VMware Networking Community
Marcin4 (Enthusiast)

NSX - Guest Introspection, Firewall - AD

So I've noticed a problem with Identity Firewall.

My NSX is connected to Active Directory domain.

I've created Security Group using Service Composer.

The Security Group consists of the Directory Group "Administrators"; when I click on the created Security Group it won't refresh and I can't see users.

The Virtual Machines tab won't stop refreshing and there's no result.

Has anyone had that problem?

nsx04.jpg

nsx01.jpg

Best Regards
Marcin Gwóźdź
VCP-NV 6, VCIX-DCV 7, VCIX-DTM 7.
linkedin.com/in/marcin-gwóźdź-80b84b122
Accepted Solution

RaymundoEC (VMware Employee)

Well, my bad on the logs. Please check this link:

Identity Firewall

Also, check this link from the AD side:

https://girl-germs.com/?p=1538

If you have access to myVMware, open a TSR; from what I read, GSS has lots of tricks to look under.

Hope this helps.

+vRay

6 Replies

RaymundoEC (VMware Employee)

Check the identity source. It happens that if you have lots of objects it hangs, so what I usually do is set a specific OU in the AD structure; for example, instead of loading the whole base of *.corp.com you can set something like administrators-it under administrators. Other things to check are the Windows AD server logs: check if something gets stuck on the AD side when you select the creation of the SG in NSX.

Hope this helps.

+vRay
Marcin4 (Enthusiast)

Hello,

Thank you for your advice.

So I have created a Security Group "Test" with the Included Object Directory Group "NSX_TEST". That group has only one user member.

nsx001.jpg

But the problem still exists, and that thing still won't stop rolling.

nsx002.jpg

Is it a bug?

Best Regards
Marcin Gwóźdź
VCP-NV 6, VCIX-DCV 7, VCIX-DTM 7.
linkedin.com/in/marcin-gwóźdź-80b84b122

RaymundoEC (VMware Employee)

Just to be sure, could you check the logs at this location with tail -f /var/log/dfwpktlogs.log and see if something shows up there?

+vRay
Marcin4 (Enthusiast)

Well,

There are a lot of logs:

For example:

2019-06-06T05:59:56.801Z 36787 INET TERM domain-c47/1016 IN TCP TIMEOUT 10.0.0.7/60499->10.0.210.14/445 1/0 52/0
2019-06-06T05:59:56.801Z 48972 INET TERM domain-c47/1016 IN TCP FIN 10.0.210.10/34420->10.0.210.13/443 10/0 1904/0
2019-06-06T05:59:56.801Z 48972 INET TERM domain-c47/1016 IN TCP FIN 10.0.210.10/54444->10.0.210.12/443 10/0 1904/0
2019-06-06T05:59:56.801Z 48972 INET TERM domain-c47/1016 IN TCP FIN 10.0.210.10/34426->10.0.210.13/443 9/0 1802/0
2019-06-06T05:59:56.801Z 48972 INET TERM domain-c47/1016 IN TCP FIN 10.0.210.10/54450->10.0.210.12/443 10/0 1842/0
2019-06-06T05:59:56.801Z 48972 INET TERM domain-c47/1016 IN TCP FIN 10.0.210.10/54452->10.0.210.12/443 10/0 1929/0
2019-06-06T05:59:56.801Z 48972 INET TERM domain-c47/1016 IN TCP FIN 10.0.210.10/34434->10.0.210.13/443 10/0 1929/0
2019-06-06T05:59:56.801Z 48972 INET TERM domain-c47/1016 IN TCP FIN 10.0.210.10/54458->10.0.210.12/443 11/0 1998/0
2019-06-06T05:59:56.801Z 48972 INET TERM domain-c47/1016 IN TCP FIN 10.0.210.10/34440->10.0.210.13/443 10/0 1958/0
2019-06-06T05:59:56.801Z 48972 INET TERM domain-c47/1016 IN TCP RST 10.0.210.10/48480->10.0.210.12/9080 11/0 2572/0

What kind of log should I look for?

Best Regards
Marcin Gwóźdź
VCP-NV 6, VCIX-DCV 7, VCIX-DTM 7.
linkedin.com/in/marcin-gwóźdź-80b84b122
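Added example, not part of the thread or of any VMware tooling: a small parser for the dfwpktlogs.log lines of the shape posted above, plus two summaries a practitioner would actually want from them. Field meanings are read off the posted lines (timestamp, a per-vNIC filter identifier that differs between the two source VMs, INET, TERM, the domain-cNN/ruleID the flow matched, direction, protocol, termination reason, src/port->dst/port, then two counter pairs taken to be packets and bytes); the counter semantics and the list of AD/domain-controller ports are assumptions, and the sample lines are constructed in the same format with invented addresses. What the output makes visible is the limit of this log: it records flow terminations for rules that have logging enabled, so it can show whether a VM's LDAP/SMB/Kerberos connections to the DC are timing out, but it does not record the Identity Firewall's own AD group sync.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample, modelled on the lines posted above: same field layout,
# but the IPs, ports and counters are invented for this example.
SAMPLE_LOG = """\
2019-06-06T05:59:56.801Z 36787 INET TERM domain-c47/1016 IN TCP TIMEOUT 10.0.0.7/60499->10.0.210.14/445 1/0 52/0
2019-06-06T05:59:56.801Z 48972 INET TERM domain-c47/1016 IN TCP FIN 10.0.210.10/34420->10.0.210.13/443 10/0 1904/0
2019-06-06T05:59:56.801Z 48972 INET TERM domain-c47/1016 IN TCP RST 10.0.210.10/48480->10.0.210.12/9080 11/0 2572/0
2019-06-06T06:00:01.104Z 48972 INET TERM domain-c47/1016 OUT TCP TIMEOUT 10.0.210.10/50211->10.0.0.7/389 3/0 180/0
2019-06-06T06:00:01.104Z 48972 INET TERM domain-c47/1016 OUT TCP TIMEOUT 10.0.210.10/50212->10.0.0.7/3268 2/0 120/0
2019-06-06T06:00:02.501Z 48972 INET TERM domain-c47/1016 OUT TCP FIN 10.0.210.10/50213->10.0.0.7/636 40/38 9100/12000
garbage line that does not match the format
"""

# One line = one flow event. The second column is treated as an opaque filter
# identifier (it differs between the two source VMs in the posted lines); the
# two trailing a/b pairs are assumed to be packet and byte counters.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<filter_id>\S+)\s+(?P<family>INET6?)\s+(?P<action>\w+)\s+"
    r"(?P<rule>\S+)\s+(?P<direction>IN|OUT)\s+(?P<proto>\w+)\s+(?P<reason>\w+)\s+"
    r"(?P<src>[\da-fA-F.:]+)/(?P<sport>\d+)->(?P<dst>[\da-fA-F.:]+)/(?P<dport>\d+)\s+"
    r"(?P<pkts_a>\d+)/(?P<pkts_b>\d+)\s+(?P<bytes_a>\d+)/(?P<bytes_b>\d+)\s*$"
)

# Standard AD/domain-controller service ports (assumed list for this example):
# Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd, LDAPS, global catalog.
DC_PORTS = frozenset({88, 135, 389, 445, 464, 636, 3268, 3269})


@dataclass(frozen=True)
class FlowRecord:
    ts: str
    filter_id: str
    action: str
    rule: str
    direction: str
    proto: str
    reason: str
    src: str
    sport: int
    dst: str
    dport: int
    pkts: Tuple[int, int]
    bytes_: Tuple[int, int]


def parse_dfwpktlogs(text: str) -> Tuple[List[FlowRecord], int]:
    """Parse dfwpktlogs text; return (records, number of lines that did not parse)."""
    records: List[FlowRecord] = []
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1  # keep going: a single odd line must not hide the rest
            continue
        g = m.groupdict()
        records.append(FlowRecord(
            ts=g["ts"], filter_id=g["filter_id"], action=g["action"], rule=g["rule"],
            direction=g["direction"], proto=g["proto"], reason=g["reason"],
            src=g["src"], sport=int(g["sport"]), dst=g["dst"], dport=int(g["dport"]),
            pkts=(int(g["pkts_a"]), int(g["pkts_b"])),
            bytes_=(int(g["bytes_a"]), int(g["bytes_b"])),
        ))
    return records, skipped


def summarize(records: List[FlowRecord]) -> Dict[Tuple[int, str], int]:
    """Count flow terminations per (destination port, termination reason)."""
    return Counter((r.dport, r.reason) for r in records)


def dc_timeouts(records: List[FlowRecord], dc_ports=DC_PORTS) -> List[FlowRecord]:
    """Flows to DC service ports that ended in TIMEOUT instead of FIN/RST: the
    entries worth correlating with the domain controller's own logs."""
    return [r for r in records if r.dport in dc_ports and r.reason == "TIMEOUT"]


if __name__ == "__main__":
    recs, skipped = parse_dfwpktlogs(SAMPLE_LOG)
    print(f"{len(recs)} records parsed, {skipped} line(s) skipped")
    for (port, reason), n in sorted(summarize(recs).items()):
        print(f"dport {port:>5} {reason:<8} {n}")
    for r in dc_timeouts(recs):
        print(f"TIMEOUT to DC port {r.dport}: {r.src}:{r.sport} -> {r.dst} "
              f"pkts={r.pkts} bytes={r.bytes_}")
```

Run it against a real capture with `python3 parse_dfw.py < /var/log/dfwpktlogs.log` after replacing SAMPLE_LOG with `sys.stdin.read()`; repeated TIMEOUT entries toward the DC ports point at a connectivity or firewall-rule problem between the VM and AD, while a clean log with the Security Group still spinning means the answer has to come from the NSX Manager / Identity Firewall logs, not from this file.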
Marcin4 (Enthusiast)

Well, thank you for all the help :)

Best Regards
Marcin Gwóźdź
VCP-NV 6, VCIX-DCV 7, VCIX-DTM 7.
linkedin.com/in/marcin-gwóźdź-80b84b122