Layer 7 Virtual server status is down
Article ID: 306205
Updated On:
Products
Issue/Introduction
- Newly deployed Layer 7 Virtual server status is down, or virtual server status changes to down after adding the client certificate.
- The SNI certificate configured in the client SSL configuration of L7 virtual server have Common Names (CN) or Subject Alternative Names (SAN) exceeding 110 characters.
- From /var/log/syslog of the NSX-T Edge, you will see the following error message:
w###s####.##.###a.####d.#e NSX 2023043 LOAD-BALANCER [nsx@6876 comp="nsx-edge" subcomp="lb" s2comp="lb" level="FATAL"] [7######9-e###-###5-###2-c########892] could not build server_names_hash, you should increase server_names_hash_bucket_size: 128"
Environment
VMware NSX 4.x
VMware NSX-T Data Center 3.x
Cause
Resolution
Bucket size is being increased to 256 this can handle SNI CN/SAN length up to 238 characters
Important Notes:
-
If the Load Balancer is detached and re-attached, the value in
nginx.confwill revert to the default128. -
When restarting the LB container, a failover to the standby edge occurs. Therefore, this workaround must be applied on both active and standby edges to ensure continuity.
Workaround steps:
-
Access the LB container:
-
Find the container ID:
Look for the container running
nsx-edge-lb:current. -
Enter the container:
-
-
Back up the original template:
-
Modify the template:
-
Copy the backup for editing:
-
Make the file writable (if not already):
-
Edit the file:
Locate and change:
to:
-
Replace the original template:
-
-
Exit the LB container
-
Restart the LB container:
-
Verify:
-
Check the generated
nginx.confto confirm the updated value. -
Ensure the
nginxprocess restarted without errors.
-
Feedback
