WAF Profile Remains INACTIVE in VCD — "WAF profile with this name and tenant reference already exists"

Article ID: 438542

Products

VMware Cloud Director, VMware Avi Load Balancer

Issue/Introduction

An Avi Load Balancer Virtual Service (VS) provisioned through VMware Cloud Director (VCD) has its WAF profile status in an INACTIVE state. When an administrator attempts to activate the WAF profile from VCD, the operation fails with the following error:

"WAF profile with this name and tenant reference already exists."

As a result, WAF protection cannot be enabled on the affected VS through normal VCD operations.

Error message in Avi Load Balancer UI > Operation > Event > All Event

Environment

  • Products: Avi Load Balancer (Avi ALB), VMware Cloud Director (VCD)
  • Component: Web Application Firewall (WAF) — WAF Profile / WAF Policy
  • Provisioning Method: Virtual Service created and managed through VCD

Cause

When WAF is activated on a Virtual Service from VCD, VCD automatically creates a new WAF Policy on the Avi Controller based on the VS name. It does not check for or reference any existing WAF Policy that may already be attached to the VS on the Avi Controller.

In this case, a WAF Policy was already present on the Avi Controller and was attached to the VS. On the second attempt to activate WAF from VCD, since a policy with the same name already existed under the same tenant, the Avi Controller rejected the duplicate creation request. This caused a Config_Create failure in the Avi Load Balancer event log and left the WAF profile in an INACTIVE state in VCD.

This behavior is expected. VCD always creates a new WAF Policy object upon activation and does not perform deduplication or reference resolution against existing objects on the Avi Controller.
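
The conflict described above can be spotted before activation by checking exported Avi Controller objects for WAF policies and profiles that already carry the VS name in the same tenant. The following is an added example, not code from VCD or Avi: the function name, the sample objects and the substring name match are assumptions (the article only says the policy name is based on the VS name), and the field names follow the Avi object model (name, uuid, tenant_ref, waf_policy_ref, waf_profile_ref).

```python
"""Pre-flight check: list WAF objects that would collide when VCD activates WAF.

Input dicts mimic Avi Controller API objects; all sample data is constructed.
"""

def _ref_id(ref):
    # Avi refs are URLs ending in the object's uuid (optionally followed by "#name").
    return ref.rstrip("/").rsplit("/", 1)[-1].split("#")[0] if ref else None

def find_waf_conflicts(vs_name, tenant_ref, policies, profiles, virtual_services):
    """Return WAF policies/profiles in the tenant whose name contains vs_name.

    Assumption: substring match on the VS name; adjust it to the object name
    shown in the Config_Create failure event on your controller.
    """
    tenant = _ref_id(tenant_ref)
    conflicts = []
    for kind, objs in (("wafpolicy", policies), ("wafprofile", profiles)):
        for obj in objs:
            if _ref_id(obj.get("tenant_ref")) != tenant or vs_name not in obj["name"]:
                continue
            if kind == "wafpolicy":  # which Virtual Services still use this policy
                users = [vs["name"] for vs in virtual_services
                         if _ref_id(vs.get("waf_policy_ref")) == obj["uuid"]]
            else:                    # which policies still use this profile
                users = [p["name"] for p in policies
                         if _ref_id(p.get("waf_profile_ref")) == obj["uuid"]]
            conflicts.append({"kind": kind, "name": obj["name"],
                              "uuid": obj["uuid"], "referenced_by": users})
    return conflicts  # policies first, then profiles

# Constructed sample inventory (hypothetical controller URL and uuids).
T1 = "https://avi.example/api/tenant/tenant-1111"
T2 = "https://avi.example/api/tenant/tenant-2222"
SAMPLE_POLICIES = [
    {"name": "web-vs-01-waf", "uuid": "wafpolicy-aaa", "tenant_ref": T1,
     "waf_profile_ref": "https://avi.example/api/wafprofile/wafprofile-bbb"},
    {"name": "web-vs-01-waf", "uuid": "wafpolicy-ccc", "tenant_ref": T2},
]
SAMPLE_PROFILES = [{"name": "web-vs-01-waf", "uuid": "wafprofile-bbb", "tenant_ref": T1}]
SAMPLE_VS = [{"name": "web-vs-01", "uuid": "virtualservice-ddd", "tenant_ref": T1,
              "waf_policy_ref": "https://avi.example/api/wafpolicy/wafpolicy-aaa"}]

if __name__ == "__main__":
    for c in find_waf_conflicts("web-vs-01", T1, SAMPLE_POLICIES, SAMPLE_PROFILES, SAMPLE_VS):
        print(c)
```

A non-empty result for the tenant means a second activation from VCD would hit the same name and tenant conflict; the referenced_by lists show which objects still depend on each entry.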

Resolution

The issue was resolved by fully cleaning up the existing conflicting objects on the VMware Avi Load Balancer and VCD, then recreating them from scratch:

  1. Delete the existing WAF Policy from the Avi Controller.
  2. Delete the existing WAF Profile from the Avi Controller.
  3. Delete the Virtual Service from VCD.
  4. Recreate the Virtual Service in VCD using the same name, VIP and configuration.
  5. Activate the WAF policy on the newly created VS from VCD.

After completing these steps, VCD successfully created a new WAF Policy without any naming conflict, and the WAF status transitioned to ACTIVE.

Note: This procedure involves deleting the Virtual Service and will cause a brief service interruption. It is recommended to perform these steps during a planned maintenance window. Ensure all VS configuration details (VIP, pool members, SSL profiles, policies) are documented and exported as backup before deletion.