Frequent Avi WAF "SEC_MGR_DATA_ERROR_EVENT" events for multiple Virtual Services
search cancel

Frequent Avi WAF "SEC_MGR_DATA_ERROR_EVENT" events for multiple Virtual Services

book

Article ID: 434098

calendar_today

Updated On:

Products

VMware Avi Load Balancer

Issue/Introduction

For virtual services with WAF learning enabled, you may begin to observe event failures for the WAF policy group object.

The events can be found under Operations > Events > All Events 

Event ID: SEC_MGR_DATA_ERROR_EVENT

Event Example:

{
  "report_timestamp": "2026-03-06T17:50:18+00:00",
  "obj_type": "WAFPOLICYPSMGROUP",
  "event_id": "SEC_MGR_DATA_ERROR_EVENT",
  "module": "SEC_MGR",
  "internal": "EVENT_EXTERNAL",
  "context": "EVENT_CONTEXT_APP",
  "obj_uuid": "virtualservice-UUID",
  "obj_name": "VS_NAME",
  "event_details": {
    "sec_mgr_data_event": {
      "name": "virtualservice-UUID:wafpolicy-UUID",
      "error": "vsUUID: virtualservice-UUID appID: virtualservice-UUID:wafpolicy-UUID writestatus: ERROR"
    }
  },
  "related_uuids": [
    "wafpolicypsmgroup-UUID",
    "wafpolicy-UUID"
  ],
  "event_description": "Database transaction failed for SecMgrData.",
  "event_pages": [
    "EVENT_PAGE_VS",
    "EVENT_PAGE_ALL"
  ],
  "tenant": "admin",
  "details_summary": "",
  "ignore_event_details_display": false,
  "is_security_event": false,
  "tenant_name": ""
}

**NOTE**:  The 'report_timestamp' in the event example is in local time to the user, and the timestamps in the log messages are in UTC.  Furthermore, this is an example of the error, the timestamps between the event and logs may differ.

In the security manager logs you will find the following UTF-8 errors:

/var/lib/avi/log/security_mgr.ERROR

2026-03-06T13:50:16.995Z    E  20120      models/avi_utils.go:    Marshalling pb to json failed proto: field ParamInfo.param_key contains invalid UTF-8
2026-03-06T13:50:16.995Z    E  20120      models/avi_utils.go:    Unmarshalling json to map failed unexpected end of JSON input
2026-03-06T13:50:16.916Z	E  10677  	securitymgr/secmgr.go:	Sending event about missed db writes. Current failure count: 1713 for vs: VS_NAME

However you will find that the PSM group updates for the affected Virtual Services are successful in both the security manager logs and Avi portal logs.

/var/lib/avi/log/security_mgr.INFO

2026-03-06T13:52:14.414Z        I  10578        session/avisession.go:       Req for GET uri https://localhost/api/wafpolicypsmgroup/wafpolicypsmgroup-UUID tenant  RespCode 200
2026-03-06T13:52:16.211Z        I  21985        session/avisession.go:       Req for PUT uri https://localhost/api/wafpolicypsmgroup/wafpolicypsmgroup-UUID tenant  RespCode 200
2026-03-06T13:52:16.234Z        I  21985        securitymgr/transact.go:     VS_NAME Transaction [virtualservice-UUID] PSMGROUPUPDATE succeeded in [1] attempt(s)
2026-03-06T13:52:16.234Z        I  21985        securitymgr/secmgr.go:      Clear pending txn for VS vsStUuid=virtualservice-UUID vsStName=VS_NAME
2026-03-06T13:53:14.423Z        I  23499        session/avisession.go:       Req for GET uri https://localhost/api/wafpolicypsmgroup/wafpolicypsmgroup-UUID tenant  RespCode 200
2026-03-06T13:53:16.185Z        I  10673        session/avisession.go:       Req for PUT uri https://localhost/api/wafpolicypsmgroup/wafpolicypsmgroup-UUID tenant  RespCode 200
2026-03-06T13:53:16.207Z        I  10673        securitymgr/transact.go:     VM_NAME Transaction [virtualservice-UUID] PSMGROUPUPDATE succeeded in [1] attempt(s)
2026-03-06T13:53:16.207Z        I  10673        securitymgr/secmgr.go:      Clear pending txn for VS vsStUuid=virtualservice-UUID vsStName=VS_NAME

/var/log/nginx/portal.access.log

127.0.0.1 [cache:-] 127.0.0.1:6004 [-] - T-ID=068d20a973f48accd410c20f730597fb - [06/Mar/2026:13:52:14 +0000] [-] [-] "GET /api/wafpolicypsmgroup/wafpolicypsmgroup-UUID HTTP/1.1" 200 1437064 "https://localhost/" "Go-http-client/1.1" 0.129 0.128 .
127.0.0.1 [cache:-] 127.0.0.1:6004 [-] - T-ID=6c696568541fb0ce758cef90b62518ba - [06/Mar/2026:13:52:16 +0000] [-] [-] "PUT /api/wafpolicypsmgroup/wafpolicypsmgroup-UUID HTTP/1.1" 200 1475371 "https://localhost/" "Go-http-client/1.1" 1.723 1.724 .
127.0.0.1 [cache:-] 127.0.0.1:6004 [-] - T-ID=543a8f93100cf86ad919ffabe46f4abe - [06/Mar/2026:13:53:14 +0000] [-] [-] "GET /api/wafpolicypsmgroup/wafpolicypsmgroup-UUID HTTP/1.1" 200 1441523 "https://localhost/" "Go-http-client/1.1" 0.122 0.120 .
127.0.0.1 [cache:-] 127.0.0.1:6004 [-] - T-ID=81b3957f8e4168861cbb18b8de732b32 - [06/Mar/2026:13:53:16 +0000] [-] [-] "PUT /api/wafpolicypsmgroup/wafpolicypsmgroup-UUID HTTP/1.1" 200 1473455 "https://localhost/" "Go-http-client/1.1" 1.652 1.652 .

Environment

Affects Version(s):

30.2.1 - 30.2.1-2p6

30.2.2 - 30.2.2-2p6

30.2.3 - 30.2.3-2p4

30.2.4 - 30.2.4-2p2

30.2.5 - 30.2.5-2p1

30.2.6

Cause

There is a known issue were the Service Engine sends invalid UTF-8 data to the security manager, this learning data is only for the security manager backup.  When it fails to save into the DB the "SEC_MGR_DATA_ERROR_EVENT" is created.

Resolution

This invalid UTF-8 data issue has been addressed in 31.1.x and 31.2.x versions.  For 30.2.x versions, the fix will included in the next 30.2.x GA release.  

This invalid learning data is only for the security manager backup and does not affect the PSM programming or updates the PSM groups.  This errors do not affect the WAF inspection of application traffic.

ID: AV-232765

Workaround(s):

There are no available workarounds, however, it was confirmed the errors are not impactful and the "SEC_MGR_DATA_ERROR_EVENT" events can be safely ignored.

Additional Information

WAF Learning Documentation: Application Learning for WAF

Powered by Wolken Software