VMware Networking Community
shanshan33
Contributor

NSX-T security group member ip api returns 500

Environment: NSX-T 2.4.1

I'm testing NSX-T Policy in my lab, where I created 1 security group with a static member IP. When I try to extract the IP using the following API:

GET /policy/api/v1/infra/domains/default/groups/my-sg/members/ip-addresses

The response I got:

{
  "httpStatus": "BAD_REQUEST",
  "error_code": 500140,
  "module_name": "Policy",
  "error_message": "Object path(s)=[my-sg] may not have been realized on enforcement point path=[/infra/sites/default/enforcement-points/my-ep]."
}

However, with this API:

GET /policy/api/v1/infra/domains/default/groups/my-sg

The IP Addresses are included in the response:

{
  "expression": [
    {
      "ip_addresses": [
        "172.16.2.0/24"
      ],
      "resource_type": "IPAddressExpression",
      "marked_for_delete": false,
      "_protection": "NOT_PROTECTED"
    }
  ],
  "resource_type": "Group",
  "id": "my-sg",
  "display_name": "my-sg",
  "path": "/infra/domains/default/groups/my-sg",
  "relative_path": "my-sg",
  "parent_path": "/infra/domains/default",
  "marked_for_delete": false,
  "_create_user": "admin",
  "_create_time": 1566615153728,
  "_last_modified_user": "admin",
  "_last_modified_time": 1566615153728,
  "_system_owned": false,
  "_protection": "NOT_PROTECTED",
  "_revision": 0
}

Here are the steps I did:

  1. Create a security group my-sg
  2. Create a DFW policy with 1 rule that has source as my-sg
  3. Publish the policy, then delete the policy
  4. Then I registered a server in the same lab as an enforcement point on NSX-T. The server is set up to receive and process the policy events published from NSX-T, and it is running behind nginx. At this time my nginx is not properly set up to direct traffic to the server, so 404/405 will be returned to NSX-T when policy events are published.
  5. Created a DFW policy with 1 rule that has source as my-sg and published the policy. Since nginx was not set up properly at that time, the publish failed.
  6. Fixed the nginx config, re-published the policy, confirmed that the server received the event.

After step 6, I observed the 500 error from the API for extracting security group member IPs.

NSX-T is new to me. Does anyone know why this error occurs? What should I do to make the API work again? Any ideas/help are greatly appreciated!

mauricioamorim
VMware Employee

I didn't understand what you did or aim to do regarding enforcement point configuration. Without messing with it the API works fine.

What I believe is happening is that when you created the SG it used the default enforcement point. Seems the API call is using my-ep enforcement point, on which the SG was never realized. You would have to append "?enforcement_point_path=/infra/sites/default/enforcement-points/default" to your API call so it goes to the correct EP.

This should work, but I did not understand what is trying to be accomplished with this new EP you configured.

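The reply's suggestion, as an added example that is not part of the original thread and not VMware's code: read the enforcement point named in the 500140 error body, build the retry request path with `enforcement_point_path` set to the default enforcement point, and read the statically configured IPs from the group definition. The function names are hypothetical; the two JSON bodies are the ones from the post, trimmed to the fields used.

```python
import re
from urllib.parse import urlencode

GROUPS = "/policy/api/v1/infra/domains/default/groups"
DEFAULT_EP = "/infra/sites/default/enforcement-points/default"  # path given in the reply

# Bodies copied from the post, trimmed to the fields used here.
ERROR_BODY = {
    "httpStatus": "BAD_REQUEST",
    "error_code": 500140,
    "module_name": "Policy",
    "error_message": "Object path(s)=[my-sg] may not have been realized on "
                     "enforcement point path=[/infra/sites/default/enforcement-points/my-ep].",
}
GROUP_BODY = {
    "expression": [{"ip_addresses": ["172.16.2.0/24"],
                    "resource_type": "IPAddressExpression"}],
    "resource_type": "Group",
    "id": "my-sg",
}

def members_url(group_id, ep_path=None):
    """Build the member-IP request path, optionally pinned to one enforcement point."""
    url = f"{GROUPS}/{group_id}/members/ip-addresses"
    if ep_path:
        # safe="/" keeps the policy path unescaped, as written in the reply
        url += "?" + urlencode({"enforcement_point_path": ep_path}, safe="/")
    return url

def unrealized_ep(body):
    """Return the enforcement point named in a 500140 error body, or None."""
    if body.get("error_code") != 500140:
        return None
    m = re.search(r"enforcement point path=\[([^\]]+)\]", body.get("error_message", ""))
    return m.group(1) if m else None

def retry_url(group_id, body):
    """Path to retry against the default enforcement point, or None if no retry applies."""
    ep = unrealized_ep(body)
    if ep is None or ep == DEFAULT_EP:
        return None
    return members_url(group_id, DEFAULT_EP)

def static_ips(group):
    """Statically configured IPs from a group definition (not effective membership)."""
    return [ip for expr in group.get("expression", [])
            if expr.get("resource_type") == "IPAddressExpression"
            for ip in expr.get("ip_addresses", [])]

if __name__ == "__main__":
    print(unrealized_ep(ERROR_BODY))
    print(retry_url("my-sg", ERROR_BODY))
    print(static_ips(GROUP_BODY))
```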