Custom session timer profiles are not effective after upgrading NSX-T from 3.1 to 3.2

Article ID: 419321

Products

VMware NSX

Issue/Introduction

  • In the NSX-T Manager UI, the custom session timer profile appears to be correctly applied to the target Gateway.


  • However, when verifying via the CLI, the configured timer values are not reflected, and different values are active.
    • Bad case
      edge> get firewall <interface_uuid> timeouts
      <timestamp>
      Timeout count: 21
          dfw.TBR_revalidation     : 0
          dfw.adaptive_end         : 970000
          dfw.adaptive_start       : 900000
          dfw.icmp.error_reply     : 6
          dfw.icmp.first_packet    : 6
          dfw.interval             : 10
          dfw.ip.frag              : 4
          dfw.other.first_packet   : 30
          dfw.other.multiple       : 30
          dfw.other.single         : 30
          dfw.src_node             : 0
          dfw.tcp.closed           : 2
          dfw.tcp.closing          : 900
          dfw.tcp.established      : 7200
          dfw.tcp.fin_wait         : 4
          dfw.tcp.first_packet     : 120
          dfw.tcp.opening          : 30
          dfw.ts_diff              : 30
          dfw.udp.first_packet     : 30
          dfw.udp.multiple         : 30
          dfw.udp.single           : 30
    • Good case
      edge> get firewall <interface_uuid> timeouts
      <timestamp>
      Timeout count: 21
          dfw.TBR_revalidation     : 0
          dfw.adaptive_end         : 970000
          dfw.adaptive_start       : 900000
          dfw.icmp.error_reply     : 10
          dfw.icmp.first_packet    : 20
          dfw.interval             : 10
          dfw.ip.frag              : 30
          dfw.other.first_packet   : 30
          dfw.other.multiple       : 30
          dfw.other.single         : 30
          dfw.src_node             : 0
          dfw.tcp.closed           : 20
          dfw.tcp.closing          : 120
          dfw.tcp.established      : 43200
          dfw.tcp.fin_wait         : 45
          dfw.tcp.first_packet     : 120
          dfw.tcp.opening          : 30
          dfw.ts_diff              : 30
          dfw.udp.first_packet     : 60
          dfw.udp.multiple         : 60
          dfw.udp.single           : 30

Environment

VMware NSX-T Data Center

Cause

During the NSX-T Manager upgrade process, the association between the custom profile and the target Gateway is lost, even though the UI may still display the configuration.

Resolution

This issue is resolved in NSX-T 3.2.4. This issue is not observed when upgrading directly to NSX 4.x or later.

Workaround:
If you encounter this issue after an upgrade, perform the following steps to restore the configuration:

  1. Navigate to the NSX-T Manager UI > Security > Settings > General Settings > Firewall.
  2. Detach the profile from the target Gateway.
  3. Re-apply the profile to the Gateway.
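
To confirm that the custom values are active after an upgrade or after re-applying the profile, the CLI check shown above can be scripted. The following Python is an added example, not VMware code: it parses pasted output of the edge timeouts command and reports every timer whose active value differs from the profile. The function names are hypothetical, and EXPECTED and BAD_CASE are constructed from the article's Good case and Bad case listings.

```python
import re

# Matches lines such as "    dfw.tcp.established      : 7200" in the edge CLI output.
TIMEOUT_LINE = re.compile(r"^\s*(dfw\.[\w.]+)\s*:\s*(\d+)\s*$")

def parse_timeouts(cli_output):
    """Return {timer_name: value} parsed from 'get firewall <uuid> timeouts' output."""
    timers = {}
    for line in cli_output.splitlines():
        m = TIMEOUT_LINE.match(line)
        if m:
            timers[m.group(1)] = int(m.group(2))
    return timers

def find_drift(expected, cli_output):
    """Return {timer: (expected, active)} for timers whose active value differs.

    A timer that is absent from the CLI output is reported with active=None.
    """
    active = parse_timeouts(cli_output)
    return {name: (want, active.get(name))
            for name, want in expected.items()
            if active.get(name) != want}

# Assumption: the custom profile's values, copied from the article's
# "Good case" listing (a subset of the 21 timers).
EXPECTED = {
    "dfw.icmp.error_reply": 10,
    "dfw.tcp.closing": 120,
    "dfw.tcp.established": 43200,
    "dfw.tcp.first_packet": 120,
    "dfw.udp.first_packet": 60,
}

# Constructed sample: an excerpt of the article's "Bad case" output.
BAD_CASE = """\
Timeout count: 21
    dfw.icmp.error_reply     : 6
    dfw.tcp.closing          : 900
    dfw.tcp.established      : 7200
    dfw.tcp.first_packet     : 120
    dfw.udp.first_packet     : 30
"""

if __name__ == "__main__":
    for name, (want, got) in sorted(find_drift(EXPECTED, BAD_CASE).items()):
        print(f"{name}: profile={want} active={got}")
```

An empty result from find_drift means every listed timer matches the profile on that interface.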