1 Reply Latest reply on Aug 28, 2019 2:06 PM by mauricioamorim

    NSX-T security group member ip api returns 500

    shanshan33 Lurker

      Environment: NSX-T 2.4.1

       

      I'm testing NSX-T Policy in my lab, where I created 1 security group with a static member IP. When I try to extract the IP using the following API:

      GET /policy/api/v1/infra/domains/default/groups/my-sg/members/ip-addresses

      The response I got:

      {
        "httpStatus": "BAD_REQUEST",
        "error_code": 500140,
        "module_name": "Policy",
        "error_message": "Object path(s)=[my-sg] may not have been realized on enforcement point path=[/infra/sites/default/enforcement-points/my-ep]."
      }

      However, with this API:

      GET /policy/api/v1/infra/domains/default/groups/my-sg

      The IP Addresses are included in the response:

      {
        "expression": [
          {
            "ip_addresses": [
              "172.16.2.0/24"
            ],
            "resource_type": "IPAddressExpression",
            "marked_for_delete": false,
            "_protection": "NOT_PROTECTED"
          }
        ],
        "resource_type": "Group",
        "id": "my-sg",
        "display_name": "my-sg",
        "path": "/infra/domains/default/groups/my-sg",
        "relative_path": "my-sg",
        "parent_path": "/infra/domains/default",
        "marked_for_delete": false,
        "_create_user": "admin",
        "_create_time": 1566615153728,
        "_last_modified_user": "admin",
        "_last_modified_time": 1566615153728,
        "_system_owned": false,
        "_protection": "NOT_PROTECTED",
        "_revision": 0
      }

      Here are the steps I did:

      1. Create a security group my-sg
      2. Create a DFW policy with 1 rule that has source as my-sg
      3. Publish the policy, then delete the policy
      4. Then I registered a server in the same lab as an enforcement point on NSX-T. The server is set up to receive and process the policy events published from NSX-T, and it is running behind nginx. At this time my nginx was not properly set up to direct traffic to the server, so 404/405 will be returned to NSX-T when policy events are published.
      5. Created a DFW policy with 1 rule that has source as my-sg and published the policy. Since nginx was not set up properly at that time, the publish failed.
      6. Fixed the nginx config, re-published the policy, and confirmed that the server received the event.

      After step 6, I observed the 500 Error from extracting security group member IP api.

       

      NSX-T is new to me. Does anyone know why this error occurs? What should I do to make the API work again? Any ideas/help are greatly appreciated!

        • 1. Re: NSX-T security group member ip api returns 500
          mauricioamorim Hot Shot
          VMware Employees

          I didn't understand what you did or aim to do regarding enforcement point configuration. Without messing with it the API works fine.

           

          What I believe is happening is that when you created the SG it used the default enforcement point. Seems the API call is using my-ep enforcement point, on which the SG was never realized. You would have to append "?enforcement_point_path=/infra/sites/default/enforcement-points/default" to your API call so it goes to the correct EP.

           

          This should work, but I did not understand what is trying to be accomplished with this new EP you configured.
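
The fix suggested in the reply, as an added example that is not part of either post: it recognises the error body quoted in the question and builds the same member IP request pinned to the default enforcement point. The host name `nsx.example.test`, the function names and the comma-separated reading of the object list are assumptions made for illustration.

```python
import json
import re
from urllib.parse import quote, urlencode

# Both values are taken from the thread above.
DEFAULT_EP = "/infra/sites/default/enforcement-points/default"
NOT_REALIZED = 500140  # error_code in the response the question quotes

_MSG = re.compile(
    r"Object path\(s\)=\[(?P<objects>[^\]]*)\] may not have been realized "
    r"on enforcement point path=\[(?P<ep>[^\]]*)\]")

def member_ips_url(manager, group_id, domain="default", enforcement_point_path=None):
    """Build the member IP lookup URL, optionally pinned to one enforcement point."""
    url = "https://{}/policy/api/v1/infra/domains/{}/groups/{}/members/ip-addresses".format(
        manager, quote(domain, safe=""), quote(group_id, safe=""))
    if enforcement_point_path:
        # Keep "/" literal so the query matches the form given in the reply.
        url += "?" + urlencode({"enforcement_point_path": enforcement_point_path}, safe="/")
    return url

def diagnose(body):
    """Return (objects, enforcement_point) for the 'not realized' error, else None."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict) or doc.get("error_code") != NOT_REALIZED:
        return None
    m = _MSG.search(doc.get("error_message", ""))
    if not m:
        return None
    # Assumption: several object paths would be comma-separated inside the brackets.
    objects = [o.strip() for o in m.group("objects").split(",") if o.strip()]
    return objects, m.group("ep")

def retry_url(manager, group_id, body, fallback_ep=DEFAULT_EP):
    """Return the lookup URL pinned to fallback_ep, or None if that would not help."""
    found = diagnose(body)
    if found is None or found[1] == fallback_ep:
        return None  # a different error, or the fallback itself was already queried
    return member_ips_url(manager, group_id, enforcement_point_path=fallback_ep)

# Error body as quoted in the question, rebuilt here as sample input.
SAMPLE_ERROR = json.dumps({
    "httpStatus": "BAD_REQUEST", "error_code": 500140, "module_name": "Policy",
    "error_message": "Object path(s)=[my-sg] may not have been realized on "
                     "enforcement point path=[/infra/sites/default/enforcement-points/my-ep]."})

if __name__ == "__main__":
    print(diagnose(SAMPLE_ERROR))
    print(retry_url("nsx.example.test", "my-sg", SAMPLE_ERROR))
```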