Distributed Firewall (DFW) rules fail to process traffic even after successfully publishing the rules in VMware NSX for vSphere 6.x
Article ID: 339045

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
    • Publishing Distributed Firewall rules succeeds, but blocking network traffic fails
    • Creating a distributed router instance fails
    • In the RMQ logs that are included in the NSX log bundle, you see entries similar to:

      =ERROR REPORT==== 16-Jun-2015::22:43:18 ===
      closing AMQP connection <0.10555.705> (10.12.96.40:57237 -> 10.12.96.190:5671):
      {handshake_error,starting,0,
      {amqp_error,access_refused,
      "PLAIN login refused: user 'uw-host-150' - invalid credentials",
      'connection.start_ok'}}


    • In the /var/log/vsfwd.log file on the ESXi host, you see entries similar to:

      2015-06-16T22:35:04Z vsfwd: [ERROR] Failed to log on to broker 10.12.96.190:5671: Logging in: Input/output error

    • In the /home/secureall/secureall/logs/vsm.log file on the vShield/NSX Manager, you see entries similar to:

      2015-06-16 22:48:57.535 GMT ERROR HeartbeatManagerHeartbeatTimer HeartbeatManager$HeartbeatTask:297 - Client has not responded to the heartbeat for longer than the alert threshold. Peer name = 'com.vmware.vshield.userworld', client token = 'host-1837', client id = '4f61c5d3-15cb-4a2d-9a0c-15c32dd2b276', last heartbeat response = '20557', last published heartbeat = '23507'

      Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
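
A triage sketch for the three log signatures above, added here as an example (it is not VMware code). It scans lines from the RMQ log, vsfwd.log and vsm.log and reports whether the manager-side refusal and the host-side login failure name the same broker. The function names and sample lists are assumptions; the patterns are derived from the excerpts in this article.

```python
import re

# Patterns derived from the three log excerpts quoted in the symptoms above.
RMQ_CONN = re.compile(r"closing AMQP connection <[^>]+> "
                      r"\((?P<src>[\d.]+):\d+ -> (?P<broker>[\d.]+:\d+)\)")
RMQ_USER = re.compile(r"PLAIN login refused: user '(?P<user>[^']+)' - invalid credentials")
VSFWD_FAIL = re.compile(r"vsfwd: \[ERROR\] Failed to log on to broker (?P<broker>[\d.]+:\d+)")
VSM_BEAT = re.compile(r"Client has not responded to the heartbeat.*?client token = '(?P<token>[^']+)'")

def scan_rmq(lines):
    """Pair each 'closing AMQP connection' line with the refusal that follows it."""
    hits, conn = [], None
    for line in lines:
        if m := RMQ_CONN.search(line):
            conn = (m["src"], m["broker"])
        elif (m := RMQ_USER.search(line)) and conn:
            hits.append((*conn, m["user"]))
            conn = None
        elif "=ERROR REPORT" in line:
            conn = None  # new report starts: drop any unpaired connection
    return hits

def triage(rmq, vsfwd, vsm):
    """Summarise the three logs; all arguments are iterables of log lines."""
    refused = scan_rmq(rmq)
    brokers = sorted({m["broker"] for l in vsfwd if (m := VSFWD_FAIL.search(l))})
    silent = sorted({m["token"] for l in vsm if (m := VSM_BEAT.search(l))})
    # The article's pattern: the manager-side refusal and the host-side
    # login failure name the same broker endpoint.
    confirmed = any(b == broker for _, broker, _ in refused for b in brokers)
    return {"refused_logins": refused, "vsfwd_brokers": brokers,
            "silent_hosts": silent, "broker_confirmed": confirmed}

# Constructed input: the excerpts from this article, split into lines.
SAMPLE_RMQ = """=ERROR REPORT==== 16-Jun-2015::22:43:18 ===
closing AMQP connection <0.10555.705> (10.12.96.40:57237 -> 10.12.96.190:5671):
{handshake_error,starting,0,
{amqp_error,access_refused,
"PLAIN login refused: user 'uw-host-150' - invalid credentials",
'connection.start_ok'}}""".splitlines()
SAMPLE_VSFWD = ["2015-06-16T22:35:04Z vsfwd: [ERROR] Failed to log on to broker "
                "10.12.96.190:5671: Logging in: Input/output error"]
SAMPLE_VSM = ["2015-06-16 22:48:57.535 GMT ERROR HeartbeatManagerHeartbeatTimer "
              "HeartbeatManager$HeartbeatTask:297 - Client has not responded to the "
              "heartbeat for longer than the alert threshold. Peer name = "
              "'com.vmware.vshield.userworld', client token = 'host-1837'"]

if __name__ == "__main__":
    print(triage(SAMPLE_RMQ, SAMPLE_VSFWD, SAMPLE_VSM))
```

The excerpts come from different hosts, so the sketch correlates on the broker endpoint only and lists refused users and unresponsive client tokens separately.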


Environment

VMware NSX for vSphere 6.1.x
VMware NSX for vSphere 6.0.x

Cause

This issue occurs when the netcpa module on one or more ESXi hosts fails to establish a connection with the NSX Manager RMQ server. This connection handles all management operations.

Resolution

To resolve this issue, ensure that the host profile that is applied to the ESXi hosts is configured as recommended. For more information, see Deploying VXLAN through Auto Deploy and VMware NSX for vSphere 6.x (2092871).

Additional Information

Deploying VMware NSX for vSphere 6.x through Auto Deploy