TKGI Cluster Creation Fails with NSX Error "Priority already present" after Upgrade to 4.2.x

Article ID: 433201


Products

VMware vDefend Firewall

Issue/Introduction

  • The environment was upgraded from VMware NSX-T 3.2.4 to VMware NSX 4.2.1.X.
  • When attempting to deploy new VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) clusters after an upgrade to NSX 4.2.1.X, the process fails during the Distributed Firewall (DFW) section creation.
  • New Distributed Firewall (DFW) sections cannot be created via the Management Plane (MP) API or UI.
  • The NSX Manager log var/log/nsxapi.log shows the following error:

2026-01-15T11:08:20.458Z  WARN FIREWALL_UFO_PRIORITY_PROCESSOR-0 AbstractPersistedQueueProcessor 77125 SERVICE [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] Error occurred while consuming 20 messages. Error java.lang.IllegalArgumentException: Priority already present - 9223372036357967068, Messages: Msg: left: 10928761187

NOTE: The preceding log excerpts are only examples. Date, time and environmental variables may vary depending on your environment.

Environment

VMware NSX 4.2.1.x (upgraded from NSX-T 3.2.x)
VMware vDefend Firewall
VMware TKGI 1.22.x
VMware NSX-T Container Plugin (NCP) 4.2.1.x

Cause

This issue is caused by duplicate entries in the NSX firewall tables. To confirm, check the following tables.

Gather the table data by running the following command as root on an NSX Manager:

/opt/vmware/bin/corfu_tool_runner.py -o showTable -n nsx -t firewallConfiguration

Note the duplicate entries: two entityUuids have the same priority:

  {
    "entityUuid": {
      "left": "6268088172294982924",
      "right": "13355233986041533070"
    },
    "priority": "9223372036857967068"
  }, {
    "entityUuid": {
      "left": "13957021768680753086",
      "right": "12805234494950509432"
    },
    "priority": "9223372036857967068"
  }

 

Similarly, the NSX FirewallSectionPriority table shows the same duplicate entries:

/opt/vmware/bin/corfu_tool_runner.py -o showTable -n nsx -t FirewallSectionPriority

  • First Section:

{
  "managedResource": {
    "displayName": "07d260c4-2da3-4b76-a1d6-94042efbb0e9"
  },
  "sectionUuid": {
    "left": "13957021768680753086",
    "right": "12805234494950509432"
  },
  "priority": "9223372036857967068"
}

  • Second Section:

{
  "managedResource": {
    "displayName": "67592029-ca68-4741-82d5-2c63ddac8e25"
  },
  "sectionUuid": {
    "left": "6268088172294982924",
    "right": "13355233986041533070"
  },
  "priority": "9223372036857967068"
}

NSX expects there to be an offset for the internal priority. Because NSX attempts to create two sections with the same priority, the operation fails.
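The check described above can be scripted. The following is an added example, not part of the original article and not Broadcom's clean-up script: it groups records by priority, reports priorities held by more than one UUID, and joins them to the section display names. It assumes the records from both tables have been saved as JSON arrays shaped like the excerpts above; the function names and the third firewallConfiguration record are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample input: records shaped like the excerpts in this article,
# plus one constructed non-colliding entry for contrast.
FW_CONFIG = json.loads("""[
  {"entityUuid": {"left": "6268088172294982924", "right": "13355233986041533070"},
   "priority": "9223372036857967068"},
  {"entityUuid": {"left": "13957021768680753086", "right": "12805234494950509432"},
   "priority": "9223372036857967068"},
  {"entityUuid": {"left": "1111", "right": "2222"}, "priority": "9223372036857000000"}
]""")

SECTION_PRIORITY = json.loads("""[
  {"managedResource": {"displayName": "07d260c4-2da3-4b76-a1d6-94042efbb0e9"},
   "sectionUuid": {"left": "13957021768680753086", "right": "12805234494950509432"},
   "priority": "9223372036857967068"},
  {"managedResource": {"displayName": "67592029-ca68-4741-82d5-2c63ddac8e25"},
   "sectionUuid": {"left": "6268088172294982924", "right": "13355233986041533070"},
   "priority": "9223372036857967068"}
]""")

def uuid_key(record):
    """Return the (left, right) pair from either table's UUID field."""
    u = record.get("entityUuid") or record.get("sectionUuid")
    if not isinstance(u, dict) or not {"left", "right"} <= u.keys() or "priority" not in record:
        raise ValueError(f"unexpected record shape: {record!r}")
    return (u["left"], u["right"])

def find_duplicate_priorities(records):
    """Map each priority held by more than one distinct UUID to those UUIDs."""
    by_priority = defaultdict(set)
    for rec in records:
        key = uuid_key(rec)  # validates the record before it is grouped
        by_priority[rec["priority"]].add(key)
    return {p: sorted(ids) for p, ids in by_priority.items() if len(ids) > 1}

def name_collisions(config_records, section_records):
    """Join colliding firewallConfiguration entries to section display names."""
    names = {uuid_key(r): r.get("managedResource", {}).get("displayName")
             for r in section_records}
    return {p: [names.get(i, "<no FirewallSectionPriority row>") for i in ids]
            for p, ids in find_duplicate_priorities(config_records).items()}

if __name__ == "__main__":
    for prio, sections in name_collisions(FW_CONFIG, SECTION_PRIORITY).items():
        print(f"priority {prio} is shared by sections: {', '.join(sections)}")
```

An empty result from find_duplicate_priorities means no two sections in the supplied records share a priority.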

 

Resolution

Fixed in release 4.2.4 and higher. See Download Broadcom products and software for steps to download this release.

Workaround: A script can be run pre-upgrade or post-upgrade to clean up stale entries and duplicates. Contact Broadcom support and note this Article ID (433201) for assistance.

Additional Information

To be updated on the status of this issue, subscribe to this article. See How to subscribe to a Knowledge Management (KM) article.