MP to Policy migration for TAS fails in post import actions for NAT rules.

Article ID: 435794

Products

VMware NSX

Issue/Introduction

MP to Policy migration for TAS fails in post-import actions for NAT rules.
The log reports the list of resources for which post-import actions were being processed, but the error description simply mentions a 'policy_id' attribute.

MP2P log snippet:

[ERROR 2026-04-04T14:51:28Z]: Encountered error while running post import actions for NATRules resource_ids

The migration operation fails and cannot be completed until the issue is resolved. There is, however, no impact on the TAS foundation. Rollback is completed, and NCP keeps operating in MP mode.

Environment

VMware NSX

Tanzu TAS

Cause

This issue is caused by unexpected NAT rules associated with the TAS foundation.
"Unexpected" here could either be stale rules that were not deleted due to some previous issue with NCP or NSX, or rules that were created or modified out-of-band by the customer.

The MP2P process for TAS will promote these rules to policy, but it will not be able to establish a 'policy_id' for them, because the match_source_network CIDR won't match any CIDR currently in use by the TAS foundation. The match_source_network CIDR is expected to match the IP pool in use by one of the foundation's logical switches.

While the NSX object promotion API will promote a rule without an explicit 'policy_id' - creating a random UUID for it - the subsequent post-import process, which adapts promoted NAT rules to work with NCP in policy mode, will fail as it expects this attribute to be present for each promoted rule.

Resolution

1) Identify "offending" NAT rules. To do so, parse the items in the Python array dumped in the error message after 'resource_ids'. Each item in this array is a dict. The offending NAT rules are those whose dict does not have a 'policy_id' attribute.
2) Delete these rules and retry the migration.
3) If unsure about whether the NAT rules can be deleted or not, remove the tag with scope ncp/cluster from the rule. This will ensure this NAT rule is not considered for the migration. Retry the migration.

Rule deletion and tag editing might not be possible if the TAS foundation is configured to use an NSX principal identity. In this case, proceed with an NSX API call using the X-Allow-Overwrite:True header.
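
One way to carry out step 1, as an added example that is not part of the original article or of any VMware tooling: it pulls the array that follows 'resource_ids' out of an MP2P log line and returns the dicts that have no 'policy_id' key. The sample line, the 'id' key and all values are constructed for illustration; only 'resource_ids' and 'policy_id' come from the article.

```python
import ast

# Constructed sample: real log lines carry the foundation's own rule data.
SAMPLE_LINE = (
    "[ERROR 2026-04-04T14:51:28Z]: Encountered error while running post import "
    "actions for NATRules resource_ids "
    "[{'id': 'nat-rule-a', 'policy_id': 'pol-a'}, {'id': 'nat-rule-b'}, "
    "{'id': 'nat-rule-c', 'policy_id': 'pol-c'}, {'id': 'nat-rule-d'}]: 'policy_id'"
)


def extract_resource_ids(line):
    """Return the Python list dumped after 'resource_ids' in a log line."""
    marker = line.find("resource_ids")
    start = line.find("[", marker) if marker != -1 else -1
    if start == -1:
        raise ValueError("no array found after 'resource_ids'")
    # Try every closing bracket from the right, so text after the array is tolerated.
    end = line.rfind("]")
    while end > start:
        try:
            # literal_eval only builds literals; log text is never executed.
            value = ast.literal_eval(line[start:end + 1])
            if isinstance(value, list):
                return value
        except (ValueError, SyntaxError, TypeError):
            pass
        end = line.rfind("]", start, end)
    raise ValueError("array after 'resource_ids' could not be parsed")


def missing_policy_id(items):
    """Return the dict items that lack a 'policy_id' key (the offending rules)."""
    return [i for i in items if isinstance(i, dict) and "policy_id" not in i]


if __name__ == "__main__":
    rules = extract_resource_ids(SAMPLE_LINE)
    for rule in missing_policy_id(rules):
        print("no policy_id:", rule)
```

The printed dicts are the rules to review for deletion or for removal of the ncp/cluster tag, as described in steps 2 and 3.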