Symptoms:
After installing NSX for vSphere 6.3.6, 6.4.1 or 6.4.2 or upgrading from previous versions to NSX for vSphere 6.3.6, 6.4.1 or 6.4.2, when an API call is made by a third party Service Insertion solution to NSX Manager to retrieve all the Static IP sets configured as part of Service Insertion, you see these symptoms:
- The NSX Manager returns an empty config for IPSets or SecurityGroups containing IPSets. As a result, IPSets or SecurityGroups containing IPSets are reported empty to the third party Manager.
- The guest VMs protected by PAN or other third party firewall devices would drop the traffic as no rules match and hit default deny rule.
- Running the API call https://NSXMGR_IP/api/2.0/si/serviceprofile/serviceprofile-10/containerset/ does not return any IPs for IPSets or SecurityGroups containing IPSets.
For example:
"container": [
{
"id": "securitygroup-16",
"vsmUuid": "42080AD5-D890-04C9-31C2-8A457C5588ED",
"name": "Test-Container",
"description": null,
"revision": 11,
"type": "IP",
"generationNumber": 0,
"address": [], <<<< empty
"nicNodes": null,
"universal": false
},