NSX policy API 'No Matching IPAddressexpression available' error during IP address Add actions

Article ID: 438383


Products

VMware NSX

Issue/Introduction

  • Automation workflows utilizing the NSX Policy API may encounter intermittent failures when adding IP addresses to a Group. This occurs specifically when a preceding "remove" action has emptied the IPAddressExpression, leading to the deletion of the expression object itself.
  • Error Message:

    No Matching IPAddressexpression available for expression

  • The nsx-audit-write.log file shows the successful removal of the last IP address, which results in the deletion of the expression ID.

    NSX 77689 - [nsx@6876 audit="true" comp="nsx-manager" level="INFO" reqId="<REDACTED_ID>" subcomp="manager" update="true" username="<REDACTED_USER>"] UserName="<REDACTED_USER>", Src="<REDACTED_IP>", ModuleName="Policy", Operation="AddorRemoveGroupIPAddresses", Operation status="success", Old value=[{"expression":[...,{"ip_addresses":["<REDACTED_IP>"],"resource_type":"IPAddressExpression","id":"<REDACTED_ID>", ...}], ...}], New value=["default" "<REDACTED_ID>" "<REDACTED_ID>" {"action":"remove"} {"ip_addresses":["<REDACTED_IP>"]}]

Environment

VMware NSX 4.x

Cause

When using the API POST /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/ip-address-expressions/{expression-id}?action=remove, NSX evaluates the state of the IPAddressExpression post-operation.

  • If other IP addresses remain in the expression, the expression object is preserved.
  • If the last IP address is removed, the IPAddressExpression object is automatically deleted because an empty expression is not valid in the Policy hierarchy.

Subsequent calls to POST /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/ip-address-expressions/{expression-id}?action=add fail because the target expression-id no longer exists.

Resolution

Workflows must verify the existence of the expression before attempting to add addresses to it.

  1. Check Group State: Perform a GET /policy/api/v1/infra/domains/default/groups/{group_id}.
  2. Logic Branching:
    • If the expression ID exists: Proceed with: POST /policy/api/v1/infra/domains/default/groups/{group_id}/ip-address-expressions/{expression_id}?action=add
    • If the expression ID is missing: You must recreate the expression using a PATCH request to the Group instead of the action=add helper: PATCH /policy/api/v1/infra/domains/default/groups/{group_id}
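
The check-then-branch logic above, sketched as an added example (not code from the original article or from VMware): given the parsed JSON from the GET on the group, it returns the request the workflow should send next. Assumptions: the function name `plan_ip_add`, the sample group and expression IDs, reusing the old expression ID when recreating it, joining to existing criteria with an `OR` ConjunctionOperator, and sending the full expression list in the PATCH body.

```python
import copy

BASE = "/policy/api/v1/infra/domains/default/groups"

def plan_ip_add(group, group_id, expression_id, ips):
    """Given the GET group response, return (method, path, body) for adding ips."""
    exprs = group.get("expression", [])
    exists = any(e.get("resource_type") == "IPAddressExpression"
                 and e.get("id") == expression_id for e in exprs)
    if exists:
        # Expression survived earlier removals: the action=add helper is safe.
        path = f"{BASE}/{group_id}/ip-address-expressions/{expression_id}?action=add"
        return "POST", path, {"ip_addresses": list(ips)}
    # Expression was auto-deleted: recreate it via PATCH on the group.
    new_exprs = copy.deepcopy(exprs)  # keep the group's other criteria intact
    if new_exprs and new_exprs[-1].get("resource_type") != "ConjunctionOperator":
        # Assumption: adjacent expressions are joined with an OR operator.
        new_exprs.append({"resource_type": "ConjunctionOperator",
                          "conjunction_operator": "OR"})
    new_exprs.append({"resource_type": "IPAddressExpression",
                      "id": expression_id,  # assumption: reuse the old ID
                      "ip_addresses": list(ips)})
    return "PATCH", f"{BASE}/{group_id}", {"expression": new_exprs}

# Constructed sample GET responses (not captured from a real NSX Manager).
GROUP_WITH_EXPR = {"id": "web-grp", "expression": [
    {"resource_type": "IPAddressExpression", "id": "ipexp-1",
     "ip_addresses": ["192.0.2.10"]}]}
GROUP_EMPTIED = {"id": "web-grp", "expression": [
    {"resource_type": "Condition", "member_type": "VirtualMachine",
     "key": "Tag", "operator": "EQUALS", "value": "web"}]}

if __name__ == "__main__":
    for sample in (GROUP_WITH_EXPR, GROUP_EMPTIED):
        method, path, body = plan_ip_add(sample, "web-grp", "ipexp-1", ["192.0.2.20"])
        print(method, path, body)
```

Running the GET and this decision immediately before every add, rather than caching the group state, keeps the workflow correct when another job removes the last address in between.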