09-26-2012 08:14 AM - edited 03-11-2019 04:59 PM
Hello All,
I've installed the VSG and VNMC and it all looks good (everything's registered, everything sees everything else - VEM, VSM, etc.); however, as soon as I try and apply a firewall policy to a port-profile from my VSM, I get this logged in the VSM:
2012 Sep 26 14:52:48 N1000v %VNS_AGENT-3-CORE_INVALID_PROF_ID_ERR: VNMC failed to resolve service-profile for port, name:Veth10
This is the config for the port-profile:
port-profile type vethernet TestTenant
vmware port-group
switchport mode access
switchport access vlan 10
org root/TestTenant
vservice node VSG profile PolicyA
no shutdown
state enabled
I've attached screen grabs where you can see TestTenant is in the root and PolicyA does exist, belonging to TestTenant.
The only other error I get, which is obviously related, is that show vservice brief ends with:
# - PA/VNMC is not connected to VSM yet or Org config error or PA/VNMC malfunctioning
We are connected to VNMC (show vn-pa status says so), so I assume it doesn't like my org or profile statements... but they match the screen grab...
All other tests are good:
N1000v# ping vsn all src-module all
ping vsn 10.1.50.12 vlan 50 from module 3, seq=0 timeout=1-sec
module(usec) : 3(431)
N1000v# show vservice node brief
--------------------------------------------------------------------------------
Node Information
--------------------------------------------------------------------------------
ID Name Type IP-Address Mode State Module
1 VSG vsg 10.1.50.12 v-50 Alive 3,
FW-TT# sh running-config rule
rule default/default-rule@root
action 10 drop
rule default/default-rule@root/TestTenant
action 10 drop
FW-TT# show run policy
Policy default-egress@root/TestTenant
Policy default@root
rule default/default-rule@root order 2
Policy default@root/TestTenant
rule default/default-rule@root/TestTenant order 2
It just can't seem to look up my policy! Any ideas why?
One thing I have noticed is there are no "Compute Security Profiles" under the TestTenant firewall, but I don't know if there should be or how to put some there? (Have a look at the SecProfiles.png attachment)
02-27-2013 01:21 AM
Hi Paul
Did you solve this issue? I have a similar problem.
Regards
Marcel
03-11-2013 04:37 PM
Please forward output of show vservice brief.
03-12-2013 02:39 AM
Hi Jaso
My problem is related to an ASA 1000v installation: If I attach a VM to the ASA1000V Port-Profile I receive the following error:
2013 Mar 12 10:33:52 VSM-1110-01 %ETHPORT-5-IF_UP: Interface Vethernet13 is up in mode access
2013 Mar 12 10:33:52 VSM-1110-01 %VNS_AGENT-3-CORE_DEFAULT_PROF_ID_ERR: VNMC resolves default-service-profile for port, name:Veth13 profile-id:1
This is what show vservice brief says:
VSM-1110-01# sh vservice brief
--------------------------------------------------------------------------------
License Information
--------------------------------------------------------------------------------
Type In-Use-Lic-Count UnLicensed-Mod
vsg 4
asa 2
--------------------------------------------------------------------------------
Node Information
--------------------------------------------------------------------------------
ID Name Type IP-Address Mode State Module
1 CFW-VSG1 vsg 10.1.103.242 v-103 Alive 3,4,
2 ASA asa 10.1.100.1 v-1101 Alive 3,
--------------------------------------------------------------------------------
Path Information
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Port Information
--------------------------------------------------------------------------------
PortProfile:ASA-Bla-Test
Org:root/TenantASA
Node:ASA(10.1.100.1) Profile(Id):ASA-SEC(9)
Veth Mod VM-Name vNIC IP-Address
13 3 ubuntuc1 1 10.1.100.11
PortProfile:SECURE-VSG-C
Org:root/TenantA
Node:CFW-VSG1(10.1.103.242) Profile(Id):SEC-PROFILE-C(10)
Veth Mod VM-Name vNIC IP-Address
7 3 ubuntub1 1 10.1.101.21
PortProfile:SECURE-VSG-A
Org:root/TenantA
Node:CFW-VSG1(10.1.103.242) Profile(Id):SEC-PROFILE-A(5)
Veth Mod VM-Name vNIC IP-Address
8 4 ubuntua2 1 10.1.101.12
Please ignore the VSG - This is a lab and I'm also running a VSG setup (without problems by the way).
Thanks for your support
Marcel
07-18-2013 07:53 AM
Hi,
I'm having the exact same issue when configuring the vservice node and org
gs2-cldnexus-01(config-port-prof)# org root/CUST01
2013 Jul 18 08:51:19 gs2-cldnexus-01 %VNS_AGENT-3-CORE_DEFAULT_PROF_ID_ERR: VNMC resolves default-service-profile for port, name:Veth3 profile-id:1
port-profile type vethernet Profile-CUST01-Server
vmware port-group
switchport mode access
switchport access vlan 501
org root/CUST01
vservice node CUST01-ASA profile Profile-CUST01-Server
no shutdown
state enabled
Everything is registered with each other, all confirmed. Plugin installed in vCenter, VM Manager registered in VNMC, and both the ASA and the N1K are also seen as clients. Followed the troubleshooting guide; it appears that the issue is that the firewall that is registered with VNMC has no Edge Profile associated with it. Although the Edge Profile can be seen from the Service Profiles tab, it is not applied to the ASA.
gs2-cldnexus-01# sh vservice detail
--------------------------------------------------------------------------------
License Information
--------------------------------------------------------------------------------
Mod VSG-Lic-Count ASA-Lic-Count
3 0 2
--------------------------------------------------------------------------------
Node Information
--------------------------------------------------------------------------------
Node ID:1 Name:CUST01-ASA
Type:asa IPAddr:172.27.251.214 Fail:close Vlan:404
Mod State MAC-Addr VVer
3 Alive 00:50:56:ba:32:b0 2
--------------------------------------------------------------------------------
Path Information
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Port Information
--------------------------------------------------------------------------------
PortProfile:Profile-CUST01-Server
Org:root/CUST01
Node:CUST01-ASA(172.27.251.214) Profile(Id):Profile-CUST01-Server(11)
Veth3
Module :3
VM-Name :cust01-vm01
vNIC:Network Adapter 1
DV-Port :13536
VM-UUID :50 31 80 76 c1 d3 c5 6d-bc e9 8b 85 da 50 5d 3e
DVS-UUID:da a4 3a 50 ad 1e 64 d8-59 b6 27 7b 4d ac d8 c4
IP-Addrs:10.1.1.10,
gs2-cldnexus-01#
Any help on this would be greatly appreciated
Regards
Darren
09-08-2013 07:03 AM
Paul,
please update us and those who encounter similar issues.
09-08-2013 07:35 AM
In my case the VSM was not responding on HTTPS, it was not reachable from Prime NSC. I had to reboot the VSM.
09-25-2013 05:34 PM
I also have the exact same issue and the troubleshooting guide was no help since everything shows up/alive/registered/etc.
I get this error msg on VSM when it is added to VNMC:
N1K-VSM# 2013 Sep 26 00:19:59 N1K-VSM %VNS_AGENT-3-CORE_INVALID_PROF_ID_ERR: VNMC failed to resolve service-profile for port, name:Veth3
In VNMC, under Resource Management/Resources/Virtual Supervisor Modules/All VSMs/
Requesting full set of vNIC attributes from vaswEp/inst-1009(FSM:sam:dme:VaswInstanceUpdateVnicSet))
that is stuck at 33% and continuously retrying.
When a security profile is applied to a port-profile, any VM using that port-profile loses all network connections and the VSG shows a pending status under the "sh service-path connection" results for the traffic being generated from and to the VM with the applied Security Profile.
The fix was suggested in a post above by Peter Koltl. Restarting the VSM fixed the issue completely. Thanks Peter!
Thanks for your help,
-Mike
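Every report in this thread turns on the same two VSM messages, so one way to triage them is to pair each VNS_AGENT profile error with the port's binding from show vservice brief. The sketch below is an added example, not code from any poster or from Cisco; the function names are made up for illustration, and the inputs are lines copied from the posts above.

```python
import re

# Syslog lines copied from the posts above.
SYSLOG = """\
2012 Sep 26 14:52:48 N1000v %VNS_AGENT-3-CORE_INVALID_PROF_ID_ERR: VNMC failed to resolve service-profile for port, name:Veth10
2013 Mar 12 10:33:52 VSM-1110-01 %ETHPORT-5-IF_UP: Interface Vethernet13 is up in mode access
2013 Mar 12 10:33:52 VSM-1110-01 %VNS_AGENT-3-CORE_DEFAULT_PROF_ID_ERR: VNMC resolves default-service-profile for port, name:Veth13 profile-id:1
"""

# Port Information stanzas copied from the `show vservice brief` output above.
VSERVICE_BRIEF = """\
PortProfile:ASA-Bla-Test
Org:root/TenantASA
Node:ASA(10.1.100.1) Profile(Id):ASA-SEC(9)
Veth Mod VM-Name vNIC IP-Address
13 3 ubuntuc1 1 10.1.100.11
PortProfile:SECURE-VSG-C
Org:root/TenantA
Node:CFW-VSG1(10.1.103.242) Profile(Id):SEC-PROFILE-C(10)
Veth Mod VM-Name vNIC IP-Address
7 3 ubuntub1 1 10.1.101.21
"""

ERR_RE = re.compile(r"%VNS_AGENT-3-CORE_(INVALID|DEFAULT)_PROF_ID_ERR:"
                    r".*name:Veth(\d+)(?: profile-id:(\d+))?")
PROFILE_RE = re.compile(r"Profile\(Id\):(\S+)\((\d+)\)")

def parse_bindings(text):
    """Map Veth number -> (port-profile, org, security profile, profile id)."""
    bindings, pp, org, prof = {}, None, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("PortProfile:"):
            pp, prof = line.split(":", 1)[1], None
        elif line.startswith("Org:"):
            org = line.split(":", 1)[1]
        elif (m := PROFILE_RE.search(line)):
            prof = (m.group(1), int(m.group(2)))
        elif prof and re.match(r"\d+\s+\d+\s+\S+", line):
            bindings[int(line.split()[0])] = (pp, org, *prof)
    return bindings

def unresolved_ports(syslog, brief):
    """One finding per Veth whose service profile did not resolve as configured."""
    bindings, findings = parse_bindings(brief), []
    for m in ERR_RE.finditer(syslog):
        veth, got = int(m.group(2)), m.group(3)
        findings.append({"veth": veth, "error": m.group(1),
                         "resolved_id": int(got) if got else None,
                         "configured": bindings.get(veth)})
    return findings
```

For Veth13 the result shows the port bound to ASA-SEC(9) while the log reports profile-id:1, so the configured security profile is not the one in effect on that port.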