morpheus pointed us in the right direction. If you log in to vShield Manager and look at the firewall rules there, a "Deny" rule with the private/internal/translated IP is added for any NAT rule that exists (see screenshot attached). This, I'm assuming, is for security reasons during the upgrade, but it does not show up in vCloud Director (thus our confusion). After taking our appliances out of compatibility mode post-upgrade, the rules were still there. However, if we simply added an arbitrary firewall rule (doesn't matter what it does), the deny rules all disappeared. Then we just removed the junk rule. There may be cleaner/simpler ways to do this. I'm wondering if "redeploying" the vSE would fix it also - I'm guessing so - but I couldn't take the appliances offline in my case, so this solution worked (re-applying configuration may do the same as well).