Rule Configuration failure is observed when multiple ports are configured for ALG Service

Article ID: 325126

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • Rule configuration on the DFW fails.
  • The status on the MP is Rule Publish Failure for the hosts in question.
  • The API reports the status similar to:

    API Status 

    <hostStatus>
    <hostId>host-569096</hostId>
    <hostName>example.local</hostName>
    <status>publish_failed</status>
    <errorMessage>errorcode.301034</errorMessage>
    <errorCode>301034</errorCode>
    <startTime>1548839862774</startTime>
    <endTime>1549367457383</endTime>
    <generationNumber>1548839861809</generationNumber>
    <clusterId>domain-c7</clusterId>
    <generationNumberObjects>1549350096435</generationNumberObjects>
    </hostStatus>

  • In the /var/log/vsfwd.log file of the ESXi host, you see entries similar to:

    2019-02-05T12:02:15Z vsfwd: [WARN] ioctl failed, errno=22
    2019-02-05T12:02:15Z vsfwd: [WARN] Failed to apply RuleSet 1549368134646 for vnic 503ea0ff-2248-8d8c-57b1-9a15912e0c0f.002
    2019-02-05T12:02:15Z vsfwd: [WARN] ioctl failed, errno=22
    2019-02-05T12:02:15Z vsfwd: [WARN] Failed to apply RuleSet 1549368134646 for vnic 503ea0ff-2248-8d8c-57b1-9a15912e0c0f.001
    2019-02-05T12:02:15Z vsfwd: [WARN] ioctl failed, errno=22
    2019-02-05T12:02:15Z vsfwd: [WARN] Failed to apply RuleSet 1549368134646 for vnic 503ea0ff-2248-8d8c-57b1-9a15912e0c0f.000
    2019-02-05T12:02:15Z vsfwd: [WARN] ioctl failed, errno=22
    2019-02-05T12:02:15Z vsfwd: [WARN] Failed to apply RuleSet 1549368134646 for vnic 503e8715-9a5a-219f-3240-3181901f6361.000
    2019-02-05T12:02:15Z vsfwd: [WARN] ioctl failed, errno=22
    2019-02-05T12:02:15Z vsfwd: [WARN] Failed to apply RuleSet 1549368134646 for vnic 503e7213-7735-a717-4e61-72dea359e1bd.000
    2019-02-05T12:02:15Z vsfwd: [WARN] ioctl failed, errno=22
    2019-02-05T12:02:15Z vsfwd: [WARN] Failed to apply RuleSet 1549368134646 for vnic 501659d1-6df1-2be5-02bb-e893ea52e754.000
    2019-02-05T12:02:15Z vsfwd: [WARN] ioctl failed, errno=22
    2019-02-05T12:02:15Z vsfwd: [WARN] Failed to apply RuleSet 1549368134646 for vnic 503e82f1-e291-c0d2-7f5d-0f76cf54ad5b.000
    2019-02-05T12:02:15Z vsfwd: [WARN] ioctl failed, errno=22
    2019-02-05T12:02:15Z vsfwd: [WARN] Failed to apply RuleSet 1549368134646 for vnic 503e7fc0-13d4-44ff-20c6-9b461e4ac44

     
  • In the /var/log/vmkernel.log file of the ESXi host, you see entries similar to:

    2019-02-05T12:02:15.750Z cpu36:27543657)VSIPFixRuleCtrlPort: unsupported dst port op 10 for dynamic rule!
    2019-02-05T12:02:15.750Z cpu36:27543657)pf_rollback_rules: rs_num: 1, anchor: domain-c7
    2019-02-05T12:02:15.750Z cpu36:27543657)pf_rollback_rules: rs_num: 2, anchor: domain-c7
    2019-02-05T12:02:15.750Z cpu36:27543657)pf_rollback_rules: rs_num: 4, anchor: domain-c7
    2019-02-05T12:02:15.756Z cpu36:27543657)VSIPFixRuleCtrlPort: unsupported dst port op 10 for dynamic rule!
    2019-02-05T12:02:15.756Z cpu36:27543657)pf_rollback_rules: rs_num: 1, anchor: domain-c7
    2019-02-05T12:02:15.756Z cpu36:27543657)pf_rollback_rules: rs_num: 2, anchor: domain-c7
    2019-02-05T12:02:15.756Z cpu36:27543657)pf_rollback_rules: rs_num: 4, anchor: domain-c7
    2019-02-05T12:02:15.761Z cpu36:27543657)VSIPFixRuleCtrlPort: unsupported dst port op 10 for dynamic rule!
    2019-02-05T12:02:15.761Z cpu36:27543657)pf_rollback_rules: rs_num: 1, anchor: domain-c7
    2019-02-05T12:02:15.761Z cpu36:27543657)pf_rollback_rules: rs_num: 2, anchor: domain-c7
    2019-02-05T12:02:15.761Z cpu36:27543657)pf_rollback_rules: rs_num: 4, anchor: domain-c7
    2019-02-05T12:02:15.766Z cpu36:27543657)VSIPFixRuleCtrlPort: unsupported dst port op 10 for dynamic rule!
    2019-02-05T12:02:15.766Z cpu36:27543657)pf_rollback_rules: rs_num: 1, anchor: domain-c7
    2019-02-05T12:02:15.766Z cpu36:27543657)pf_rollback_rules: rs_num: 2, anchor: domain-c7
    2019-02-05T12:02:15.766Z cpu36:27543657)pf_rollback_rules: rs_num: 4, anchor: domain-c7
    2019-02-05T12:02:15.772Z cpu36:27543657)VSIPFixRuleCtrlPort: unsupported dst port op 10 for dynamic rule!


    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
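The two log signatures above (vsfwd reporting "ioctl failed, errno=22" and "Failed to apply RuleSet ... for vnic ...", and the VMkernel reporting "VSIPFixRuleCtrlPort: unsupported dst port op ... for dynamic rule!" followed by pf_rollback_rules) are what identify this problem on a host. The following script is an added triage example, not part of this article: it parses the two logs, correlates the signatures and reports the affected ruleset, the vNIC filters it failed on and the anchor that was rolled back. The sample log lines are constructed from the excerpts above; the function and field names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the excerpts in this article (not real host output).
VSFWD_LOG = """\
2019-02-05T12:02:15Z vsfwd: [WARN] ioctl failed, errno=22
2019-02-05T12:02:15Z vsfwd: [WARN] Failed to apply RuleSet 1549368134646 for vnic 503ea0ff-2248-8d8c-57b1-9a15912e0c0f.002
2019-02-05T12:02:15Z vsfwd: [WARN] ioctl failed, errno=22
2019-02-05T12:02:15Z vsfwd: [WARN] Failed to apply RuleSet 1549368134646 for vnic 503e8715-9a5a-219f-3240-3181901f6361.000
"""

VMKERNEL_LOG = """\
2019-02-05T12:02:15.750Z cpu36:27543657)VSIPFixRuleCtrlPort: unsupported dst port op 10 for dynamic rule!
2019-02-05T12:02:15.750Z cpu36:27543657)pf_rollback_rules: rs_num: 1, anchor: domain-c7
2019-02-05T12:02:15.750Z cpu36:27543657)pf_rollback_rules: rs_num: 2, anchor: domain-c7
2019-02-05T12:02:15.750Z cpu36:27543657)pf_rollback_rules: rs_num: 4, anchor: domain-c7
"""

# Patterns follow the line shapes shown in the article.
VSFWD_IOCTL = re.compile(r"^(?P<ts>\S+) vsfwd: \[WARN\] ioctl failed, errno=(?P<errno>\d+)")
VSFWD_FAIL = re.compile(r"^(?P<ts>\S+) vsfwd: \[WARN\] Failed to apply RuleSet (?P<rs>\d+) for vnic (?P<vnic>\S+)")
VMK_ALG = re.compile(r"^(?P<ts>\S+) cpu\d+:\d+\)VSIPFixRuleCtrlPort: unsupported dst port op (?P<op>\d+) for dynamic rule!")
VMK_ROLLBACK = re.compile(r"^(?P<ts>\S+) cpu\d+:\d+\)pf_rollback_rules: rs_num: (?P<rs>\d+), anchor: (?P<anchor>\S+)")


def parse_vsfwd(lines):
    """Return ({ruleset_id: set(vnic filters)} for failed applies, number of EINVAL (22) ioctls)."""
    failed = defaultdict(set)
    einval = 0
    for line in lines:
        m = VSFWD_IOCTL.match(line)
        if m:
            if m.group("errno") == "22":  # EINVAL: the kernel rejected the rule it was handed
                einval += 1
            continue
        m = VSFWD_FAIL.match(line)
        if m:
            failed[m.group("rs")].add(m.group("vnic"))
    return dict(failed), einval


def parse_vmkernel(lines):
    """Return (list of unsupported dst port op codes seen, set of anchors that were rolled back)."""
    ops, anchors = [], set()
    for line in lines:
        m = VMK_ALG.match(line)
        if m:
            ops.append(int(m.group("op")))
            continue
        m = VMK_ROLLBACK.match(line)
        if m:
            anchors.add(m.group("anchor"))
    return ops, anchors


def diagnose(vsfwd_lines, vmk_lines):
    """Correlate both logs; 'matches' is True only when all three signatures are present together."""
    failed, einval = parse_vsfwd(vsfwd_lines)
    ops, anchors = parse_vmkernel(vmk_lines)
    return {
        "matches": bool(failed) and einval > 0 and bool(ops),
        "failed_rulesets": {rs: sorted(v) for rs, v in failed.items()},
        "einval_ioctls": einval,
        "unsupported_port_ops": sorted(set(ops)),
        "rolled_back_anchors": sorted(anchors),
    }


if __name__ == "__main__":
    report = diagnose(VSFWD_LOG.splitlines(), VMKERNEL_LOG.splitlines())
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real host, feed the script /var/log/vsfwd.log and /var/log/vmkernel.log; a ruleset that appears in failed_rulesets together with a non-empty unsupported_port_ops list is the one to inspect for a multi-port ALG rule. The rolled_back_anchors value (the cluster, domain-c7 in the excerpt) tells you which cluster's ruleset was backed out.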


Environment

VMware NSX Data Center for vSphere 6.4.x

Cause

This issue occurs when a Distributed Firewall rule for an ALG service (FTP, ORACLE, SUNRPC or DCERPC) is configured with multiple destination ports. Specifying more than one port in a single ALG firewall rule is not supported. The host rejects the rule (the "VSIPFixRuleCtrlPort: unsupported dst port op" entry in vmkernel.log), the ioctl returns errno 22 (EINVAL) to vsfwd, and the ruleset publish is rolled back on that host (the pf_rollback_rules entries), so the failure is reported for the host's vNICs rather than only for the offending rule.

For example:

rule 1000 at 0 inout protocol tcp from addrset ip-securitygroup-100 to addrset ip-securitygroup-200 port {1521, 1522, 1525} with attribute addrset attr_1000_1_APP_ID accept as oracle;

Resolution

This issue is resolved in VMware NSX for vSphere 6.4.5, available at VMware Downloads.


Workaround:
To work around this issue, specify only one port per ALG rule: replace the multi-port rule with one rule per port, each with the same source, destination, attribute and ALG service. After republishing, confirm that the host status on the MP is no longer Rule Publish Failure and that vsfwd.log no longer logs "ioctl failed, errno=22" for the ruleset.

For example:

rule 1000 at 0 inout protocol tcp from addrset ip-securitygroup-100 to addrset ip-securitygroup-200 port 1521 with attribute addrset attr_1000_1_APP_ID accept as oracle;
rule 1001 at 0 inout protocol tcp from addrset ip-securitygroup-100 to addrset ip-securitygroup-200 port 1522 with attribute addrset attr_1000_1_APP_ID accept as oracle;
rule 1002 at 0 inout protocol tcp from addrset ip-securitygroup-100 to addrset ip-securitygroup-200 port 1525 with attribute addrset attr_1000_1_APP_ID accept as oracle;
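The Cause and Workaround sections together describe a mechanical transformation: find rules whose ALG service is one of FTP, ORACLE, SUNRPC or DCERPC and whose port field is a set, then expand each into one rule per port. The script below is an added example, not part of this article, that applies that transformation to rule lines in the dump format shown on this page. It flags the offending rule IDs and emits the split rules; the first split rule keeps the original ID and the rest take the next free consecutive IDs (the allocation scheme is the example's own assumption, mirroring the 1000/1001/1002 numbering above, and it skips IDs already in use). The second and third sample rules are constructed, and the lowercase ALG names other than oracle are assumed to follow the same convention as "as oracle".

```python
import re

# ALG services named in the Cause section; lowercase form assumed to match "as oracle" above.
ALG_SERVICES = {"ftp", "oracle", "sunrpc", "dcerpc"}

# rule <id> at <pos> <match-head> port <portspec> [<tail>] [as <alg>];
RULE_RE = re.compile(
    r"^rule (?P<id>\d+) at (?P<pos>\d+) (?P<head>.+?) port "
    r"(?P<ports>\{[^}]*\}|\S+)(?P<tail>.*?)(?: as (?P<alg>\w+))?;\s*$"
)

SAMPLE_RULES = [
    # The offending rule from the Cause section.
    "rule 1000 at 0 inout protocol tcp from addrset ip-securitygroup-100 to addrset ip-securitygroup-200 "
    "port {1521, 1522, 1525} with attribute addrset attr_1000_1_APP_ID accept as oracle;",
    # Constructed: a non-ALG multi-port rule (allowed) that also occupies id 1001.
    "rule 1001 at 0 inout protocol tcp from any to any port {80, 443} accept;",
    # Constructed: a single-port ALG rule, already compliant.
    "rule 1002 at 0 inout protocol tcp from any to any port 21 accept as ftp;",
]


def parse_rule(line):
    """Parse one rule line into a dict; 'ports' is a list, 'raw_ports' the original token."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule line: {line!r}")
    r = m.groupdict()
    r["id"] = int(r["id"])
    r["raw_ports"] = r["ports"]
    if r["ports"].startswith("{"):
        r["ports"] = [p.strip() for p in r["ports"][1:-1].split(",") if p.strip()]
    else:
        r["ports"] = [r["ports"]]
    return r


def is_unsupported_alg_rule(r):
    """True when the rule is an ALG rule carrying more than one port (the condition this KB describes)."""
    return r["alg"] in ALG_SERVICES and len(r["ports"]) > 1


def format_rule(r, ports, rule_id):
    alg = f" as {r['alg']}" if r["alg"] else ""
    return f"rule {rule_id} at {r['pos']} {r['head']} port {ports}{r['tail']}{alg};"


def split_alg_rules(lines):
    """Return (rewritten rule lines, ids of rules that had to be split).

    Multi-port ALG rules become one rule per port; all other rules pass through unchanged.
    New ids continue from the original id and skip any id already present in the input.
    """
    rules = [parse_rule(l) for l in lines if l.strip()]
    used = {r["id"] for r in rules}
    out, offending = [], []
    for r in rules:
        if not is_unsupported_alg_rule(r):
            out.append(format_rule(r, r["raw_ports"], r["id"]))
            continue
        offending.append(r["id"])
        out.append(format_rule(r, r["ports"][0], r["id"]))
        candidate = r["id"]
        for port in r["ports"][1:]:
            candidate += 1
            while candidate in used:
                candidate += 1
            used.add(candidate)
            out.append(format_rule(r, port, candidate))
    return out, offending


if __name__ == "__main__":
    rewritten, bad = split_alg_rules(SAMPLE_RULES)
    print(f"rules needing a split: {bad}")
    for line in rewritten:
        print(line)
```

Run against a saved rule dump, the script prints the rule IDs you need to fix on the NSX Manager and the equivalent single-port rules; the rules themselves are still created through the DFW UI or API, since the dump format is read-only output from the host.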