Unable to Import LM Configuration into GM Due to Unsupported IDS/IPS and PI User Configurations



Article ID: 303355


Products

VMware NSX

Issue/Introduction

The objective of this article is to explain how two common blockers to LM onboarding can be identified, and to provide workarounds that enable LM object consumption into NSX-T Federation.

Symptoms:
After registering Local Manager appliances to the Global Manager, you see a red banner on the LM tile that states something like "Unable to import due to these unsupported features: (IDS, Principal Identity)"

Environment

VMware NSX-T Data Center

Cause

Enabling some features within NSX-T automatically creates objects that the feature requires in order to function properly.

When IDS is initially enabled, a default IDS Profile is configured on the LM so that it can be consumed should the administrator choose not to create a custom profile. When the LM configuration is imported into the GM, it is not sufficient to remove only the custom IDS configuration; this default IDS Profile must be removed as well to enable configuration onboarding.

Similarly, when NSX-Intelligence is deployed within the LM infrastructure, a Principal Identity (PI) user is configured within the users domain on the LM. This PI user is not supported for import into NSX-T Federation and will block the configuration onboarding.

Resolution

There is no resolution at this time.

Workaround:
To work around the IDS configuration blocker, use the following procedure:

First ensure that all custom IDS configuration has been removed from Distributed IDS/IPS > Rules and confirm that IDS is disabled on all clusters.

Navigate to Distributed IDS/IPS > Profiles and confirm there are no custom profiles configured.

Select the three-dot ellipsis next to the "DefaultIDSProfile" and choose Copy Path to Clipboard. The copied path is used in the following API call:
DELETE https://<LMfqdn>/policy/api/v1/infra/settings/firewall/security/intrusion-services/profiles/<profile-id>

The default IDS profile is now removed and no longer blocks LM configuration onboarding.

==================================================
To work around the PI user blocking configuration, use the following procedure:

Login to the LM with NSX-Intelligence appliance installed and navigate to System > Settings > User Management

Note the NSX-Intelligence Principal Identity user, which will be "nsx-intelligence". Perform an API GET against this user:
GET https://<LMfqdn>/api/v1/trust-management/principal-identities/<principal-identity-id>

Collect the username, node ID, and PEM formatted certificate from this PI user.

Login to the GM and navigate to System > Settings > User Management

Add a new user with the same configuration gathered from the LM above. With a matching user already configured within the GM, the LM configuration for the PI user is no longer marked as invalid for onboarding and should pass validation.

Run the following API call to further validate the LM readiness for import:
GET https://<GMfqdn>/global-manager/api/v1/global-infra/sites/<LMfqdnSuffix>/onboarding/feature-summary
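The following Python helper is an added example, not part of this article, covering both workarounds above: it builds the DELETE URL for the default IDS profile from the copied policy path, carries the username, node ID and PEM certificate from the LM principal identity into a body for the GM, and checks whether the GM already holds a matching user. It assumes the NSX-T PrincipalIdentity field names name, node_id, role and certificate_pem, the standard results list shape, and that Copy Path to Clipboard yields the policy path beginning with /infra/...; the sample JSON and FQDN are constructed.

```python
import json

# Constructed sample of GET /api/v1/trust-management/principal-identities/<id> on the LM.
# Field names follow the NSX-T PrincipalIdentity schema (assumed); all values are made up.
LM_PI = json.loads('''{
  "id": "pi-lm-0001",
  "name": "nsx-intelligence",
  "node_id": "11111111-2222-3333-4444-555555555555",
  "role": "enterprise_admin",
  "certificate_pem": "-----BEGIN CERTIFICATE-----\\nMIIBconstructed\\n-----END CERTIFICATE-----\\n"
}''')

IDS_PROFILE_PREFIX = "/infra/settings/firewall/security/intrusion-services/profiles/"


def profile_delete_url(lm_fqdn: str, copied_path: str) -> str:
    """DELETE URL for the default IDS profile, built from the path copied in the LM UI
    (assumed to be the policy path, i.e. IDS_PROFILE_PREFIX + <profile-id>)."""
    if not copied_path.startswith(IDS_PROFILE_PREFIX) or copied_path == IDS_PROFILE_PREFIX:
        raise ValueError("not an IDS profile path: " + copied_path)
    return f"https://{lm_fqdn}/policy/api/v1{copied_path}"


def gm_pi_body(lm_pi: dict) -> dict:
    """Body for creating the matching PI user on the GM. Carries over exactly the fields the
    article says to collect (username, node ID, PEM certificate) plus the role."""
    missing = [k for k in ("name", "node_id", "certificate_pem") if not lm_pi.get(k)]
    if missing:
        raise ValueError(f"LM principal identity is missing: {missing}")
    return {"name": lm_pi["name"], "node_id": lm_pi["node_id"],
            "role": lm_pi.get("role", "enterprise_admin"),
            "certificate_pem": lm_pi["certificate_pem"]}


def _norm_pem(pem: str) -> str:
    # Compare certificates by their base64 body only, ignoring header lines and wrapping.
    return "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))


def matching_gm_identity(lm_pi: dict, gm_list: dict):
    """Return the GM principal identity whose name, node ID and certificate all match the
    LM one, or None. gm_list is the JSON of GET .../principal-identities on the GM."""
    for pi in gm_list.get("results", []):
        if (pi.get("name") == lm_pi["name"] and pi.get("node_id") == lm_pi["node_id"]
                and _norm_pem(pi.get("certificate_pem", "")) == _norm_pem(lm_pi["certificate_pem"])):
            return pi
    return None


if __name__ == "__main__":
    print(profile_delete_url("lm.example.internal", IDS_PROFILE_PREFIX + "DefaultIDSProfile"))
    print(json.dumps(gm_pi_body(LM_PI), indent=2))
```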