Migrated VMs Not Included in NSX-T Security Groups Post V2T DFW Migration

Article ID: 408752


Products

VMware NSX

Issue/Introduction

During the NSX-V to NSX-T Distributed Firewall (DFW) migration using the V2T Migration Coordinator, an issue has been identified where the Security Groups in the NSX-T target environment contain only temporary IP addresses assigned to protect the migrated VMs. However, the actual migrated VMs are not being added as member objects to their respective Security Groups.

Environment

VMware NSX

Cause

This issue occurs when the Migration Coordinator report has not been generated, or when the Finalize API call below, which removes the temporary IPSet-based Security Groups, has not been executed. These steps are part of the finalisation process outlined in the "Migrating Distributed Firewall Configuration" technical documentation under the section "Migrate Workload VMs".

POST https://{nsxt-mgr-ip}/api/v1/migration?action=finalize_infra

Without completing this stage, the temporary IPSet-based Security Groups remain in place, and the migrated VMs are not added as member objects in NSX-T as expected.

Resolution

To ensure migrated workload VMs are correctly added as member objects in NSX-T Security Groups, you must click the "GET MIGRATION REPORT" button during the final stage "Migrate Workloads" in the DFW migration workflow. This action generates a JSON report detailing the Security Group objects successfully migrated to NSX-T. It highlights which VM objects were mapped successfully and identifies those that failed to migrate.

The migration report can be generated multiple times. To regenerate the report after migrating any remaining VMs to the target NSX site, simply navigate to a different stage in the migration UI, such as "Prepare Infrastructure", and then return to "Migrate Workloads". This action will re-enable the "GET MIGRATION REPORT" button, allowing you to produce an updated JSON report.

Note: Security Group updates will also occur upon execution of the Finalize API below. However, this API will also remove the temporary IPSet Security Group created during the migration process. If any VMs fail to migrate into their corresponding NSX-T Security Groups, those groups may become empty once the temporary IPSet Security Group is deleted, potentially leaving the migrated workload VMs unprotected by DFW rules.

POST https://{nsxt-mgr-ip}/api/v1/migration?action=finalize_infra

To ensure successful Security Group migration of VM member objects via the V2T DFW Migration Coordinator, it is essential that the VM UUID remains unchanged before and after the migration.

Cloning the source VM to the target site as a migration method will result in the creation of a new VM UUID instance. As a result, the Security Group in NSX-T will not be updated for the associated VMs.

If vMotion or HCX is used to migrate the VMs, it will attempt to preserve the original VM UUID throughout the migration process. However, if the target vCenter rejects the source VM UUID, typically due to a duplicate entry in its database, it will generate a new VM UUID, and this change can prevent the Security Group from being updated correctly for the associated VM in NSX-T.
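The UUID dependency described above can be checked before the Finalize API is called. The following is an added example, not VMware code and not part of the Migration Coordinator: it compares VM instance UUIDs from the source and target inventories and lists the Security Groups in which no member kept its UUID. The inventory and group data are constructed samples, and the dictionary layout, the matching of VMs by name, and the function names are assumptions.

```python
# Constructed sample data: VM name -> instance UUID, as exported from the source
# and target vCenter inventories (export format and name matching are assumptions).
SOURCE_VMS = {
    "web-01": "5012a1b2-0000-0000-0000-000000000001",
    "web-02": "5012a1b2-0000-0000-0000-000000000002",
    "db-01": "5012a1b2-0000-0000-0000-000000000003",
    "app-01": "5012a1b2-0000-0000-0000-000000000004",
}
TARGET_VMS = {
    "web-01": "5012A1B2-0000-0000-0000-000000000001",  # vMotion, UUID preserved
    "web-02": "5012a1b2-0000-0000-0000-000000000002",
    "db-01": "5033ffff-0000-0000-0000-0000000000aa",  # cloned, new UUID
}  # app-01 has not been migrated yet
# Constructed: Security Group -> source VM UUIDs that were its members.
GROUP_MEMBERS = {
    "SG-Web": [SOURCE_VMS["web-01"], SOURCE_VMS["web-02"]],
    "SG-DB": [SOURCE_VMS["db-01"]],
    "SG-App": [SOURCE_VMS["app-01"], SOURCE_VMS["db-01"]],
}

def _norm(uuid):
    """UUIDs are compared case-insensitively."""
    return uuid.strip().lower()

def uuid_status(source_vms, target_vms):
    """Classify each source VM as 'preserved', 'changed' or 'missing' on the target."""
    status = {}
    for name, src in source_vms.items():
        tgt = target_vms.get(name)
        if tgt is None:
            status[name] = "missing"
        else:
            status[name] = "preserved" if _norm(tgt) == _norm(src) else "changed"
    return status

def groups_at_risk(group_members, source_vms, target_vms):
    """Return {group: [member VM names]} for groups where no member kept its
    UUID; these may be left empty once the temporary IPSet group is removed."""
    status = uuid_status(source_vms, target_vms)
    by_uuid = {_norm(u): n for n, u in source_vms.items()}
    risky = {}
    for group, uuids in group_members.items():
        names = [by_uuid[_norm(u)] for u in uuids]
        if not any(status[n] == "preserved" for n in names):
            risky[group] = sorted(names)
    return risky

if __name__ == "__main__":
    for group, vms in groups_at_risk(GROUP_MEMBERS, SOURCE_VMS, TARGET_VMS).items():
        print(f"{group}: no member kept its UUID ({', '.join(vms)}); hold finalize_infra")
```

A group reported here is one to compare against the JSON migration report before running the Finalize API.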

 

Additional Information