Service Router Limit Per Edge Exceeded alarm is generated when support limit is not reached in NSX 4.2.1.X.



Article ID: 382701


Updated On:

Products

  • VMware vDefend Firewall
  • VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

  • VMware NSX is in use with the Gateway Firewall enabled.
  • Alarms are generated for "Service Router Limit Per Edge Exceeded" even though the limit is under the maximum allowed.
  • An example of one of these alarms can be seen below:

The number of T0/T1 Service routers 4 or bridges 0 with Gateway Firewall features enabled on edge XXX-XXX-XXX has exceeded the maximum threshold of 98%. Maximum number of Service routers and bridges supported with Gateway Firewall feature enabled is 5.

  • The limit for a medium edge node is 5. The above alarm states that the combined total of service routers and bridges using the firewall service is 4. The limit has not been exceeded, yet the alarm is seen in the UI.

Environment

VMware NSX 4.2.1.X

Cause

This is a known issue with the Event ID: gateway_firewall.sr_limit_per_edge_exceeded which was introduced in VMware NSX 4.2.1.

Note: For optimal performance and throughput, it is recommended to follow the guidelines below based on NSX 4.2.1 Configuration Limits.

Edge Form Factor | Max number of Gateway Firewalls | Description
--- | --- | ---
Medium | 5 | Deployed either as T0, T1 or Bridge mode on the same edge node. Note: TLS Inspection or Advanced Threat Prevention (ATP) features cannot be enabled on Gateway Firewalls deployed on a Medium Edge node.
Large or Extra Large | 100 | Can be a combination of either T0, T1, or Bridges. Note: Only 10 Gateway Firewalls can be deployed per Large Edge Node with Advanced Threat Prevention (ATP) features activated.
Baremetal | 100 | Can be a combination of either T0, T1, or Bridges. Note: Only 25 Gateway Firewalls can be deployed per Baremetal Edge Node with Advanced Threat Prevention (ATP) features activated.


Resolution

This is a known issue impacting VMware NSX 4.2.1.X and fixed in version 4.2.2.1 and 9.x.

Additional Information

Workaround: Suppress or disable the alarm if it is triggered while your T0/T1/Bridge gateways with GFW enabled are within the specified limits.
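Before suppressing an instance of this alarm, it helps to confirm from the alarm text itself that the reported count really is below the limit. The following Python helper, added here as an example and not part of the KB article, parses an alarm description in the format quoted above, recomputes the service-router-plus-bridge usage against the limit the alarm states, and flags the alarm as spurious when it fired below its own threshold on a 4.2.1.x build. The edge name and version strings are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed regex for the alarm description format quoted in this article.
_ALARM_RE = re.compile(
    r"The number of T0/T1 Service routers (?P<sr>\d+) or bridges (?P<br>\d+) .*?"
    r"on edge (?P<edge>\S+) has exceeded the maximum threshold of (?P<pct>\d+)%\. "
    r"Maximum number of Service routers and bridges supported .*? is (?P<limit>\d+)\."
)

# Constructed sample: the article's alarm text with a placeholder edge name.
SAMPLE_ALARM = (
    "The number of T0/T1 Service routers 4 or bridges 0 with Gateway Firewall "
    "features enabled on edge edge-placeholder-01 has exceeded the maximum "
    "threshold of 98%. Maximum number of Service routers and bridges supported "
    "with Gateway Firewall feature enabled is 5."
)


@dataclass
class AlarmCheck:
    edge: str
    count: int      # service routers + bridges with GFW enabled
    limit: int      # limit stated in the alarm (5 for a Medium edge)
    usage_pct: float
    genuine: bool   # True only if usage really reached the alarm threshold


def check_sr_limit_alarm(description: str) -> AlarmCheck:
    """Recompute the usage percentage from the numbers the alarm itself reports."""
    m = _ALARM_RE.search(description)
    if not m:
        raise ValueError("not a gateway_firewall.sr_limit_per_edge_exceeded description")
    count = int(m["sr"]) + int(m["br"])
    limit = int(m["limit"])
    usage = 100.0 * count / limit
    return AlarmCheck(m["edge"], count, limit, usage, usage >= int(m["pct"]))


def is_spurious(description: str, nsx_version: str) -> bool:
    """True when the alarm fired below its threshold on an affected 4.2.1.x build."""
    result = check_sr_limit_alarm(description)
    return nsx_version.startswith("4.2.1") and not result.genuine


if __name__ == "__main__":
    r = check_sr_limit_alarm(SAMPLE_ALARM)
    print(f"{r.edge}: {r.count}/{r.limit} = {r.usage_pct:.0f}% genuine={r.genuine}")
    print("spurious on 4.2.1.x:", is_spurious(SAMPLE_ALARM, "4.2.1.0"))
```

An alarm that is not flagged spurious (usage at or above the threshold, or a fixed release) should be investigated rather than suppressed.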