• After upgrading NSX from 3.2.x to 4.2.x, NSX Manager service (Proton) become unstable.

• NSX Managers may enter a degraded or down state, impacting access to the NSX UI.

• Proton logs show repeated JVM restarts with errors similar to:

  com.vmware.nsx.management.common.exceptions.InvalidArgumentException: Invalid group with IPSet/MACAddress in ExclusionList ionList path=[/infra/domains/default/groups/<groupID>]

  Logs findings:

  • The nsxapi.log shows NSX management plane starting in every 5- 6 minutes.

  2024-10-07T18:39:50.257Z  INFO WrapperStartStopAppMain ApplicationContextManager 227639 - [nsx@6876 comp="nsx-manager" level="INFO" starting NSX management plane application context.
  

  • The proton-tomcat-wrapper.log shows the JVM received a kill signal and is restarting. 

  STATUS | wrapper  | 2024/10/07 18:39:51| JVM received a signal SIGKILL (9).
  

  • The Proton service is repeatedly restarting in /var/log/proton/proton-tomcat-wrapper.log:

  STATUS | wrapper  | 2024/10/07 18:28:31 | Launching a JVM...
  

  • The following exception is seen repeatedly on the NSX manager's in /var/log/proton/proton-tomcat-wrapper.log

  INFO   | jvm 784  | 2024/10/07 18:33:30 | com.vmware.nsx.management.common.exceptions.InvalidArgumentException: Invalid group with IPSet/MACAddress in ExclusionList path=[/infra/domains/default/groups/<GroupID>]

• API query reveals groups referenced in the exclusion list (e.g., VCenter, infra_vcenter) contain IP addresses.

• GET /policy/api/v1/infra/settings/firewall/security/exclude-list

Refer to ANS KB for more details: NSX Exclusion list modification fails due to invalid group with Ipset/MACAddress in FW Exclusion List (Error code:514051)