Event ID: gateway_firewall.sr_limit_per_edge_exceeded
Added in release: 4.2.1
Alarm Description:
Impact: Dataplane functions may be impacted due to high scale, and configuration may take longer to be realized.
VMware NSX 4.2.1 and above
There are more Tier-0 or Tier-1 gateways configured than the Edge Form Factor maximum.
Note: For optimal performance and throughput, it is recommended to follow the guidelines below based on NSX 4.2.1 Configuration Limits.
| Edge Form Factor | Max number of Gateway Firewalls | Description |
| --- | --- | --- |
| Medium | 5 | Deployed either as T0, T1 or Bridge mode on the same edge node. Note: TLS Inspection or Advanced Threat Prevention (ATP) features cannot be enabled on Gateway Firewalls deployed on a Medium Edge node. |
| Large or Extra Large | 100 | Can be a combination of either T0, T1, or Bridges. Note: Only 10 Gateway Firewalls can be deployed per Large Edge Node with Advanced Threat Prevention (ATP) features activated. |
| Baremetal | 100 | Can be a combination of either T0, T1, or Bridges. Note: Only 25 Gateway Firewalls can be deployed per Baremetal Edge Node with Advanced Threat Prevention (ATP) features activated. |
Reduce the number of gateways configured on the edge node. Map additional gateways to a new edge in the cluster.
Disable the Gateway Firewall feature on the Tier-0/Tier-1 Gateway or Bridge if only the System Default rules are present and no user-defined rules are configured.
There is a known issue with this alarm that may lead to a false positive trigger. This is documented in KB#382701.