New TKGI cluster can't be created because of NSX Error

Article ID: 433201


Products

VMware vDefend Firewall

Issue/Introduction

New TKGI cluster can't be created because of NSX Error "Priority already present - XXXXXXXXXXXX"

 

Observations:

  • The customer is unable to create new TKGI clusters due to an NSX firewall error.
  • NSX Manager logs show an error: "Priority already present - 9223372036357967068".
  • Creation of new DFW sections in MP also fails; only rule creation in existing policies works.
  • Corfu tables (FirewallConfiguration, FirewallSectionPriority) show duplicate priority IDs.
  • Some entries exist in FirewallSectionPriority but not in FirewallSection.
  • The customer upgraded from NSX 3.2.4 to 4.2.1.4.

 

Sample Error Log in nsxapi.logs:

 

Getting Config for id - FirewallConfiguration/e6b33ca8-3e73-11eb-b378-0242ac130003

Error occurred while consuming 26 messages.

Error java.lang.IllegalArgumentException: Priority already present - xxxxxxxxxxxxxxx

Environment

Customer upgraded from NSX 3.2.X to 4.2.X

Cause

FirewallConfiguration.txt

 

There are two sections with the same priority.

 

  {
    "entityUuid": {
      "left": "6268088172294982924",
      "right": "13355233986041533070"
    },
    "priority": "9223372036857967068"
  }, {
    "entityUuid": {
      "left": "13957021768680753086",
      "right": "12805234494950509432"
    },
    "priority": "9223372036857967068"
  }

 

FirewallSectionPriority.txt

 

Section 1

 

Payload:

{
  "managedResource": {
    "displayName": "07d260c4-2da3-4b76-a1d6-94042efbb0e9"
  },
  "sectionUuid": {
    "left": "13957021768680753086",
    "right": "12805234494950509432"
  },
  "priority": "9223372036857967068"
}

 

Metadata:

{
  "createTime": "1768295859459",
  "createUser": "system",
  "lastModifiedTime": "1768295859459",
  "lastModifiedUser": "system",
  "productVersion": "4.2.1.4.0"
}

 

Section 2

 

Payload:

{
  "managedResource": {
    "displayName": "67592029-ca68-4741-82d5-2c63ddac8e25"
  },
  "sectionUuid": {
    "left": "6268088172294982924",
    "right": "13355233986041533070"
  },
  "priority": "9223372036857967068"
}

 

Metadata:

{
  "createTime": "1768295755464",
  "createUser": "system",
  "lastModifiedTime": "1768295755464",
  "lastModifiedUser": "system",
  "productVersion": "4.2.1.4.0"
}

 

 

There is an offset of 500000000 for the internal priority, which results in:

9223372036857967068 - 500000000 = 9223372036357967068

That is the value the exception complains about:

 

2026-01-15T11:08:20.458Z  WARN FIREWALL_UFO_PRIORITY_PROCESSOR-0 AbstractPersistedQueueProcessor 77125 SERVICE [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] Error occurred while consuming 20 messages. Error java.lang.IllegalArgumentException: Priority already present - 9223372036357967068, Messages: Msg: left: 10928761187
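As an added example (not from the article or the product), the following Python sketch checks a table dump for the conditions described above: duplicate priorities, entries without a matching FirewallSection, and the stored priority behind a logged exception value. The function names, the list-of-payloads input shape and the reduced FirewallSection key set are assumptions; the sample data is constructed from the values shown above.

```python
import re
from collections import defaultdict

PRIORITY_OFFSET = 500_000_000  # offset stated in the article

# Constructed sample in the payload shape shown above. The first two entries use
# the article's values; the third is made up to exercise the orphan check.
SECTION_PRIORITY = [
    {"sectionUuid": {"left": "13957021768680753086", "right": "12805234494950509432"},
     "priority": "9223372036857967068"},
    {"sectionUuid": {"left": "6268088172294982924", "right": "13355233986041533070"},
     "priority": "9223372036857967068"},
    {"sectionUuid": {"left": "1", "right": "2"}, "priority": "9223372036857967000"},
]
# Assumption: FirewallSection reduced to a set of (left, right) keys.
SECTION_KEYS = {("13957021768680753086", "12805234494950509432"),
                ("6268088172294982924", "13355233986041533070")}
LOG_LINE = ("Error java.lang.IllegalArgumentException: "
            "Priority already present - 9223372036357967068")

def section_key(entry):
    uuid = entry["sectionUuid"]
    return (uuid["left"], uuid["right"])

def duplicate_priorities(entries):
    """Map each priority held by more than one section to those sections."""
    by_priority = defaultdict(list)
    for entry in entries:
        # Values exceed 2**53, so parse the strings as int, never as float.
        by_priority[int(entry["priority"])].append(section_key(entry))
    return {p: keys for p, keys in by_priority.items() if len(keys) > 1}

def orphaned_entries(entries, section_keys):
    """Entries present in FirewallSectionPriority but not in FirewallSection."""
    return [section_key(e) for e in entries if section_key(e) not in section_keys]

def stored_priority_from_log(line):
    """Undo the offset: the exception prints stored priority minus the offset."""
    match = re.search(r"Priority already present - (\d+)", line)
    return int(match.group(1)) + PRIORITY_OFFSET if match else None

def sections_for_log_line(line, entries):
    """Sections whose shared priority produced the logged exception."""
    return duplicate_priorities(entries).get(stored_priority_from_log(line), [])

if __name__ == "__main__":
    print("duplicates:", duplicate_priorities(SECTION_PRIORITY))
    print("orphans:", orphaned_entries(SECTION_PRIORITY, SECTION_KEYS))
    print("log line maps to:", sections_for_log_line(LOG_LINE, SECTION_PRIORITY))
```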

 

 

The FirewallConfigurationReassignPriorityMigrationTask should be executed during the upgrade to handle all the firewall priorities. For that to work, a code change is required to add version 3.2.4 as well, so that the task is executed during an upgrade or migration to 4.2.x from any of the versions below.

 

name: FirewallConfigurationReassignPriorityMigrationTask

runForTheseFromVersions: 3.2.0,3.2.1,3.2.2,3.2.3,4.0,4.1

Resolution

The change makes sure the task is executed for 3.2.x versions, so that the priorities are updated once the user is on 4.2.4.