cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3211
Views
10
Helpful
7
Replies

Getting VSG to recognise VNMC policy

Paul Masterton
Level 1
Level 1

Hello All,

I've installed the VSG and VNMC and it all looks good (everything's registered, everything sees everything else - VEM, VSM, etc.) however as soon as I try and apply a firewall policy to a port-profile from my VSM I get this logged in the VSM:

2012 Sep 26 14:52:48 N1000v %VNS_AGENT-3-CORE_INVALID_PROF_ID_ERR: VNMC failed to resolve service-profile for port, name:Veth10

This is the config for the port-profile:

port-profile type vethernet TestTenant

vmware port-group

switchport mode access

switchport access vlan 10

org root/TestTenant

vservice node VSG profile PolicyA

no shutdown

state enabled

I've attached screen grabs where you can see TestTenant is in the root and PolicyA does exist, belonging to TestTenant.

The only other error I get, which is obviously related is show vservice brief ends with:

#  - PA/VNMC is not connected to VSM yet or Org config error or PA/VNMC malfunctioning

We are connect to VNMC (show vn-pa status says so) so I assume it does't like my org or profile statements... but they match the screen grab...

All other tests are good:

N1000v# ping vsn all src-module all

ping vsn 10.1.50.12 vlan 50 from module 3, seq=0 timeout=1-sec

module(usec)   :  3(431)

N1000v# show vservice node brief

--------------------------------------------------------------------------------

Node Information

--------------------------------------------------------------------------------

ID Name                     Type   IP-Address      Mode   State   Module

1 VSG                      vsg    10.1.50.12      v-50   Alive   3,

FW-TT# sh running-config rule

rule default/default-rule@root

action 10 drop

rule default/default-rule@root/TestTenant

action 10 drop

FW-TT# show run policy

Policy default-egress@root/TestTenant

Policy default@root

rule default/default-rule@root order 2

Policy default@root/TestTenant

rule default/default-rule@root/TestTenant order 2

It just can't seem to look up my policy! Any ideas why?

One thing I have noticed is there are no "Compute Security Profiles" under the TestTenant firewall, but I don't know if there should be or how to put some there? (Have  alook at the SecProfiles.png attachment)

7 Replies 7

Marcel Zehnder
Spotlight
Spotlight

Hi Paul

Did you solve this issue? I have a similiar problem.

Regards

Marcel

Please forward output of show vservice brief.

Hi Jaso

Mi problem is related to a ASA 1000v installation: If I attach a VM to the ASA1000V Port-Profile I receive the following error:

2013 Mar 12 10:33:52 VSM-1110-01 %ETHPORT-5-IF_UP: Interface Vethernet13 is up in mode access

2013 Mar 12 10:33:52 VSM-1110-01 %VNS_AGENT-3-CORE_DEFAULT_PROF_ID_ERR: VNMC resolves default-service-profile for port, name:Veth13 profile-id:1

This is what show vservice brief says:

VSM-1110-01# sh vservice brief

--------------------------------------------------------------------------------

                                   License Information

--------------------------------------------------------------------------------

Type      In-Use-Lic-Count  UnLicensed-Mod

vsg                      4 

asa                      2 

--------------------------------------------------------------------------------

                                   Node Information

--------------------------------------------------------------------------------

ID Name                     Type   IP-Address      Mode   State   Module

  1 CFW-VSG1                 vsg    10.1.103.242    v-103  Alive   3,4,

  2 ASA                      asa    10.1.100.1      v-1101 Alive   3,

--------------------------------------------------------------------------------

                                   Path Information

--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

                                   Port Information

--------------------------------------------------------------------------------

PortProfile:ASA-Bla-Test                   

Org:root/TenantASA

Node:ASA(10.1.100.1)                          Profile(Id):ASA-SEC(9)

Veth Mod VM-Name                              vNIC IP-Address

  13   3 ubuntuc1                                1 10.1.100.11

PortProfile:SECURE-VSG-C                   

Org:root/TenantA

Node:CFW-VSG1(10.1.103.242)                   Profile(Id):SEC-PROFILE-C(10)

Veth Mod VM-Name                              vNIC IP-Address

   7   3 ubuntub1                                1 10.1.101.21

PortProfile:SECURE-VSG-A                   

Org:root/TenantA

Node:CFW-VSG1(10.1.103.242)                   Profile(Id):SEC-PROFILE-A(5)

Veth Mod VM-Name                              vNIC IP-Address

   8   4 ubuntua2                                1 10.1.101.12

Please ignore the VSG - This is a lab and I'm also running a VSG setup (without problems by the way).

