The following table provides the workaround for the issues found in NSX 3.2.1 and NSX 3.2.2 while promoting manager objects to policy objects.

Table 1.
Problem Workaround

Failure - T0/T1 promotion failure due to DAD profile.

Error Example:

Resource type: TIER0 is dependent on resource type :DAD_PROFILE with id 7fc1e3b0-7cd4-7339-76c8-f76baddbaafb.Please make sure dependent objects are promoted first.

 Contact the VMware support.

Switch/Firewall rule failure - System defined objects mapping issue.

Error Example:

Resource type: DFW_SECTION is dependent on resource type :CONTEXT_PROFILES with id b25b144b-7b21-4afe-a535-32f953d15961.Please make sure dependent objects are promoted first.

Some of system defined objects such as default non vif segment security profile, SYMUPDAT context profile

has issues with mapping to corresponding policy objects in mp to policy promotion. Pls use following workarounds for them:

Workaround:

a. Create folder 'mp2policy' in /var/log/migration-coordinator if doesn't exist

b. Change ownership of mp2policy to that of other files in /var/log/migration-coordinator

Example : chown -v umc:umc mp2policy

c. Create medata.json file in /var/log/migration-coordinator/mp2policy

d. Change ownership for the file as mentionedin step b for medata.json file

e. Add following entries metadata.json: (Use ids,paths as appropriate to corresponding objects.) 
{
  "47ffda0e-035f-4900-83e4-0a2086813ede,SEGMENT_SECURITY_PROFILES" : {
    "id" : "default-non-vif-segment-security-profile",
    "type" : "SEGMENT_SECURITY_PROFILES",
    "path" : "/infra/segment-security-profiles/default-non-vif-segment-security-profile"
  },
  "b25b144b-7b21-4afe-a535-32f953d15961,CONTEXT_PROFILES" : {
    "id" : "SYMUPDAT",
    "type" : "CONTEXT_PROFILES",
    "path" : "/infra/context-profiles/SYMUPDAT"
  }
 }
Tier0/Tier1 promotion failure : Error during mp to policy promotion Tier0/Tier1 xxxx error. Error : Error during creating objects of type:Infra.
  1. DELETE constraint using the followimg API:

    DELETE https://nsx-mgr-ip/api/v1/infra/constraints/infra_EC_to_FL_Connectivity_Strategy

  2. Make sure no constraints are left with API:

    GET https://nsx-mgr-ip/api/v1/infra/constraints
Firewall IPFix profile failure - As 2 firewall IPFix profiles can't have same priority. On MP, firewall IPFix profile with same priority are supported but it is not supported on Policy.
  1. a. Find out failed Firewall IPFix profile.
  2. Edit this profile and set priority other than that of other Firewall IPFix profile on MP.
Firewall rules promotion failures.
  • NBNS-Broadcast and NBDG-Broadcast services error. Service names were changed from NBNS-Broadcast to NBNS-Broadcast_V1 and NBDG-Broadcast to NBDG-Broadcast_V1. However, due to upgrade gap, in upgraded systems these services remains in the system with firewall rule consuming NBNS-Broadcast and NBDG-Broadcast services. On Policy only NBNS-Broadcast_V1 and NBDG-Broadcast_V1 is supported.

    Workaround:

    a. Check which firewall rules are consuming NBNS-Broadcast and NBDG-Broadcast services on MP.

    b. Replace them with NBNS-Broadcast_V1 and NBDG-Broadcast_V1 services respectively on MP before mp to policypromotion.

  • DFW issue with PostgresSQL service PostgresSQL was changes to PostgreSQL (note lack of s before SQL). However, due to upgrade gap, in upgraded systems these services remains in the system with firewall rule consuming PostgresSQL, .On Policy only PostgreSQL is supported.

    Workaround:

    a. Check which firewall rules are using PostgresSQL service on MP.

    b. Replace them with PostgreSQL service respectively on MP before mp to policy promotion.

  • DFW issue with Microsoft_Active_Directory service Microsoft_Active_Directory was changes to Microsoft_Active_Directory_V1 . However, due to upgrade gap, in upgraded systems these services remains in the system with firewall rule consuming Microsoft_Active_Directory. On Policy only Microsoft_Active_Directory_V1 is supported.

    Workaround:

    a. Check which firewall rules are using Microsoft_Active_Directory service on MP.

    b. Replace them with Microsoft_Active_Directory_V1 service respectively on MP before mp to policy promotion.
LB service issues promotion failure - LB size is Medium and ‘Pool Allocation Size of' of attached T1s/T0s is small, then it will cause mp to policy promotion error. In this case, disconnect the corresponding LBs from attached T1s/T0s and do mp to policy promotion. Post promotion to Policy, LB size can be set based on attached T1s/T0s pool allocation size.

CRLs issue : CRL uuid is derviced from name instead of proper UUID string.

Error Example :

Unable to migrate crl 64e3a2eff2a159b7448d9c7380c943ebbeb3dc34aae3412550fa488391c6d721

reason : Invalid UUID string

 CRL id on mp should be in UUID format and If CRL has id as display name and not proper UUID, see if CRL has dependent objects. If not, just skipCRLs during mp to policy promotion.
On mp if LB Virtual servers are platform certificates, it fails LB Virtual server promotion.

a. Note that, in policy only service certificates are supported and platform certificatesare supported only on MP.

b. In case, if MP LB Virtual servers are using platform certificates, those LB Virtual servers can'tbe promoted to Policy.

c. To workaround the issue, we need to disable SSL on these virtual servers which will remove certificates from it.Then these LB virtual servers can be promoted to Policy. Then as applicable certificates can be added tothose LB virtual servers from Policy.