VMware Networking Community
carboncopy
Contributor

VMware Distributed Power Management (DPM) and VMware NSXV - Firewall Rule Publishing

Hello,

I recently got NSX 6.4.1 deployed in my lab and I plan to keep it there for the long run.

I have 6 servers in my lab running 6.7 of vSphere/vCenter (2x ESXi in Management Cluster, 4x ESXi in Compute Cluster) and heavily rely on DPM so that when I am not using too many resources, my unused servers power down. Both of the servers in my management cluster are always on, but in the compute cluster, I usually have one or two of the four servers on (managed by DPM).

Yesterday I was doing testing of micro-segmentation via security groups. I added a new firewall rule and when I tried to publish it, it hung for a while and eventually failed. When I looked at the error, it appeared to have happened because three of the four compute nodes were asleep. I disabled DPM to force the servers that were sleeping to start again and then re-published the policy. That time I had no errors and the rules were published successfully.

I am aware that I can modify the scope of my firewall rules so that it only impacts specific resources, but that is not scalable, being that I would have to modify the rule once again once a server is up. I am wondering if there is a way to successfully publish firewall rules in NSX when one or more ESXi servers that are part of the cluster are asleep/down, and then when the hosts are back up (woken up by DPM), they sync up and get the latest firewall policy.

Thanks!

3 Replies
rajeevsrikant
Expert

Are you getting an error message like the one below in the vCenter under Firewall?

(attached screenshot: pastedImage_0.png)

carboncopy
Contributor

Yes, it is similar to that. When I click on it to get more information it says it failed on all hosts.

rajeevsrikant
Expert

This is a normal behavior which I have faced in my production environment.

If any host which is under the NSX Firewall is shut down or goes into maintenance, when the new firewall policies are pushed we get the error message shown in the earlier communication.

The firewall was not able to push the updated firewall policies, and that's the reason it showed the alert in the GUI.

When the host comes back, the firewall policies are automatically pushed and the hosts get the policies. (No need to do any manual actions to push the firewall configurations.)

After this the error message is not shown.

This is the normal behavior.

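The reply above says a failed publish on a sleeping host is expected and clears itself once DPM wakes the host, which leaves the operator with one practical question: of the hosts the GUI flags as failed, which ones are merely in standby and which ones are powered on and genuinely did not receive the policy? The following is an added example written for this thread, not code from either participant or from VMware. It assumes that NSX-V's per-host publish state can be fetched as XML from `GET /api/4.0/firewall/globalroot-0/status` with `firewallStatus/clusterList/clusterStatus/hostStatusList/hostStatus` elements (that endpoint and element layout are my assumption), and that host power state comes from vSphere's `HostSystem.runtime.powerState` (whose `poweredOn` / `standBy` / `poweredOff` values are real). The sample XML and power-state table are constructed; host IDs are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample response. The element layout is my assumption of what
# NSX-V's GET /api/4.0/firewall/globalroot-0/status returns; it is not taken
# from the thread. Three of four compute hosts report "failed", mirroring the
# original poster's situation.
SAMPLE_STATUS_XML = """<firewallStatus>
  <status>failed</status>
  <generationNumber>1528000000000</generationNumber>
  <clusterList>
    <clusterStatus>
      <clusterId>domain-c7</clusterId>
      <status>failed</status>
      <hostStatusList>
        <hostStatus><hostId>host-21</hostId><status>published</status></hostStatus>
        <hostStatus><hostId>host-22</hostId><status>failed</status><errorMessage>Host not reachable</errorMessage></hostStatus>
        <hostStatus><hostId>host-23</hostId><status>failed</status><errorMessage>Host not reachable</errorMessage></hostStatus>
        <hostStatus><hostId>host-24</hostId><status>failed</status><errorMessage>Host not reachable</errorMessage></hostStatus>
      </hostStatusList>
    </clusterStatus>
  </clusterList>
</firewallStatus>
"""

# Constructed power states keyed by host managed-object id, in the form vSphere's
# HostSystem.runtime.powerState reports them (the enum values are real; the ids are
# made up). host-24 is powered on yet failed, so it is the one that needs attention.
SAMPLE_POWER_STATE = {
    "host-21": "poweredOn",
    "host-22": "standBy",
    "host-23": "standBy",
    "host-24": "poweredOn",
}


def classify_hosts(status_xml, power_state):
    """Split per-host DFW publish results into buckets an operator can act on.

    published          - host holds the current ruleset
    pending_standby    - publish failed but the host is in DPM standby or powered
                         off; per the thread it will sync when it comes back
    failed_powered_on  - publish failed on a running host: a real problem
    unknown            - host not found in the power-state table
    """
    root = ET.fromstring(status_xml)
    result = {"published": [], "pending_standby": [], "failed_powered_on": [], "unknown": []}
    for host in root.iter("hostStatus"):
        host_id = host.findtext("hostId")
        status = (host.findtext("status") or "").lower()
        state = power_state.get(host_id, "unknown")
        if status == "published":
            result["published"].append(host_id)
        elif state in ("standBy", "poweredOff"):
            result["pending_standby"].append(host_id)
        elif state == "poweredOn":
            result["failed_powered_on"].append(host_id)
        else:
            result["unknown"].append(host_id)
    return result


def needs_attention(classified):
    """True when a failure cannot be explained by DPM standby."""
    return bool(classified["failed_powered_on"]) or bool(classified["unknown"])


if __name__ == "__main__":
    buckets = classify_hosts(SAMPLE_STATUS_XML, SAMPLE_POWER_STATE)
    for name, hosts in buckets.items():
        print(f"{name:18s} {', '.join(hosts) or '-'}")
    print("needs attention:", needs_attention(buckets))
```

In a real deployment the two inputs would come from the NSX Manager REST call and from pyVmomi (or PowerCLI) respectively; the point of the split is that a standby host showing "failed" is noise to be re-checked after DPM wakes it, while a powered-on host in the same state means the ruleset is genuinely not enforced there and should be treated as a gap until a republish succeeds.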