Tier-0 VRF displays "FAILED" status with error: "Subnet should not overlap with other logical router port of same logical router"

Article ID: 426350

Products

VMware NSX

Issue/Introduction

When managing Segments or Tier-0 VRFs in NSX, you observe the following:

  • The Tier-0 VRF status is reported as FAILED in the NSX Manager UI.

  • Alarms are generated regarding overlapping subnets or EVPN VNI mismatches.

  • Error messages similar to the following appear in /var/log/proton/nsxapi.log:

Feb ##, ####, 10:##:00 AM : [error_code=10048, module_name=ROUTING, error_message='[Routing] Subnet should not overlap with other logical router port of same logical router. Subnet [#.1.#.0/24] overlaps with logical router port(s) [LrPort/caa3d734-####-4d6b-####-d358fd6a07d7].', error_code=10199, module_name=ROUTING, error_message='[Routing] LR Port LrPort/b71ef1c1-####-4075-####-e1b835c5eb4a is attached to a logical switch LogicalSwitch/63efb452-####-4696-####-fe643bafa6d7 with type of EVPN. The logical router LogicalRouter/5abdcb55-####-4549-####-2e3aff4bf574 need to be a VRF with L2 VNI the same as logical switch VNI 8#,##1.']

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Environment

VMware NSX

Cause

When a segment is created and attached to a Tier-0 or Tier-0 VRF, it can hit a realization error such as "Subnet should not overlap with other logical router port of same logical router". When this happens, the extended attribute for the connected Tier-0 path is not set on the RZ segment. When the segment is later deleted, deletion of the RZ logical router port and the alarm is skipped.

Resolution

This issue is addressed in NSX releases 4.2 & 9.0.

Please ensure you are running a supported version. If the stale objects persist, follow the workaround below to manually prune the realized state.

Workaround

To resolve the "FAILED" status, you must manually delete the stale GPRR (Global Policy Realized Resource) and Alarm objects using the NSX Policy API.

Step-by-Step Execution:

  1. Identify the Segment ID and the Alarm ID from the error message or the NSX Manager UI.

  2. Use a REST API client (such as Postman or cURL) to run the following cleanup command:

API Endpoint: POST https://<NSX-Manager-IP>/policy/api/v1/troubleshooting/infra/tree/realization?action=cleanup

Request Body:

{
    "paths": [
        "/infra/realized-state/enforcement-points/default/logical-ports/{segmentId}-dlrp",
        "/infra/realized-state/enforcement-points/default/logical-ports/{segmentId}-dlrp/alarms/{alarmId}"
    ]
}

Note: Replace {segmentId} and {alarmId} with the actual UUIDs identified in your environment.

  3. After running the API, wait a few minutes for the management plane to resync and verify if the Tier-0 VRF status returns to SUCCESS.
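
The following is an added example, not part of the original article or VMware's own tooling: a shell wrapper for step 2 that refuses to send the cleanup request unless both IDs are UUID-shaped, so an unreplaced {segmentId} placeholder or a value containing slashes or quotes never reaches this delete-type API. The function names, the NSX_MANAGER and NSX_USER variables, and the use of HTTP basic authentication are assumptions.

```shell
#!/bin/sh
# Added example. NSX_MANAGER, NSX_USER and all function names are assumptions.
# Usage after sourcing this file: run_cleanup <segmentId> <alarmId>

# Succeed only for an 8-4-4-4-12 hexadecimal UUID.
is_uuid() {
    # Reject anything that is not hex or a hyphen (newlines, quotes, slashes, braces).
    case $1 in *[!0-9a-fA-F-]*) return 1 ;; esac
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
}

# Print the JSON request body for one segment/alarm pair, or fail.
build_cleanup_body() {
    seg=$1
    alarm=$2
    is_uuid "$seg"   || { echo "segment ID is not a UUID: $seg" >&2; return 1; }
    is_uuid "$alarm" || { echo "alarm ID is not a UUID: $alarm" >&2; return 1; }
    base="/infra/realized-state/enforcement-points/default/logical-ports/${seg}-dlrp"
    printf '{"paths":["%s","%s/alarms/%s"]}\n' "$base" "$base" "$alarm"
}

# POST the body to the cleanup endpoint from the article.
# curl prompts for the password, and certificate verification stays enabled.
run_cleanup() {
    body=$(build_cleanup_body "$1" "$2") || return 1
    echo "Request body: $body" >&2
    curl --fail --silent --show-error -u "$NSX_USER" \
        -H 'Content-Type: application/json' -X POST -d "$body" \
        "https://${NSX_MANAGER}/policy/api/v1/troubleshooting/infra/tree/realization?action=cleanup"
}
```

Passing only the user name to -u keeps the password out of the shell history and the process list.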