Failed to Create Dynamic Address Group in Panorama VMware NSX Setup
Created On 03/01/19 15:35 PM - Last Modified 07/18/20 01:58 AM
Symptom
Unable to create a Dynamic Address Group (DAG) during the initial VMware NSX firewall installation with Panorama. The DAG does not show up in Device Group > Objects > Address Groups on Panorama.
Environment
- Panorama 8.1.6
- PAN-OS 8.1.6 for VM-series NSX
- VMware NSX 6.4.3
Cause
The DAG fails to appear in Objects on Panorama if the NSX firewall installation is not done in the correct sequence. The installation at that point is unusable.
The NSX firewall installation sequence should be as follows, with the Panorama portion done first and the NSX portion second:
1. On Panorama, create a device group, a template stack with at least one zone, Service Manager, and Service Definition.
2. On NSX, create a security group in Service Composer and a traffic redirect rule in Firewall > Partner security services.
Resolution
If the NSX firewall installation was done on VMware NSX first and then on Panorama, or in another incorrect sequence, the installation cannot be completed. Perform the following cleanup first.
On Panorama, delete all existing DG (Device Group), template, Service Manager, and Service Definition entries.
On the NSX client, delete the security group and the redirect rule.
Then recreate the configuration in the right sequence:
On Panorama:
1. Create a DG (Device Group).
2. Create a Template.
3. Make sure the template has a Zone.
4. Create a Service Manager.
5. Create a Service Definition.
6. Make sure it is in Sync.
On NSX Manager:
7. In Networking & Security > Service Composer, create a Security Group.
8. Create a redirection rule in Firewall > Partner security services.
9. Publish.
10. On Panorama, verify that the DAG is created in the Device Group's Objects.
Details of the steps can be found at the link "Create Templates and Device Groups on Panorama".