSP

Article ID: 407706


Products

VMware vDefend Firewall

VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

When a site is off-boarded and then re-onboarded, whether to the same or a new SSP instance, custom configuration changes made by the user are not reset to default values. These changes include:

  • Private IP Ranges - configured via SSP UI → System → Private IP Ranges

  • Flow Exclusion Filters - only configurable through the API (by patching the pace agent config profile). Only applicable to SSP version 5.1 and above.

These settings continue to persist and are automatically re-applied during re-onboarding. This can affect: 

  • Flow visibility, as certain types of traffic (e.g., unicast, multicast, or specific port traffic) are excluded from flow export based on previously configured exclusion filters.

  • IPs outside private IP ranges appear as "ANY" in source/destination fields in recommendations and as "External" in flow graphs and details.

Environment

SSP 5.0, SSP 5.1

Cause

Private IP ranges are stored in the common agent profile on the NSX Manager.

When these ranges are modified, the updates are propagated to the profile and persisted in Corfu.

This configuration is not reset during manager off-boarding.

As a result, if the same manager is onboarded again, the previously modified IP ranges are retained and shown in the SSP UI.

Resolution

Reset private IP ranges: As a workaround, private IP ranges can be reset to default values via the SSP UI. Navigate to SSP UI → System → Private IP Ranges and update the IP ranges to the desired default ranges.

Contact Broadcom Support to reset flow prioritization mode and flow exclusion filters.
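Before resetting, it helps to see exactly which address space the retained private IP ranges add or drop relative to the intended baseline, and which flow endpoints change between private and "External" as a result. The following is an added example, not Broadcom code: it calls no SSP or NSX API, the CIDR lists are copied by hand from the SSP UI, and the RFC 1918 baseline, the sample values and the "Private" label are assumptions.

```python
import ipaddress

# Assumption: the intended baseline is RFC 1918; replace with your site's desired ranges.
BASELINE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
# Constructed sample: ranges still shown in the SSP UI after re-onboarding.
RETAINED = ["10.0.0.0/8", "192.168.0.0/17", "100.64.0.0/10"]
# Constructed sample flow endpoints (IPv4 only in this sketch).
FLOW_IPS = ["10.1.2.3", "172.16.5.9", "192.168.200.4", "100.64.1.1", "8.8.8.8"]

def _nets(cidrs):
    """Parse and merge a CIDR list into non-overlapping networks."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs))

def subtract(a, b):
    """Address space covered by CIDR list a but not by CIDR list b."""
    remaining = _nets(a)
    for cut in _nets(b):
        nxt = []
        for net in remaining:
            if net.subnet_of(cut):        # fully covered by b: drop it
                continue
            if cut.subnet_of(net):        # b carves a hole: keep the rest
                nxt.extend(net.address_exclude(cut))
            else:                         # disjoint: keep unchanged
                nxt.append(net)
        remaining = nxt
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]

def label(ip, cidrs):
    """'Private' if ip falls in any listed range, else 'External'."""
    addr = ipaddress.ip_address(ip)
    return "Private" if any(addr in n for n in _nets(cidrs)) else "External"

def drift(retained, baseline, flow_ips):
    """Range differences plus endpoints whose label changes (baseline, retained)."""
    changed = {}
    for ip in flow_ips:
        before, after = label(ip, baseline), label(ip, retained)
        if before != after:
            changed[ip] = (before, after)
    return {
        "missing_from_retained": subtract(baseline, retained),
        "extra_in_retained": subtract(retained, baseline),
        "reclassified": changed,
    }

if __name__ == "__main__":
    for key, value in drift(RETAINED, BASELINE, FLOW_IPS).items():
        print(key, value)
```

An empty result in all three fields means the retained ranges already match the baseline and no reset is needed.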

Additional Information

Backup and Restore: Private IP ranges are not backed up on SSP for restoration. After the restore completes, the ranges that were configured on the NSX Manager at the time of the backup will be propagated to SSP via full sync. Essentially, backup and restore has no effect on private IP ranges.

You may adjust private-ip-ranges as needed.