Publishing Identity Firewall rule fails (2150286)

Symptoms

In the NSX for vSphere environment with Identity Firewall:

  • Publishing firewall rules fails or remains stuck in progress.
  • In the NSX Manager Management Service log file, vsm.log, you see entries similar to:

    INFO TaskFrameworkExecutor-XX NotificationProcessor:428 - Processing Context domain-cX : X rule updates, X/X container updates, X spoofguard updates, X timer updates.
    INFO TaskFrameworkExecutor-XX FirewallInstallManagerImpl:317 - Firewall Enabled for cluster domain-cX
    INFO TaskFrameworkExecutor-XX AbstractTranslationDao:148 - Retrieving Nodes using For DynamicCriteria
    INFO TaskFrameworkExecutor-XX AbstractTranslationDao:170 - Retrieved XXX nodes for X criteria
    ERROR TaskFrameworkExecutor-XX FirewallMessagingManager:165 - Exception while publishing container set to cluster: domain-cX.
    java.lang.NullPointerException at com.vmware.vshield.vsm.securitygroup.service.translate.target.IpNodeTargetTranslator.intersection(IpNodeTargetTranslator.java:161)
    at com.vmware.vshield.vsm.dynamicmembership.service.translate.DynamicSetTranslator.getConjunctedNodes(DynamicSetTranslator.java:336)
    at com.vmware.vshield.vsm.dynamicmembership.service.translate.DynamicSetTranslator.evaluateSets(DynamicSetTranslator.java:266)
    at com.vmware.vshield.vsm.dynamicmembership.service.translate.DynamicSetTranslator.translateInternal(DynamicSetTranslator.java:131)
  • On the ESXi hosts, rules or address sets are not updated or are empty.

    To view the rules and address sets from the ESXi CLI, run the summarize-dvfilter and vsipioctl commands.

    1. Identify the VM's dvfilter by running the summarize-dvfilter command.

      For example:
      $ summarize-dvfilter
      You see output similar to:

      world 53259 vmm0:VMName vcUuid:'50 24 b8 94 ed fd 4c 55-0a 26 fe 4a 2d 6b ff 52'
      port 100663303 VMName .eth0 <---- This is vNIC
      vNic slot 2
      name: nic-XXXXX-eth0-vmware-sfw.2 <--- This is DVFilter Name
      agentName: vmware-sfw <--- This should be "vmware-sfw" for DFW
      state: IOChain Attached
      vmState: Detached
      failurePolicy: failClosed
      slowPathID: none


      Note: Make a note of the DVFilter name.

    2. View the rules for the <DVFilter Name> noted in Step 1 by running the vsipioctl getrules command:

      For example:
      $ vsipioctl getrules -f <DVFilter Name>
      You see output similar to:

      ruleset domain-cX 
      {
      # Filter rules
      rule 1016 at 1 inout protocol tcp from addrset ip-securitygroup-XX to addrset ip-securitygroup-XX port 22 drop with log;
      rule 1011 at 2 inout protocol tcp from addrset ip-securitygroup-XX to any port 21 drop as ftp;
      # internal # rule 1011 at 3 inout protocol tcp from addrset ip-securitygroup-XX to any port 21 drop;
      # internal # rule 1011 at 4 inout protocol tcp from any to addrset ip-securitygroup-XX port 21 drop;
      rule 1003 at 5 inout protocol ipv6-icmp icmptype 136 from any to any accept;
      rule 1003 at 6 inout protocol ipv6-icmp icmptype 135 from any to any accept;
      rule 1002 at 7 inout protocol udp from any to any port 67 accept;
      rule 1002 at 8 inout protocol udp from any to any port 68 accept;
      rule 1001 at 9 inout protocol any from any to any accept;
      }


    3. View the address sets for the <DVFilter Name> noted in Step 1 by running the vsipioctl getaddrsets command:

      For example:
      $ vsipioctl getaddrsets -f <DVFilter Name>
      You see output similar to:

      addrset ip-securitygroup-XX 
      {
      }

      Note: When Identity Firewall is configured, the output should contain the IP address of the logged-in user. An empty address set, as shown above, is the symptom.

Cause

This issue occurs when one of the security groups is configured with a dynamic membership definition in which the criteria match is set to All and the criteria details contain multiple rows, with at least one entity belonging to a directory group.

Resolution

This issue is resolved in VMware NSX for vSphere 6.3.2, available at VMware Downloads.

To work around this issue if you do not want to upgrade, edit the security group's dynamic membership definition and either set the criteria match to Any or remove the entities belonging to a directory group.
