Unable to add objects to NSX security group receiving error code (500012)

Article ID: 425103


Products

VMware vDefend Firewall VMware NSX

Issue/Introduction

  • The user is unable to add objects to an NSX group and receives the following error in the NSX UI:

  Error: The /infra/segments/<SegmentName>/ports/default:###################### is invalid (Error code: 500012)

  • The log file /var/log/syslog.log on the NSX Manager shows failed attempts to update the security group:

2026-01-13T15:29:18.948Z <NSXManager> NSX 4943 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="manager"] UserName:'admin' ModuleName:'Policy' Operation:'PUT@/api/v1/infra/domains/default/groups/<GroupName>' Operation status: 'failure' Error: The path=[/infra/segments/<SegmentName>/ports/default:############################] is invalid

  • When reviewing the problematic group, the user will see objects listed after clicking "Show Deleted Entities".

 

 

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Environment

VMware vDefend Firewall 

VMware NSX 4.2.X

VMware NSX 9.0

Cause

  • Segment ports and VM objects are static members and will not change while the VM is in the NSX inventory.
  • If the VM leaves the NSX inventory for any reason, a new entry for the VM ID and segment port is created when it is added back.
    • Because the segment port and VM ID are static members, the old entries remain in the group after the VM is removed from NSX.
  • The user will not be able to update the group while stale segment ports are present, due to group validation.

Resolution

  • The stale entries can be removed by clicking "remove all" while reviewing "Show Deleted Entities".
  • The stale entries can be removed individually using the API call PATCH /policy/api/v1/infra/domains/default/groups/<GroupID>
    • Retrieve the group body with GET /policy/api/v1/infra/domains/default/groups/<GroupID>, remove the stale object from that body, and submit the edited body with the PATCH call.
  • To mitigate this issue, the user can apply NSX tags to VM objects or Segments to make the group dynamic.
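
The GET, edit, PATCH sequence above depends on editing the returned body correctly. The following is an added example, not part of the original article or of VMware tooling: it removes stale paths from a group body retrieved with GET so the result can be used as the PATCH body. It assumes static members are stored in PathExpression entries joined by ConjunctionOperator entries and that a PathExpression must keep at least one path; the sample group, the function name prune_stale_paths and all IDs are constructed.

```python
import copy
import json

# Constructed sample of a GET .../groups/<GroupID> response; IDs are made up.
SAMPLE_GROUP = {
    "resource_type": "Group",
    "id": "example-group",
    "display_name": "example-group",
    "expression": [
        {"resource_type": "PathExpression", "paths": [
            "/infra/segments/seg-a/ports/default:11111111-aaaa",
            "/infra/segments/seg-a/ports/default:22222222-bbbb"]},
        {"resource_type": "ConjunctionOperator", "conjunction_operator": "OR"},
        {"resource_type": "PathExpression", "paths": [
            "/infra/segments/seg-b/ports/default:33333333-cccc"]},
    ],
}


def prune_stale_paths(group, stale_paths):
    """Return a copy of the group body with the stale member paths removed."""
    stale = set(stale_paths)
    body = copy.deepcopy(group)
    kept = []
    for expr in body.get("expression", []):
        if expr.get("resource_type") == "PathExpression":
            expr["paths"] = [p for p in expr.get("paths", []) if p not in stale]
            if not expr["paths"]:
                # Assumption: an empty PathExpression is rejected, so drop it
                # and the operator that joined it to the previous expression.
                if kept and kept[-1].get("resource_type") == "ConjunctionOperator":
                    kept.pop()
                continue
        kept.append(expr)
    # If the first expression was dropped, an operator is left at the front.
    while kept and kept[0].get("resource_type") == "ConjunctionOperator":
        kept.pop(0)
    body["expression"] = kept
    return body


if __name__ == "__main__":
    # The stale path is the one quoted in the 500012 error message.
    stale = ["/infra/segments/seg-b/ports/default:33333333-cccc"]
    print(json.dumps(prune_stale_paths(SAMPLE_GROUP, stale), indent=2))
```

Compare the printed body with the original GET response before sending it, so that only the paths named in the error have been removed.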