Good day,
could you help me please with an issue with publishing a rule from the Distributed Firewall to NSX Edge?
If I create a rule with one IP set as "Source" and another IP set as "Destination", and in "Action" I select "Direction" only "IN" or "OUT", and if I try to publish, I can see the error below.
If the "Direction" is both ways "IN/OUT" in the rule, the rule was published to NSX Edge correctly.
Thank you for your help
Martin
Hi,
it looks to be a strange issue or product bug. Which NSX version are you trying to publish the rule on?
I have deployed a firewall rule with in or out direction but I have not seen any error in NSX 6.2.5.
Hi Amol,
Thank you for your response.
I have NSX in version: 6.3.3.6276725.
Thank you
Have a nice day
Martin
Hi Martin,
I have not deployed the 6.3.3 version in my environment. I may not be able to help you with that.
I hope other members will help you out with your issue.
Hi Martin,
I tried it on the NSX Version 6.3.1 5124716. I hit the same issue but I have a workaround for this issue.
The issue can be reproduced not only with IP sets; it is reproducible with Any to Any / VM to VM as well when we select IN or OUT only.
Screenshot:
If you select the check box for applying the rule to Edge, the error below pops out.
Log sample:
2017-11-22 22:59:42.901 GMT INFO http-nio-127.0.0.1-7441-exec-6 FirewallFacadeImpl:387 - Starting DTO conversion for section 1003
2017-11-22 22:59:42.909 GMT ERROR http-nio-127.0.0.1-7441-exec-6 FirewallFacadeImpl:153 - Exception :
com.vmware.vshield.app.exception.AppBaseException: vShield App:100103:Invalid direction value : in at index 1, rule type : LAYER3
at com.vmware.vshield.firewall.facade.dtoconverter.FirewallRuleDtoConverter.getValidDirection(FirewallRuleDtoConverter.java:524)
at com.vmware.vshield.firewall.facade.dtoconverter.FirewallRuleDtoConverter.convertToModel(FirewallRuleDtoConverter.java:379)
at com.vmware.vshield.firewall.facade.dtoconverter.FirewallSectionDtoConverter.convertToModel(FirewallSectionDtoConverter.java:294)
at com.vmware.vshield.firewall.facade.impl.FirewallFacadeImpl.updateSection_aroundBody20(FirewallFacadeImpl.java:389)
at com.vmware.vshield.firewall.facade.impl.FirewallFacadeImpl$AjcClosure21.run(FirewallFacadeImpl.java:1)
at org.springframework.transaction.aspectj.AbstractTransactionAspect.ajc$around$org_springframework_transaction_aspectj_AbstractTransactionAspect$1$2a73e96cproceed(AbstractTransactionAspect.aj:59)
Workaround / Solution:
From the Distributed Firewall page, in the Applied To field, instead of selecting "Apply this rule on all Edge gateways", select the Edge manually and add it as in the screenshot below, e.g.:
Rule with Edge only
Let me know if this helps you.
Hi Mparayil,
I am sorry for the delayed response. Thank you very much for your tip to solve this issue.
I found in the new update for NSX 6.3.5 some information below:
Issue 1496273: UI allows creation of in/out NSX firewall rules that cannot be applied to Edges
The web client incorrectly allows creation of an NSX firewall rule applied to one or more NSX Edges when the rule has traffic traveling in the 'in' or 'out' direction and when PacketType is IPV4 or IPV6. The UI should not allow creation of such rules, as NSX cannot apply them to NSX Edges.
Workaround: None.
It looks like we must set the direction only to IN/OUT, but we can't set only one way. I tried these settings, and this setting doesn't mean allowing communication both ways. It only allows communication in the same session.
For example:
If I want to allow communication from PC1 to PC2 and allow both ways IN/OUT in the settings, and I try to ping from PC1 to PC2, this works correctly. But if I try to ping from PC2 to PC1, this doesn't work. I must allow communication from PC2 to PC1 in a new rule.
Thank you very much for your information
Have a nice day
Martin
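A pre-publish check for the constraint in that release note, as an added example (not NSX code; the rule dict layout, the applied-to entry types and the sample rules are constructed assumptions):

```python
# Pre-publish lint for NSX-v Distributed Firewall rules (added example, not NSX code).
# It encodes the constraint from release-note issue 1496273: a rule whose direction is
# 'in' or 'out' with PacketType IPV4/IPV6 cannot be applied to an NSX Edge, and the
# Manager rejects the whole section with "Invalid direction value". The rule dict
# layout and the sample section below are constructed assumptions, not the NSX schema.

EDGE_TARGET_TYPES = {"Edge", "AllEdges"}      # assumed applied-to entry types
EDGE_ONLY_DIRECTIONS = {"in", "out"}
AFFECTED_PACKET_TYPES = {"IPV4", "IPV6"}       # as stated in the release note


def edge_targets(rule):
    """Applied-to entries that would push the rule to an Edge gateway."""
    return [t for t in rule.get("appliedTo", []) if t.get("type") in EDGE_TARGET_TYPES]


def lint_section(rules):
    """Return (index, rule id, message) for every rule the Edge publish would reject.

    Rules are checked in section order, so the index is the rule's position in
    the section, the same kind of index the Manager log reports."""
    findings = []
    for index, rule in enumerate(rules):
        direction = rule.get("direction", "inout").lower()
        packet_type = rule.get("packetType", "").upper()
        edges = edge_targets(rule)
        if direction in EDGE_ONLY_DIRECTIONS and edges and packet_type in AFFECTED_PACKET_TYPES:
            targets = ", ".join(t.get("id", "all-edges") for t in edges)
            findings.append((index, rule["id"],
                             f"direction '{direction}' cannot be applied to Edge ({targets}); "
                             f"use 'inout' or remove the Edge from Applied To"))
    return findings


# Constructed sample section: one rule per case discussed in the thread.
SAMPLE_SECTION = [
    {"id": "1003-0", "direction": "inout", "packetType": "IPV4",
     "appliedTo": [{"type": "Edge", "id": "edge-1"}]},                 # publishes fine
    {"id": "1003-1", "direction": "in", "packetType": "IPV4",
     "appliedTo": [{"type": "AllEdges"}]},                              # the reported error
    {"id": "1003-2", "direction": "out", "packetType": "IPV4",
     "appliedTo": [{"type": "DistributedFirewall"}]},                  # DFW only: fine
    {"id": "1003-3", "direction": "out", "packetType": "IPV6",
     "appliedTo": [{"type": "Edge", "id": "edge-2"}]},                 # rejected too
]


def failing_rule_ids(rules=SAMPLE_SECTION):
    """Ids of the rules that would make the section publish fail."""
    return [rule_id for _, rule_id, _ in lint_section(rules)]


if __name__ == "__main__":
    for index, rule_id, message in lint_section(SAMPLE_SECTION):
        print(f"rule {rule_id} (index {index}): {message}")
```

Running the lint over a section before publishing reports the offending rules by index, so the whole section does not have to be rolled back after the Manager rejects it.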
OK, I had a doubt: from the Edge we have one option, either IN or OUT; we don't see an option for both directions. Looks like a GUI issue.