In the /var/log/vsfwd.log file of the ESXi host, you see entries similar to:
2019-02-05T12:02:15Z vsfwd: [WARN] ioctl failed, errno=22
2019-02-05T12:02:15Z vsfwd: [WARN] Failed to apply RuleSet 1549368134646 for vnic 503ea0ff-2248-8d8c-57b1-9a15912e0c0f.002
2019-02-05T12:02:15Z vsfwd: [WARN] ioctl failed, errno=22
2019-02-05T12:02:15Z vsfwd: [WARN] Failed to apply RuleSet 1549368134646 for vnic 503ea0ff-2248-8d8c-57b1-9a15912e0c0f.001
2019-02-05T12:02:15Z vsfwd: [WARN] ioctl failed, errno=22
2019-02-05T12:02:15Z vsfwd: [WARN] Failed to apply RuleSet 1549368134646 for vnic 503ea0ff-2248-8d8c-57b1-9a15912e0c0f.000
2019-02-05T12:02:15Z vsfwd: [WARN] ioctl failed, errno=22
2019-02-05T12:02:15Z vsfwd: [WARN] Failed to apply RuleSet 1549368134646 for vnic 503e8715-9a5a-219f-3240-3181901f6361.000
2019-02-05T12:02:15Z vsfwd: [WARN] ioctl failed, errno=22
2019-02-05T12:02:15Z vsfwd: [WARN] Failed to apply RuleSet 1549368134646 for vnic 503e7213-7735-a717-4e61-72dea359e1bd.000
2019-02-05T12:02:15Z vsfwd: [WARN] ioctl failed, errno=22
2019-02-05T12:02:15Z vsfwd: [WARN] Failed to apply RuleSet 1549368134646 for vnic 501659d1-6df1-2be5-02bb-e893ea52e754.000
2019-02-05T12:02:15Z vsfwd: [WARN] ioctl failed, errno=22
2019-02-05T12:02:15Z vsfwd: [WARN] Failed to apply RuleSet 1549368134646 for vnic 503e82f1-e291-c0d2-7f5d-0f76cf54ad5b.000
2019-02-05T12:02:15Z vsfwd: [WARN] ioctl failed, errno=22
2019-02-05T12:02:15Z vsfwd: [WARN] Failed to apply RuleSet 1549368134646 for vnic 503e7fc0-13d4-44ff-20c6-9b461e4ac44
In the /var/log/vmkernel.log file of the ESXi host, you see entries similar to:
2019-02-05T12:02:15.750Z cpu36:27543657)VSIPFixRuleCtrlPort: unsupported dst port op 10 for dynamic rule!
2019-02-05T12:02:15.750Z cpu36:27543657)pf_rollback_rules: rs_num: 1, anchor: domain-c7
2019-02-05T12:02:15.750Z cpu36:27543657)pf_rollback_rules: rs_num: 2, anchor: domain-c7
2019-02-05T12:02:15.750Z cpu36:27543657)pf_rollback_rules: rs_num: 4, anchor: domain-c7
2019-02-05T12:02:15.756Z cpu36:27543657)VSIPFixRuleCtrlPort: unsupported dst port op 10 for dynamic rule!
2019-02-05T12:02:15.756Z cpu36:27543657)pf_rollback_rules: rs_num: 1, anchor: domain-c7
2019-02-05T12:02:15.756Z cpu36:27543657)pf_rollback_rules: rs_num: 2, anchor: domain-c7
2019-02-05T12:02:15.756Z cpu36:27543657)pf_rollback_rules: rs_num: 4, anchor: domain-c7
2019-02-05T12:02:15.761Z cpu36:27543657)VSIPFixRuleCtrlPort: unsupported dst port op 10 for dynamic rule!
2019-02-05T12:02:15.761Z cpu36:27543657)pf_rollback_rules: rs_num: 1, anchor: domain-c7
2019-02-05T12:02:15.761Z cpu36:27543657)pf_rollback_rules: rs_num: 2, anchor: domain-c7
2019-02-05T12:02:15.761Z cpu36:27543657)pf_rollback_rules: rs_num: 4, anchor: domain-c7
2019-02-05T12:02:15.766Z cpu36:27543657)VSIPFixRuleCtrlPort: unsupported dst port op 10 for dynamic rule!
2019-02-05T12:02:15.766Z cpu36:27543657)pf_rollback_rules: rs_num: 1, anchor: domain-c7
2019-02-05T12:02:15.766Z cpu36:27543657)pf_rollback_rules: rs_num: 2, anchor: domain-c7
2019-02-05T12:02:15.766Z cpu36:27543657)pf_rollback_rules: rs_num: 4, anchor: domain-c7
2019-02-05T12:02:15.772Z cpu36:27543657)VSIPFixRuleCtrlPort: unsupported dst port op 10 for dynamic rule!
Note: The preceding log excerpts are only examples. Dates, times, and environment-specific values (rule set IDs, vnic IDs, anchors) vary from one environment to another.
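To triage this symptom across a host's logs rather than by eye, the following is an added example (not part of the KB article and not VMware code) that parses vsfwd.log and vmkernel.log lines of the shapes shown above. It groups the "Failed to apply RuleSet" warnings by rule set ID, collapses per-vnic IDs (the ".000/.001/.002" suffix) back to the owning VM, counts the ioctl errno values, and counts the vmkernel "unsupported dst port op" rejections that accompany the rollback. The sample lines are constructed from the excerpts above; the regexes assume the exact message formats shown and nothing else.

```python
import re
from collections import defaultdict

# Message shapes taken from the log excerpts in this article (assumption: exact format).
VSFWD_FAIL_RE = re.compile(
    r"^(?P<ts>\S+) vsfwd: \[WARN\] Failed to apply RuleSet (?P<ruleset>\d+) "
    r"for vnic (?P<vnic>\S+)$"
)
VSFWD_IOCTL_RE = re.compile(
    r"^(?P<ts>\S+) vsfwd: \[WARN\] ioctl failed, errno=(?P<errno>\d+)$"
)
VMK_PORT_OP_RE = re.compile(
    r"VSIPFixRuleCtrlPort: unsupported dst port op (?P<op>\d+) for dynamic rule!"
)

# Constructed sample input (a subset of the vsfwd.log excerpt above).
SAMPLE_VSFWD = [
    "2019-02-05T12:02:15Z vsfwd: [WARN] ioctl failed, errno=22",
    "2019-02-05T12:02:15Z vsfwd: [WARN] Failed to apply RuleSet 1549368134646 for vnic 503ea0ff-2248-8d8c-57b1-9a15912e0c0f.002",
    "2019-02-05T12:02:15Z vsfwd: [WARN] ioctl failed, errno=22",
    "2019-02-05T12:02:15Z vsfwd: [WARN] Failed to apply RuleSet 1549368134646 for vnic 503ea0ff-2248-8d8c-57b1-9a15912e0c0f.001",
    "2019-02-05T12:02:15Z vsfwd: [WARN] ioctl failed, errno=22",
    "2019-02-05T12:02:15Z vsfwd: [WARN] Failed to apply RuleSet 1549368134646 for vnic 503e8715-9a5a-219f-3240-3181901f6361.000",
]

# Constructed sample input (a subset of the vmkernel.log excerpt above).
SAMPLE_VMK = [
    "2019-02-05T12:02:15.750Z cpu36:27543657)VSIPFixRuleCtrlPort: unsupported dst port op 10 for dynamic rule!",
    "2019-02-05T12:02:15.750Z cpu36:27543657)pf_rollback_rules: rs_num: 1, anchor: domain-c7",
    "2019-02-05T12:02:15.756Z cpu36:27543657)VSIPFixRuleCtrlPort: unsupported dst port op 10 for dynamic rule!",
]


def summarize_vsfwd(lines):
    """Return (failed, errnos): failed maps rule set ID -> sorted list of vnic IDs
    that could not receive it; errnos maps errno string -> number of ioctl failures."""
    failed = defaultdict(set)
    errnos = defaultdict(int)
    for line in lines:
        line = line.strip()
        m = VSFWD_FAIL_RE.match(line)
        if m:
            failed[m.group("ruleset")].add(m.group("vnic"))
            continue
        m = VSFWD_IOCTL_RE.match(line)
        if m:
            errnos[m.group("errno")] += 1
    return {rs: sorted(v) for rs, v in failed.items()}, dict(errnos)


def count_unsupported_port_ops(lines):
    """Count vmkernel.log lines where a dynamic (ALG) rule was rejected for its port operator."""
    return sum(1 for line in lines if VMK_PORT_OP_RE.search(line))


def affected_vms(vnic_ids):
    """Strip the trailing '.NNN' vnic index so a VM with several vnics is listed once."""
    return sorted({v.rsplit(".", 1)[0] for v in vnic_ids})


if __name__ == "__main__":
    failed, errnos = summarize_vsfwd(SAMPLE_VSFWD)
    for ruleset, vnics in failed.items():
        print(f"RuleSet {ruleset} failed on {len(vnics)} vnic(s), VMs: {affected_vms(vnics)}")
    print("ioctl errno counts:", errnos)
    print("vmkernel unsupported port-op rejections:", count_unsupported_port_ops(SAMPLE_VMK))
```

Run it against the real files with something like `summarize_vsfwd(open("/var/log/vsfwd.log"))`; a single rule set ID failing on every vnic of the host, paired with vmkernel port-op rejections at the same timestamps, is the pattern that points at a rule-level cause (the Cause section) rather than at one VM.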
Environment
VMware NSX Data Center for vSphere 6.4.x
Cause
This issue occurs when a firewall rule for an ALG service such as FTP, ORACLE, SUNRPC, or DCERPC is configured with multiple ports. Specifying multiple ports in a single ALG firewall rule is not supported.
For example:
rule 1000 at 0 inout protocol tcp from addrset ip-securitygroup-100 to addrset ip-securitygroup-200 port {1521, 1522, 1525} with attribute addrset attr_1000_1_APP_ID accept as oracle;
Resolution
This issue is resolved in VMware NSX for vSphere 6.4.5, available at VMware Downloads.
Workaround: To work around this issue, specify only one port per ALG firewall rule, creating a separate rule for each port.
For example:
rule 1000 at 0 inout protocol tcp from addrset ip-securitygroup-100 to addrset ip-securitygroup-200 port 1521 with attribute addrset attr_1000_1_APP_ID accept as oracle;
rule 1001 at 0 inout protocol tcp from addrset ip-securitygroup-100 to addrset ip-securitygroup-200 port 1522 with attribute addrset attr_1000_1_APP_ID accept as oracle;
rule 1002 at 0 inout protocol tcp from addrset ip-securitygroup-100 to addrset ip-securitygroup-200 port 1525 with attribute addrset attr_1000_1_APP_ID accept as oracle;
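The following is an added example (not part of the KB article and not a VMware tool) that applies the check and the workaround above to rule text in the syntax shown: it finds ALG rules (FTP, ORACLE, SUNRPC, DCERPC, as named in the Cause section) whose port field is a set with more than one member, and rewrites each into consecutive single-port rules. Assumptions: the rule grammar is exactly the one-line form shown in the examples, and new rule IDs are assigned as in the workaround example (original ID, then ID+1, ID+2, ...); the ID scheme is an assumption, and a real rule set would need the new IDs checked against existing rules before use.

```python
import re

# One rule in the form shown in this article (assumption: this exact grammar).
RULE_RE = re.compile(
    r"rule (?P<id>\d+) at (?P<pos>\d+) (?P<dir>\S+) protocol (?P<proto>\S+) "
    r"from addrset (?P<src>\S+) to addrset (?P<dst>\S+) "
    r"port (?P<ports>\{[^}]*\}|\d+) "
    r"with attribute addrset (?P<attr>\S+) accept as (?P<alg>\w+);"
)

# ALG services named in the Cause section (lowercase for comparison).
ALG_SERVICES = {"ftp", "oracle", "sunrpc", "dcerpc"}

# Constructed sample: the unsupported multi-port rule from the Cause section.
MULTIPORT_RULE = (
    "rule 1000 at 0 inout protocol tcp from addrset ip-securitygroup-100 "
    "to addrset ip-securitygroup-200 port {1521, 1522, 1525} "
    "with attribute addrset attr_1000_1_APP_ID accept as oracle;"
)


def parse_ports(spec):
    """'1521' -> [1521]; '{1521, 1522, 1525}' -> [1521, 1522, 1525]."""
    return [int(p) for p in re.findall(r"\d+", spec)]


def find_multiport_alg_rules(rules_text):
    """Return [(rule_id, alg, ports)] for ALG rules that list more than one port."""
    hits = []
    for m in RULE_RE.finditer(rules_text):
        ports = parse_ports(m.group("ports"))
        if m.group("alg").lower() in ALG_SERVICES and len(ports) > 1:
            hits.append((int(m.group("id")), m.group("alg"), ports))
    return hits


def expand_multiport_alg_rules(rules_text):
    """Rewrite every multi-port ALG rule as one single-port rule per port.
    Non-ALG rules and single-port rules are returned unchanged.
    Assumption: new IDs are original_id + index, as in the workaround example."""
    out = []
    for m in RULE_RE.finditer(rules_text):
        f = m.groupdict()
        ports = parse_ports(f["ports"])
        if f["alg"].lower() not in ALG_SERVICES or len(ports) == 1:
            out.append(m.group(0))
            continue
        base = int(f["id"])
        for i, port in enumerate(ports):
            out.append(
                f"rule {base + i} at {f['pos']} {f['dir']} protocol {f['proto']} "
                f"from addrset {f['src']} to addrset {f['dst']} port {port} "
                f"with attribute addrset {f['attr']} accept as {f['alg']};"
            )
    return out


if __name__ == "__main__":
    for rule_id, alg, ports in find_multiport_alg_rules(MULTIPORT_RULE):
        print(f"rule {rule_id}: ALG '{alg}' with {len(ports)} ports {ports} (unsupported)")
    for line in expand_multiport_alg_rules(MULTIPORT_RULE):
        print(line)
```

The check is worth running on rule exports before a publish, not only after the vsfwd warnings appear: a rule set that fails to apply on a host is rolled back wholesale (the pf_rollback_rules lines in vmkernel.log), so one unsupported ALG rule leaves every rule in that set unenforced on the affected vnics.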