6 Replies Latest reply on Jun 6, 2019 11:14 PM by Marcin4

    NSX - Guest Introspection, Firewall - AD

    Marcin4 Enthusiast

So I've noticed a problem with Identity Firewall.

       

      My NSX is connected to Active Directory domain.

       

      I've created Security Group using Service Composer.

       

The Security Group consists of the Directory Group "Administrators"; when I click on the created Security Group it won't refresh and I can't see users.

The Virtual Machines tab won't stop refreshing and there's no result.

       

Has anyone had that problem?

      nsx04.jpg

      nsx01.jpg

       

      Best Regards

      Marcin Gwóźdź

        • 1. Re: NSX - Guest Introspection, Firewall - AD
          RaymundoEC Hot Shot
vExpert, VMware Employees

Check the identity source. It happens that if you have lots of objects it hangs, so what I usually do is set a specific OU in the AD structure; for example, instead of loading the whole base of *.corp.com you can set something like administrators-it under administrators. Other things to check are the Windows admin server logs, and check if something gets stuck on the AD side when you go to select the creation of the SG in NSX.

           

Hope this helps.

          • 2. Re: NSX - Guest Introspection, Firewall - AD
            Marcin4 Enthusiast

            Hello,

             

            Thank you for your advice.

             

So I have created a Security Group "Test" with the Included Object Directory Group "NSX_TEST". That group has only one user member.

             

            nsx001.jpg

             

But the problem still exists, and that thing still won't stop spinning.

             

            nsx002.jpg

             

Is it a bug?

             

            Best Regards

            Marcin Gwóźdź

            • 3. Re: NSX - Guest Introspection, Firewall - AD
              RaymundoEC Hot Shot
vExpert, VMware Employees

Just to be sure, check the logs at this location with tail -f /var/log/dfwpktlogs.log and see if something is showing up there.

              • 4. Re: NSX - Guest Introspection, Firewall - AD
                Marcin4 Enthusiast

                Well,

                 

There are a lot of logs:

                 

                For example:

                 

                2019-06-06T05:59:56.801Z 36787 INET TERM domain-c47/1016 IN TCP TIMEOUT 10.0.0.7/60499->10.0.210.14/445 1/0 52/0

                2019-06-06T05:59:56.801Z 48972 INET TERM domain-c47/1016 IN TCP FIN 10.0.210.10/34420->10.0.210.13/443 10/0 1904/0

                2019-06-06T05:59:56.801Z 48972 INET TERM domain-c47/1016 IN TCP FIN 10.0.210.10/54444->10.0.210.12/443 10/0 1904/0

                2019-06-06T05:59:56.801Z 48972 INET TERM domain-c47/1016 IN TCP FIN 10.0.210.10/34426->10.0.210.13/443 9/0 1802/0

                2019-06-06T05:59:56.801Z 48972 INET TERM domain-c47/1016 IN TCP FIN 10.0.210.10/54450->10.0.210.12/443 10/0 1842/0

                2019-06-06T05:59:56.801Z 48972 INET TERM domain-c47/1016 IN TCP FIN 10.0.210.10/54452->10.0.210.12/443 10/0 1929/0

                2019-06-06T05:59:56.801Z 48972 INET TERM domain-c47/1016 IN TCP FIN 10.0.210.10/34434->10.0.210.13/443 10/0 1929/0

                2019-06-06T05:59:56.801Z 48972 INET TERM domain-c47/1016 IN TCP FIN 10.0.210.10/54458->10.0.210.12/443 11/0 1998/0

                2019-06-06T05:59:56.801Z 48972 INET TERM domain-c47/1016 IN TCP FIN 10.0.210.10/34440->10.0.210.13/443 10/0 1958/0

                2019-06-06T05:59:56.801Z 48972 INET TERM domain-c47/1016 IN TCP RST 10.0.210.10/48480->10.0.210.12/9080 11/0 2572/0

                 

What kind of log should I look for?

                 

                Best Regards

                Marcin Gwóźdź
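The dfwpktlogs.log lines quoted above are flow-termination records (rule set/rule ID, direction, protocol, why the flow ended, the 5-tuple, and packet/byte counters). Reading them raw says little; what a practitioner wants is to pull out only the flows that go to the domain controller on AD service ports and see which of them ended without a reply. The following is an added example, not from this thread and not VMware's tooling: a small Python parser over constructed sample lines in the same shape as the entries posted. The column meanings (second column taken as the per-vNIC filter ID, the last two columns as packets and bytes in/out), the domain-controller address 10.0.210.14 and the AD port list are assumptions made for the example; it also handles lines it does not recognise by reporting them rather than crashing.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumed set of ports an NSX Manager / Guest Introspection host would use
# to reach a domain controller. This is an example list, not an NSX setting.
AD_PORTS = {53: "dns", 88: "kerberos", 135: "rpc", 389: "ldap", 445: "smb",
            636: "ldaps", 3268: "gc", 3269: "gc-ssl"}

# Constructed sample log, same shape as the thread's entries (not captured from a real host).
# The last line is deliberately in a different (non-TERM) shape so the parser's
# handling of unrecognised records is exercised.
SAMPLE_LOG = """\
2019-06-06T05:59:56.801Z 36787 INET TERM domain-c47/1016 IN TCP TIMEOUT 10.0.0.7/60499->10.0.210.14/445 1/0 52/0
2019-06-06T05:59:56.801Z 48972 INET TERM domain-c47/1016 IN TCP FIN 10.0.210.10/34420->10.0.210.13/443 10/0 1904/0
2019-06-06T05:59:57.102Z 48972 INET TERM domain-c47/1016 IN TCP FIN 10.0.210.10/51000->10.0.210.14/389 6/5 900/1200
2019-06-06T05:59:57.210Z 48972 INET TERM domain-c47/1016 IN TCP RST 10.0.210.10/51002->10.0.210.14/636 3/0 180/0
2019-06-06T05:59:58.001Z 48972 INET TERM domain-c47/1016 IN TCP FIN 10.0.210.10/48480->10.0.210.12/9080 11/0 2572/0
2019-06-06T05:59:58.300Z 48972 INET TERM domain-c47/1016 IN UDP TIMEOUT 10.0.210.10/40000->10.0.210.14/53 2/2 140/300
2019-06-06T05:59:58.500Z 36787 INET match PASS domain-c47/1003 OUT 60 TCP 10.0.0.7/60500->10.0.210.14/88 S
"""

@dataclass(frozen=True)
class Flow:
    ts: str
    filter_id: str     # assumed meaning of the second column
    rule_set: str      # e.g. domain-c47
    rule_id: int       # e.g. 1016
    direction: str     # IN / OUT
    proto: str         # TCP / UDP
    reason: str        # FIN / RST / TIMEOUT
    src: str
    sport: int
    dst: str
    dport: int
    pkts_in: int       # assumed: packets/bytes in the flow's forward direction ...
    pkts_out: int      # ... and in the reverse direction
    bytes_in: int
    bytes_out: int

# One TERM record per line; anything else is reported as unparsed.
TERM_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<filter>\d+)\s+(?P<af>INET6?)\s+TERM\s+"
    r"(?P<ruleset>[^/\s]+)/(?P<rule>\d+)\s+(?P<dir>IN|OUT)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<reason>[A-Z]+)\s+"
    r"(?P<src>[^/\s]+)/(?P<sport>\d+)->(?P<dst>[^/\s]+)/(?P<dport>\d+)\s+"
    r"(?P<pin>\d+)/(?P<pout>\d+)\s+(?P<bin>\d+)/(?P<bout>\d+)$"
)

def parse_line(line: str) -> Optional[Flow]:
    """Return a Flow for a TERM record, or None if the line is in another shape."""
    m = TERM_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Flow(g["ts"], g["filter"], g["ruleset"], int(g["rule"]), g["dir"], g["proto"],
                g["reason"], g["src"], int(g["sport"]), g["dst"], int(g["dport"]),
                int(g["pin"]), int(g["pout"]), int(g["bin"]), int(g["bout"]))

def parse_log(text: str):
    """Split a log into parsed flows and the raw lines the parser did not recognise."""
    flows, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f is None:
            unparsed.append(line)
        else:
            flows.append(f)
    return flows, unparsed

def dc_flows(flows, dc_ips):
    """Keep only flows towards a known domain controller on an AD service port."""
    return [f for f in flows if f.dst in dc_ips and f.dport in AD_PORTS]

def suspicious(flows):
    """Flows that ended by TIMEOUT or RST with nothing seen in the reverse direction:
    the footprint of a connection to the DC that never got an answer (or was refused)."""
    return [f for f in flows if f.reason in ("TIMEOUT", "RST") and f.pkts_out == 0]

def summarize(flows) -> Counter:
    """Count flows by (destination, port, termination reason) for a quick overview."""
    return Counter((f.dst, f.dport, f.reason) for f in flows)

if __name__ == "__main__":
    flows, unparsed = parse_log(SAMPLE_LOG)
    to_dc = dc_flows(flows, {"10.0.210.14"})
    for (dst, port, reason), n in sorted(summarize(to_dc).items()):
        print(f"{dst}:{port} ({AD_PORTS[port]}) ended by {reason}: {n}")
    for f in suspicious(to_dc):
        print(f"no reply: {f.src}:{f.sport} -> {f.dst}:{f.dport} rule {f.rule_set}/{f.rule_id}")
    print(f"{len(unparsed)} line(s) not in TERM format")
```

On a host you would feed the real file in instead of the embedded sample (for example `parse_log(open("/var/log/dfwpktlogs.log").read())`), and put your own DC addresses in the set passed to `dc_flows`. A flow to the DC on 389/636 or 445 that keeps ending by TIMEOUT with zero reverse packets points at a firewall rule or a stalled DC, which is a different problem from a Security Group that simply never finishes loading.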

                • 5. Re: NSX - Guest Introspection, Firewall - AD
                  RaymundoEC Hot Shot
vExpert, VMware Employees

Well, my bad on the logs. Please check this link:

                   

                  Identity Firewall

                   

Also, check this link from the AD side:

                  https://girl-germs.com/?p=1538

                   

If you have access to myVMware, open a TSR; from what I read, GSS has lots of tricks to look under.

                   

Hope this helps.

                  • 6. Re: NSX - Guest Introspection, Firewall - AD
                    Marcin4 Enthusiast

Well, thank you for all the help.