VSG rules not applied

Sep 17th, 2013

Hi everybody:


I have a problem with a VSG version 4.2(1)VSG1(4.1)

When I configure a simple rule in VNMC as

permit all any any

I can see in the VSG


VSG1# show running-config rule

rule Between31and32/[email protected]/Tenant1/VDC1/App1
  action 10 permit
rule default/[email protected]
  action 10 drop


and everything works fine, I can ping and I can browse the web portal


If I change the rule to

deny all any to any

I can see the change applied immediately


VSG1# show running-config rule

rule Between31and32/[email protected]/Tenant1/VDC1/App1
  action 10 drop
rule default/[email protected]
  action 10 drop


and I can't ping from one VM to the other and I can't browse


But if I try to apply a more complex rule like

Permit tcp from 10.1.60.31 to 10.1.60.32 eq 80

Deny all any any


I can only see:


VSG1# show running-config rule

rule Between31and32/[email protected]/Tenant1/VDC1/App1
  action 10 permit
rule default/[email protected]
  action 10 drop


The rule doesn't work

I can't ping from .31 to .32 but I can't access the web page either

The new rule (PermitHTTP) appears, but not the complex conditions (see the attachment)

I've tried as one Policy set with only one rule and as one Policy set with two rules (permit http and deny all any any)

Any clue why the VSG doesn't apply complex rules?

I've seen examples where the VSG shows not only the rule name but the conditions.
I can't see the conditions.

The connection between VNMC and VSG seems to be OK, because the updates happen immediately


Thank you in advance


Al

a.giorgi Tue, 09/17/2013 - 06:29

More information


When I applied a single rule, no errors appeared

But when I applied a complex one, this warning message appeared


[FSM:STAGE:REMOTE-ERROR]: Result: service-unavailable Code: ERR-Device-IO Message: Policy Engine Error: Attribute  NOT found(sam:dme:TopSystemAssociate:ConfigFwPolicy)

a.giorgi Thu, 10/03/2013 - 05:17

Apparently it is an incompatibility between VNMC 2.1(1a) and VSG 4.1 (an attribute not supported, perhaps)

I installed VNMC 2.0.3f and everything works fine now

Regards
