TzahiDev
Contributor

Commit operation failed on following vShield(s)

We are getting the message "Commit operation failed on following vShield(s)" on the vShield Manager when trying to update Zone/App firewall rules.

We have 2 ESXi and another machine for vCenter.

Machine A has vShield Manager and vShield App installed.

Machine B has vShield App installed.

The IP for the rest of the message is of machine B: "Commit operation failed on following vShield(s): 130.119.179.7".

We are evaluating the product, so I reinstalled everything, including the vCenter and the ESXis, just to make sure this is not an install issue or some coincidence.

When attempting to commit a firewall rule, only machine A is actually committed.

On the vShield Manager web interface it says machine B is "In Sync" and I even "restart"ed it.

We cannot find anything in the KB/Communities/Google about this.

What can be the problem?

0 Kudos
4 Replies
carlosVSZ
VMware Employee

This usually points to the vShield App not being reachable, either because it's powered off or because there is no network connectivity. Log in to the vShield App's console and try to ping the vShield Manager; do the same from the vShield Manager to ensure basic network connectivity is there.

0 Kudos
TzahiDev
Contributor

I have pinged from all VMs involved (apps and manager) and they can all reach each other.

Also, as I have said earlier, they are "In Sync".

One machine is committed when I am committing a firewall rule and the other is not.

In fact, for a few seconds the machine seems to apply the firewall rule when I continuously ping from the protected VM (and it is getting properly blocked), and then after a few seconds it reverts back and the ping is again not getting blocked.

Regards.

0 Kudos
carlosVSZ
VMware Employee

Try removing all the firewall rules at all levels (datacenter, cluster) from the UI. At this point both vShield Apps should have identical firewall tables when seen from the CLI. So, open a console to vShield App 1 and run the command "show vmwall rules", then compare that to the output from vShield App 2.

Are they exactly the same or is there a rule on one that does not exist on the other?

0 Kudos
TzahiDev
Contributor

Before removing the rules, I have looked at the two vShield Apps and compared them. Apparently, the one that keeps saying it cannot commit actually has the new rules; it keeps saying it cannot commit. OK, so I have removed all my rules and the rules that are removable, and they are exactly the same, but it still says it cannot commit.

You are on to something.

Interestingly though, even though it says it did not commit, if I define an IP-based rule, the rule WORKS, but if I define a rule with a Security Group it does NOT WORK and I see that the rule is not replicated to the problematic vShield App.

Strange, there might be a bug in the replication mechanism for Security Groups.

0 Kudos