A couple of days ago I had a small problem with NSX and firewall rules that did not work properly. While checking the NSX status via the Web Client, I found an Error status for the Distributed Firewall (DFW) on some hosts, as shown in the figure below:
No more information about the issue was shown after clicking on the Error link.
Rebooting the host did not solve this Error. Following the Troubleshooting Distributed Firewall KB, I verified:
- the NSX VIBs have not disappeared 😉 and are still installed on the problematic ESXi hosts in the cluster
- vShield-Stateful-Firewall service is in a running state
- the Message Bus is communicating properly with the NSX Manager
- port 5671 is open for communication in the firewall configuration
I decided to reinstall the NSX module on the problematic ESXi hosts and it solved the problem. What I did was:
- Put the ESXi host in maintenance mode.
- Logged in to the hosts via SSH.
- Removed the NSX VIB (there is one module since version NSX 6.3 - esx-nsxv): esxcli software vib remove -n esx-nsxv
- Rebooted the host.
NSX automatically checked and installed the above module again after the ESXi host rebooted.
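The VIB, service and message-bus checks from the list above can be scripted for the ESXi shell so they are repeatable across every host in the cluster. This is an added example, not part of the original post or the VMware KB; the function names are hypothetical and the command output formats are assumptions noted in the comments.

```shell
#!/bin/sh
# Added example: three of the pre-reinstall checks as ESXi shell functions.
# Each parser reads command output on stdin, so it can be exercised offline.
# Assumption: real output matches the forms described in each comment.

# Input: `esxcli software vib list`; a data row starts with the VIB name.
vib_installed() { grep -q '^esx-nsxv[[:space:]]'; }

# Input: `/etc/init.d/vShield-Stateful-Firewall status`
# Assumed form: "vShield-Stateful-Firewall is running"
fw_service_running() { grep -q 'is running'; }

# Input: `esxcli network ip connection list`
# Assumed columns: Proto Recv-Q Send-Q Local Foreign State ...
# Passes only if a session to remote port 5671 is ESTABLISHED, which is
# stricter than "port is open": it shows the message bus is actually connected.
msgbus_established() {
    awk '$5 ~ /:5671$/ && $6 == "ESTABLISHED" { found = 1 } END { exit !found }'
}

# Run every check against the live host and report all failures, not just the first.
dfw_host_checks() {
    rc=0
    esxcli software vib list | vib_installed \
        || { echo "FAIL: esx-nsxv VIB not installed"; rc=1; }
    /etc/init.d/vShield-Stateful-Firewall status | fw_service_running \
        || { echo "FAIL: vShield-Stateful-Firewall not running"; rc=1; }
    esxcli network ip connection list | msgbus_established \
        || { echo "FAIL: no established session to port 5671"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: all host-side DFW checks passed"
    return "$rc"
}

# Only touch live commands when this is actually an ESXi host.
if command -v esxcli >/dev/null 2>&1; then
    dfw_host_checks
fi
```

If all three checks pass and the DFW status still shows Error, as it did here, the host-side state looks healthy and reinstalling the VIB is the next step.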