TAS ASG configuration with multiple rules having the same destination and port fails to be realized in NSX when using the Policy API

Article ID: 421097

Products

VMware NSX

Issue/Introduction

  • TAS ASG configuration with multiple rules having the same destination and port fails to be realized in NCP/NSX
  • Issue only seen when using Policy Mode APIs
  • An error message similar to the one below is seen in /var/log/proton/nsxapi.log on the NSX Manager:

ERROR http-nio-127.0.0.1-7440-exec-842 DfwSecurityPolicyFacadeImpl 78183 POLICY [nsx@6876 comp="nsx-manager" errorCode="PM500287" level="ERROR" reqId="a99d25de-####-####-####-############" subcomp="manager" username="########"] Multiple rules with same path /infra/domains/###############/security-policies/asg_93caafae-####-####-####-############/rules/pr_10.##.##.19_dceb0c1c-####-####-####-############ present in request

  • An error message similar to the one below is seen in the NCP log (on the Diego database VM):

0fbde0ef-1e51-####-####-####-############ NSX 900282 - [nsx@6876 comp="nsx-container-ncp" subcomp="ncp" level="ERROR" security="True" errorCode="NCP00115"] nsx_ujo.ncp.nsx.policy.nsxapi create_security_policy failed, cause: Unexpected error from backend manager (['nsx-############.com']) for PATCH policy/api/v1/infra/domains/###############/security-policies/asg_93caafae-####-####-####-############: Multiple RULE objects with same id, path=[/infra/domains/###############/security-policies/asg_93caafae-####-####-####-############/rules/pr_10.##.##.19_dceb0c1c-####-####-####-############] present in request., args: ('asg-#######', 'asg_93caafae-####-####-####-############', '###############[truncated]..., kwargs: {'entries': [<vmware_nsxlib.v3.policy.core_defs.CommunicationMapEntryDef object [truncated]...

Environment

VMware NSX 4.2.x

Cause

  • TAS allows an ASG to contain multiple rules that are identical in destination and port.
  • NCP derives the NSX rule id from a hash of the destination and port, so identical rules map to the same rule id (the pr_<destination>_... rule path in the errors above). The NSX Policy API rejects a PATCH that carries multiple RULE objects with the same path, so the whole security-policy PATCH for the ASG fails and the ASG is not realized in NSX at all, not just the duplicated rule.
  • When this happens, users have no indication that the ASG is not realized in NSX; the only indication of the error is in the NCP/NSX logs.

Resolution

This issue will be fixed in a future NSX/NCP release.


Workaround

  • If the issue is already present, remove the duplicate rules from the ASG configuration; the error in the NCP/NSX logs identifies the affected ASG (the asg_... security policy in the path) and the duplicated destination IP address (in the pr_... rule id).
  • Review ASGs for rules with the same destination and port before applying them, so the issue does not occur.
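The following is an added example, not code from this KB article, NCP, NSX or TAS, that applies the Cause and Workaround above as a pre-flight check. It flags rules in a TAS ASG rule file that share destination and port (the key the article says NCP hashes into the rule id), strips the later repeats, and parses the NSX/NCP "Multiple rules with same path" error quoted above to pull out the affected asg_... security policy and the duplicated destination. Assumptions not stated in the article: the ASG rule file is the JSON array of rule objects with protocol/destination/ports keys that `cf create-security-group` takes; the sample rules and the sample log line are constructed, with placeholder UUIDs; and the regular expression assumes an IPv4 destination inside the pr_... rule id, as in the quoted path.

```python
"""Pre-flight duplicate check for TAS ASG rule files, plus a parser for the
NSX/NCP 'Multiple rules with same path' error described in this KB.

Added example; not code from the KB article, NCP, NSX or TAS. Assumptions
(not stated in the article): an ASG rule file is the JSON array of rule
objects that `cf create-security-group` takes, with keys "protocol",
"destination" and "ports"; the collision key is modelled as
(destination, ports) because the article says NCP hashes destination and
port into the rule id; the regular expression is written against the
nsxapi.log line quoted in the article, and the NCP log line carries the
same /infra/.../rules/pr_<destination>_... path, so it matches both.
"""
import json
import re
import sys
from collections import defaultdict

# Constructed sample ASG rule file (not from the article). Rules 0 and 2 have
# the same destination and port and would collide in NCP; rule 3 differs in port.
SAMPLE_ASG_JSON = """
[
  {"protocol": "tcp", "destination": "10.20.30.19", "ports": "443", "description": "api"},
  {"protocol": "tcp", "destination": "10.20.30.20", "ports": "443"},
  {"protocol": "tcp", "destination": "10.20.30.19", "ports": "443", "description": "api, added twice"},
  {"protocol": "tcp", "destination": "10.20.30.19", "ports": "8443"}
]
"""

# Constructed nsxapi.log line modelled on the one in the article; the UUIDs are
# placeholders, not real identifiers.
SAMPLE_NSX_LOG = (
    'ERROR http-nio-127.0.0.1-7440-exec-842 DfwSecurityPolicyFacadeImpl 78183 POLICY '
    '[nsx@6876 comp="nsx-manager" errorCode="PM500287" level="ERROR" '
    'reqId="a99d25de-0000-4000-8000-000000000001" subcomp="manager" username="ncp"] '
    'Multiple rules with same path /infra/domains/default/security-policies/'
    'asg_93caafae-0000-4000-8000-000000000002/rules/'
    'pr_10.20.30.19_dceb0c1c-0000-4000-8000-000000000003 present in request'
)

# Extracts the security-policy id and the destination embedded in the rule id.
# Assumes an IPv4 destination, as in the article's pr_10.##.##.19_... path.
NSX_DUP_RULE_RE = re.compile(
    r"security-policies/(?P<asg>asg_[0-9a-f-]+)/rules/pr_(?P<dest>[0-9.]+)_"
)


def load_rules(text):
    """Parse an ASG rule file (JSON array of rule objects)."""
    return json.loads(text)


def rule_key(rule):
    """The (destination, ports) pair the article says NCP hashes into the rule id.
    Port strings are normalised so "80, 443" and "80,443" count as the same rule."""
    ports = str(rule.get("ports", "")).replace(" ", "")
    return (rule.get("destination", "").strip(), ports)


def find_duplicate_rules(rules):
    """Map each (destination, ports) key that occurs more than once to the
    indexes of the rules that share it; empty dict means the ASG is safe."""
    seen = defaultdict(list)
    for idx, rule in enumerate(rules):
        seen[rule_key(rule)].append(idx)
    return {key: idxs for key, idxs in seen.items() if len(idxs) > 1}


def dedupe_rules(rules):
    """Return the rule list with later repeats of a (destination, ports) key
    dropped, which is what the workaround asks the operator to do."""
    kept, seen = [], set()
    for rule in rules:
        key = rule_key(rule)
        if key in seen:
            continue
        seen.add(key)
        kept.append(rule)
    return kept


def parse_nsx_duplicate_error(line):
    """Pull the affected security policy (asg_...) and the duplicated
    destination out of an NSX or NCP 'Multiple rules with same path' error,
    or return None when the line is not that error."""
    match = NSX_DUP_RULE_RE.search(line)
    if match is None:
        return None
    return {"asg": match.group("asg"), "destination": match.group("dest")}


if __name__ == "__main__":
    # Usage: python asg_dupcheck.py rules.json   (falls back to the sample above)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            rules = load_rules(fh.read())
    else:
        rules = load_rules(SAMPLE_ASG_JSON)
    dups = find_duplicate_rules(rules)
    for (dest, ports), idxs in dups.items():
        print(f"duplicate destination={dest} ports={ports} at rule indexes {idxs}")
    print(parse_nsx_duplicate_error(SAMPLE_NSX_LOG))
    sys.exit(1 if dups else 0)
```

Run it against each rule file before `cf create-security-group` or `cf update-security-group`; the non-zero exit on duplicates lets it sit in a CI gate. If an ASG is already affected, grep the NSX and NCP logs for errorCode PM500287 or NCP00115 and feed the line to parse_nsx_duplicate_error to get the policy and destination to fix.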