Open vTechworld opened 6 years ago
I think I am hitting the same issue. The rule causing the issue with my environment is rule 10463 at 25 in protocol tcp from addrset ip-securitygroup-395 to addrset ip-securitygroup-386 port 21 accept with log as ftp;. It looks like the regex $RegexDFWRule in the ParseCentralCliResponse function doesn't match because of the "as ftp" in the rule. In vCenter, I don't see where (or how) this is even set.
This https://github.com/umich-vci/powernsx/commit/2164f64ebe23a56da68a5b2c414102d3198b1f08 seems to fix the issue for me, but I would not claim to be a regex expert.
Thanks! Will take a look and update in next version.
Hi Bradford, any update on this Get-NsxCliDfwRule issue? If this has been fixed, could you please let me know?
I need to get it. Or is there any optional command so that I can get the rules applied for VMs?
What's the goal, @vTechworld? The only way to see rules applied on the datapath is using the Get-NsxCliDfwRule cmdlet, but if you just want to understand what rule will apply to a given VM, use Get-NsxFirewallRule -Source/Destination ($vm).
This uses the native NSX translation APIs rather than some hacky regex parser I wrote a few years ago and instantly regretted (that uses an API that returns just text, not structured data).
And this hasn't yet been fixed, but will be considered in next release.
Hi Bradford, thanks for the update. We are planning to migrate 100s of VMs into a different cloud DC, and we need to know all the rules applied to each VM so that it will be easy for us to add the rules in the cloud DC,
and the Get-NSXCLiDfwRule cmdlet is not working with these parameters: get-vm vmname | Get-NSXCLiDfwRule | ft -wrap -autosize
Has this command been fixed?
Hi, I am running the command Get-VM LJLN2PDAS0001 | Get-NsxCliDfwRule | ft -wrap -autosize and getting an error. Please help me with how this can be fixed.
Get-VM : 2/1/2018 2:51:19 PM Get-VM [Invoke-NsxCli][ERROR] Unable to execute Centralized CLI query. Unable to parse Centralised CLI output line : rule_2693_at_90_inout_protocol_tcp_from_addrset_ip-ipset-63_to_addrset_ip-ipset-5_port_21_accept_as_ftp;.Exception.Message. Try re-running command with the -RawOutput parameter. At line:1 char:1
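The parse failure discussed in this thread, as an added example that is not PowerNSX code and not part of any post above: a PowerShell parser for the two rule lines quoted in the thread that treats the trailing "with log" and "as ftp" tokens as optional and returns unparsed lines as objects instead of aborting. The pattern, the function name ConvertFrom-DfwRuleLine and the property names are assumptions of this example, and the grammar is inferred only from those two lines.

```powershell
# Added example, not PowerNSX code. Grammar inferred only from the two rule
# lines quoted in this thread; names below are this example's own.
$DfwRulePattern = '^rule[ _](?<id>\d+)[ _]at[ _](?<pos>\d+)' +
    '[ _](?<dir>inout|in|out)' +             # "out" is assumed, not seen in the thread
    '[ _]protocol[ _](?<proto>[^ _]+)' +
    '[ _]from[ _](?<src>.+?)[ _]to[ _](?<dst>.+?)' +
    '(?:[ _]port[ _](?<port>\d+))?' +
    '[ _](?<action>[a-z]+)' +
    '(?<log>[ _]with[ _]log)?' +             # optional logging flag
    '(?:[ _]as[ _](?<alg>[^ _;]+))?' +       # optional "as ftp" suffix
    ';$'

function ConvertFrom-DfwRuleLine {
    param([Parameter(Mandatory)][string[]]$Line)
    foreach ($l in $Line) {
        $text = $l.Trim()
        if ($text -match $DfwRulePattern) {
            [pscustomobject]@{
                Parsed    = $true
                RuleId    = [int]$Matches['id']
                Position  = [int]$Matches['pos']
                Direction = $Matches['dir']
                Protocol  = $Matches['proto']
                Source    = $Matches['src']
                Dest      = $Matches['dst']
                Port      = if ($Matches.ContainsKey('port')) { [int]$Matches['port'] } else { $null }
                Action    = $Matches['action']
                Log       = $Matches.ContainsKey('log')
                Alg       = $Matches['alg']   # $null when no "as <name>" suffix
                Raw       = $text
            }
        } else {
            # Keep the raw line so a rule inventory never silently loses an entry.
            [pscustomobject]@{ Parsed = $false; Raw = $text }
        }
    }
}

# Constructed sample input: the two rule lines quoted in this thread plus a
# line that is not a rule, to show the unparsed path.
$sample = @(
    'rule 10463 at 25 in protocol tcp from addrset ip-securitygroup-395 to addrset ip-securitygroup-386 port 21 accept with log as ftp;'
    'rule_2693_at_90_inout_protocol_tcp_from_addrset_ip-ipset-63_to_addrset_ip-ipset-5_port_21_accept_as_ftp;'
    'not a rule line'
)
$rules = ConvertFrom-DfwRuleLine -Line $sample
$rules | Where-Object Parsed | Format-Table RuleId, Direction, Port, Action, Log, Alg -AutoSize
$rules | Where-Object { -not $_.Parsed } | Select-Object -ExpandProperty Raw
```

Listing the unparsed lines separately makes it visible when a rule was skipped, which matters when the output is used to rebuild firewall policy elsewhere.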