VMware Networking Community
Martin05
Contributor

Error with publishing rule to NSX Edge

Good day,

Could you please help me with an issue publishing a rule from the Distributed Firewall to an NSX Edge?

If I create a rule with one IP set as "Source" and another IP set as "Destination", and under "Action" I select only "IN" or "OUT" as the "Direction", then when I try to publish I see the error below.

[screenshot: pastedImage_6.png]

If the "Direction" in the rule is set to both ways, "IN/OUT", the rule is published to the NSX Edge correctly.

Thank you for your help

Martin

6 Replies
amolnjadhav
Enthusiast

Hi,

It looks like a strange issue or a product bug. Which NSX version are you trying to publish the rule on?

I have deployed a firewall rule with IN or OUT direction, but I have not seen any error in NSX 6.2.5.

Please consider marking this answer "correct" or "helpful" if you think your query have been answered correctly. Regards Amol Jadhav VCP NSXT | VCP NSXV | VCIX6-NV | VCAP-DCA | CCNA | CCNP - BSCI
Martin05
Contributor

Hi Amol,

Thank you for your response.

I have NSX version 6.3.3.6276725.

Thank you

Have a nice day

Martin

amolnjadhav
Enthusiast

Hi Martin,

I have not deployed version 6.3.3 in my environment, so I may not be able to help you with that.

I hope other members will help you out with your issue.

Mparayil
Enthusiast

Hi Martin,

I tried it on NSX version 6.3.1 5124716. I hit the same issue, but I have a workaround for it.

The issue can be reproduced not only with IP sets; it is reproducible with Any to Any / VM to VM as well when we select IN or OUT only.

Screenshot :

If you select the check box to apply the rule to the Edge, the error below pops up:

[screenshot: pastedImage_3.png]

Log sample:

2017-11-22 22:59:42.901 GMT  INFO http-nio-127.0.0.1-7441-exec-6 FirewallFacadeImpl:387 - Starting DTO conversion for section 1003
2017-11-22 22:59:42.909 GMT ERROR http-nio-127.0.0.1-7441-exec-6 FirewallFacadeImpl:153 - Exception :
com.vmware.vshield.app.exception.AppBaseException: vShield App:100103:Invalid direction value : in at index 1,  rule type : LAYER3
        at com.vmware.vshield.firewall.facade.dtoconverter.FirewallRuleDtoConverter.getValidDirection(FirewallRuleDtoConverter.java:524)
        at com.vmware.vshield.firewall.facade.dtoconverter.FirewallRuleDtoConverter.convertToModel(FirewallRuleDtoConverter.java:379)
        at com.vmware.vshield.firewall.facade.dtoconverter.FirewallSectionDtoConverter.convertToModel(FirewallSectionDtoConverter.java:294)
        at com.vmware.vshield.firewall.facade.impl.FirewallFacadeImpl.updateSection_aroundBody20(FirewallFacadeImpl.java:389)
        at com.vmware.vshield.firewall.facade.impl.FirewallFacadeImpl$AjcClosure21.run(FirewallFacadeImpl.java:1)
        at org.springframework.transaction.aspectj.AbstractTransactionAspect.ajc$around$org_springframework_transaction_aspectj_AbstractTransactionAspect$1$2a73e96cproceed(AbstractTransactionAspect.aj:59)

Workaround / solution:

From the Distributed Firewall page, in the "Applied to" field, instead of selecting "Apply this rule on all Edge gateways", select the Edge manually and add it as in the screenshot below.

[screenshot: pastedImage_1.png]

Rule with the Edge only:

[screenshot: pastedImage_2.png]

Let me know if this helps you.

Martin05
Contributor

Hi,

I am sorry for the delayed response. Thank you very much for your tip to solve this issue.

I found the following information in the new update for NSX 6.3.5:

Issue 1496273: UI allows creation of in/out NSX firewall rules that cannot be applied to Edges
The web client incorrectly allows creation of an NSX firewall rule applied to one or more NSX Edges when the rule has traffic traveling in the 'in' or 'out' direction and when PacketType is IPV4 or IPV6. The UI should not allow creation of such rules, as NSX cannot apply them to NSX Edges.

Workaround: None.

https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.3/rn/releasenotes_nsx_vsphere_635.html#resolvedi...

It looks like we must set the direction to IN/OUT only; we can't set only one way. I tried this setting, and it doesn't mean that communication is allowed both ways. It only allows communication within the same session.

For example:

If I want to allow communication from PC1 to PC2, and allow both ways (IN/OUT) in the settings, and I try to ping from PC1 to PC2, this works correctly. But if I try to ping from PC2 to PC1, this doesn't work. I must allow communication from PC2 to PC1 in a new rule.

Thank you very much for your information

Have a nice day

Martin

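The release note quoted above describes the condition that makes the Edge publish fail: a rule with direction "in" or "out", packet type IPv4 or IPv6, applied to an NSX Edge. The following checker, added here as an example and not code from the thread or from VMware, walks a Distributed Firewall configuration export and lists the rules that match that condition before anyone tries to publish. The XML element names follow the NSX-v firewall config export (GET /api/4.0/firewall/globalroot-0/config) as I know it, the sample below is constructed, and the "ALL_EDGES" applied-to type is an assumption to verify against a real export.

```python
# Added example: flag DFW rules that NSX 6.3.x cannot apply to an Edge
# (direction in/out + packetType ipv4/ipv6 + Edge in "Applied To").
# Element names assume the NSX-v config export; check against a real one.
import xml.etree.ElementTree as ET

# Constructed sample resembling a DFW config export; IDs are placeholders.
SAMPLE_CONFIG = """<firewallConfiguration><layer3Sections>
<section id="1003" name="PC-rules">
 <rule id="1010" disabled="false"><name>pc1-to-pc2-in</name><action>allow</action>
  <appliedToList><appliedTo><value>edge-1</value><type>Edge</type></appliedTo></appliedToList>
  <direction>in</direction><packetType>ipv4</packetType></rule>
 <rule id="1011" disabled="false"><name>pc1-to-pc2-inout</name><action>allow</action>
  <appliedToList><appliedTo><value>edge-1</value><type>Edge</type></appliedTo></appliedToList>
  <direction>inout</direction><packetType>ipv4</packetType></rule>
 <rule id="1012" disabled="false"><name>dfw-out-any</name><action>allow</action>
  <appliedToList><appliedTo><value>DISTRIBUTED_FIREWALL</value><type>DISTRIBUTED_FIREWALL</type></appliedTo></appliedToList>
  <direction>out</direction><packetType>any</packetType></rule>
</section></layer3Sections></firewallConfiguration>"""

# "Edge" is a single selected Edge; "ALL_EDGES" is assumed to be the type behind
# "Apply this rule on all Edge gateways" (an assumption, not taken from the thread).
EDGE_TYPES = {"Edge", "ALL_EDGES"}


def find_unpublishable_edge_rules(config_xml):
    """Return (section_id, rule_id, rule_name, direction) for each Layer 3 rule
    that has a one-way direction, an IPv4/IPv6 packet type and an Edge target."""
    root = ET.fromstring(config_xml)
    hits = []
    for section in root.iter("section"):
        for rule in section.findall("rule"):
            direction = (rule.findtext("direction") or "inout").lower()
            packet_type = (rule.findtext("packetType") or "any").lower()
            applied = {a.findtext("type", "") for a in rule.iter("appliedTo")}
            if (direction in ("in", "out")
                    and packet_type in ("ipv4", "ipv6")
                    and applied & EDGE_TYPES):
                hits.append((section.get("id"), rule.get("id"),
                             rule.findtext("name"), direction))
    return hits


if __name__ == "__main__":
    for sec, rid, name, direction in find_unpublishable_edge_rules(SAMPLE_CONFIG):
        print(f"section {sec} rule {rid} ({name}): direction '{direction}' "
              f"cannot be applied to an Edge; use inout or drop the Edge target")
```

Running it against a real export (replace SAMPLE_CONFIG with the API response body) gives the list of rules to fix before publishing, which is cheaper than finding them one at a time from the FirewallFacadeImpl error in the log.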
Mparayil
Enthusiast

OK, I had a doubt: on the Edge we have one option, either IN or OUT; we don't see an option for both directions. It looks like a GUI issue.
