Layer 7 Virtual server status is down
search cancel

Layer 7 Virtual server status is down

book

Article ID: 306205

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

Symptoms:
  • Newly deployed Layer 7 Virtual server status is down, or virtual server status changes to down after adding the client certificate.
  • Certificates associated with affected Virtual server have Long Common Names (CN) or Subject alt name(SAN) -- more than 46 characters.

 From /var/log/syslog of the NSX-T Edge, you will see the following error message:
  
  <25>1 2019-03-12T23:26:13.598286+00:00 ESG-106 NSX 16026 LB [nsx@6876 comp="nsx-edge" subcomp="nsx-edge-lb.lb_log" level="FATAL"] [bfa0690c-3a6d-48c3-####-###########] [emerg] 16026#0: could not build server_names_hash, you should increase server_names_hash_bucket_size: 64

Environment

VMware NSX-T Data Center

VMware NSX-T Data Center 2.4

VMware NSX-T Data Center 2.x

Cause

The Default Server name hash bucket is unable to process the long Common Name of the certificate. Because of this, the nginx load balancer service fails to start.

Resolution

This is a known issue in NSX-T 2.4.0. Currently, there is no resolution.

Workaround:
1. Login to Edge Gateway as Root.

2. Edit the following file:
 
      /opt/vmware/nsx-edge/bin/lbconf.template
   
3. Edit "/opt/vmware/nsx-edge/bin/lbconf.template" and add the following entries in the file:
      
    http {
    server_names_hash_bucket_size 128;   ---------------------->>>>>>>  Add this entry
 server_tokens off;
 

4. Detach and then re-attach the Virtual Server. If you have Ingress service enabled, delete and then re-add the service.


Note: If there are multiple edges, then the config need to be updated on all the edges.