NSX-T Troubleshooting IDFW rules

So you have migrated to NSX-T 3.2 and you are using IDFW rules to allow users to dynamically gain access when they log in to any physical device in the domain.

The only trouble is that it is now not really working, and VMware has not yet implemented a way in the GUI to see the effective members of Groups that contain Active Directory members.

Well, there is a way to at least see who is in the group, but it takes a couple of steps.

How to find the effective group members

Step one is to identify the rule you are troubleshooting and make a note of its rule ID.

Next, find the host the destination VM is running on. You can do this manually in vCenter or use PowerShell; that is up to you.

The PowerCLI code would look like this.

Get-VM <Name of VM> | Get-VMHost

Log in to the host using SSH.

Use the following commands in the SSH session to get the current effective ipset members of the group.

ruleid=<the rule id number you noted>
vm=<name of vm>

# Get the dvfilter NIC name of the VM (the filter the rules are applied to)
nic=$(summarize-dvfilter | grep world -A 3 | grep -i "$vm" -A 3 | grep name | awk '{print $2}')

# Get the address set ID referenced by the rule
addrset=$(vsipioctl getrules -f "$nic" | grep "$ruleid" | sed -e 's/.*addrset\(.*\)with.*/\1/')

# Print the members (IP and MAC entries) of that address set
vsipioctl getaddrset -f "$nic" | awk -F '[{}]' '{print $1}' | sed -n "/$addrset/,/^ *$/p"

Example:

ruleid=2011
vm="DC-Server-1"

# Get the dvfilter NIC name of the VM (the filter the rules are applied to)
nic=$(summarize-dvfilter | grep world -A 3 | grep -i "$vm" -A 3 | grep name | awk '{print $2}')

# Get the address set ID referenced by the rule
addrset=$(vsipioctl getrules -f "$nic" | grep "$ruleid" | sed -e 's/.*addrset\(.*\)with.*/\1/')

# Print the members (IP and MAC entries) of that address set
vsipioctl getaddrset -f "$nic" | awk -F '[{}]' '{print $1}' | sed -n "/$addrset/,/^ *$/p"

Result:

addrset 12122cab-93d3-4a1d-82b4-16b27a9cc1fc
ip 10.1.1.200,
ip 10.1.2.220,
mac 00:50:56:aa:bb:cc,
mac 00:50:56:aa:ee:dd,
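If you want to check the parsing logic before you have a host in front of you, here is an added example (not part of the original post) that replays the two vsipioctl outputs from constructed samples and extracts the members of every address set a given rule references. The exact line layout of both outputs is an assumption; the sample_* functions stand in for vsipioctl getrules -f "$nic" and vsipioctl getaddrset -f "$nic". It matches the rule ID as a whole field, so rule 20110 is not picked up when you ask for 2011, which a plain grep would do.

```shell
# Added example, not from the original post. Both output layouts are assumed;
# on a real host replace the two sample_* functions with the vsipioctl calls.

# Constructed stand-in for `vsipioctl getrules -f $nic` (layout assumed)
sample_rules() {
cat <<'EOF'
ruleset domain-c8 {
rule 2011 at 1 inout protocol any from addrset 12122cab-93d3-4a1d-82b4-16b27a9cc1fc to any accept with log;
rule 20110 at 2 inout protocol any from any to addrset 00000000-0000-0000-0000-00000000beef drop;
}
EOF
}

# Constructed stand-in for `vsipioctl getaddrset -f $nic` (layout assumed)
sample_addrsets() {
cat <<'EOF'
addrset 12122cab-93d3-4a1d-82b4-16b27a9cc1fc {
ip 10.1.1.200,
ip 10.1.2.220,
mac 00:50:56:aa:bb:cc,
mac 00:50:56:aa:ee:dd,
}
addrset 00000000-0000-0000-0000-00000000beef {
ip 10.9.9.9,
}
EOF
}

# rule_addrsets RULEID: address set IDs referenced by exactly that rule.
# Comparing the whole field avoids matching rule 20110 when asking for 2011.
rule_addrsets() {
  sample_rules | awk -v id="$1" \
    '$1 == "rule" && $2 == id { for (i = 1; i <= NF; i++) if ($i == "addrset") print $(i+1) }'
}

# addrset_members ADDRSET: the ip/mac entries of one address set, trailing commas stripped
addrset_members() {
  sample_addrsets | awk -v set="$1" \
    '$1 == "addrset" { cur = $2; next } $1 == "}" { cur = ""; next } cur == set { sub(/,$/, ""); print }'
}

# effective_members RULEID: members of every address set the rule references
effective_members() {
  for s in $(rule_addrsets "$1"); do
    echo "addrset $s"
    addrset_members "$s"
  done
}

effective_members 2011
```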

Hope it helps you out. Please let me know in the comments, and also if you have something to add.

There are some more commands that can be useful here: https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-7BCCF652-7825-4023-A5F3-A7F3B112A9F1.html