Thanks for your support

Marcel


Hi,

Im having the exact same issue when configuration the vservise node and org

gs2-cldnexus-01(config-port-prof)# org root/CUST01

2013 Jul 18 08:51:19 gs2-cldnexus-01 %VNS_AGENT-3-CORE_DEFAULT_PROF_ID_ERR: VNMC resolves default-service-profile for port, name:Veth3 profile-id:1

port-profile type vethernet Profile-CUST01-Server

  vmware port-group

  switchport mode access

  switchport access vlan 501

  org root/CUST01

  vservice node CUST01-ASA profile Profile-CUST01-Server

  no shutdown

  state enabled

Everything is registred with each other all confirmed. Pluggin installed in VCenter, VM Manager registered in VNMC and both the ASA and the N1K are also see as clients. Followed the Trouble shooting guide, it appears that the issue is that the Firewall that is registered with VNMC has no Edge Profile associated with it. Allthough the Edge Profile can be seen from Service Profiles Tab but not applied to the ASA.

gs2-cldnexus-01# sh vservice detail

--------------------------------------------------------------------------------

                                   License Information

--------------------------------------------------------------------------------

Mod  VSG-Lic-Count  ASA-Lic-Count

  3              0              2

--------------------------------------------------------------------------------

                                   Node Information

--------------------------------------------------------------------------------

Node ID:1      Name:CUST01-ASA

Type:asa       IPAddr:172.27.251.214   Fail:close  Vlan:404

Mod  State     MAC-Addr                VVer

  3  Alive     00:50:56:ba:32:b0          2

--------------------------------------------------------------------------------

                                   Path Information

--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

                                   Port Information

--------------------------------------------------------------------------------

PortProfile:Profile-CUST01-Server          

Org:root/CUST01

Node:CUST01-ASA(172.27.251.214)               Profile(Id):Profile-CUST01-Server(11)

Veth3

Module  :3

VM-Name :cust01-vm01

vNIC:Network Adapter 1

DV-Port :13536

VM-UUID :50 31 80 76 c1 d3 c5 6d-bc e9 8b 85 da 50 5d 3e

DVS-UUID:da a4 3a 50 ad 1e 64 d8-59 b6 27 7b 4d ac d8 c4

IP-Addrs:10.1.1.10,

gs2-cldnexus-01#

Any help on this would be greatly appreiciated

Regards

Darren

Paul,

please update us and those who encounter similar issues.

In my case the VSM was not responding on HTTPS, it was not reachable from Prime NSC. I had to reboot the VSM.

mike.holland
Level 1
Level 1

I also have the exact same issue and the troubleshooing guide was no help since everything shows up/alive/registered/etc.

I get this error msg on VSM when it is added to VNMC:

N1K-VSM# 2013 Sep 26 00:19:59 N1K-VSM %VNS_AGENT-3-CORE_INVALID_PROF_ID_ERR: VNMC failed to resolve service-profile for port, name:Veth3

In VNMC, under Resource Management/Resources/Virtual Supervisor Modules/All VSMs/ and select the tasks tab, is shows a task (

Requesting full set of vNIC attributes from vaswEp/inst-1009(FSM:sam:dme:VaswInstanceUpdateVnicSet))

that is stuck at 33% and continuously retrying.

When a security profile is applied to a port-profile, any VM using that port-profile looses all network connections and the VSG shows a pending status under the "sh service-path connection" results for the traffic being generated from and to the VM with the applied Secuirty Profile.

The fix was suggested in a post above by Peter Koltl. Restarting the VSM fixed the issue completely. Thanks Peter!

Thanks for your help,

-Mike

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: