Cannot access a new NSX Manager for restoring from backup

Products

VMware NSX

Issue/Introduction

After a new NSX Manager is deployed from OVA so that it can be restored from backup files, users cannot access the web UI of this new NSX Manager.

Environment

VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.4.x

Cause

An existing distributed firewall rule, pushed to the host by the old NSX Manager, blocks web access to the new NSX Manager, because the new appliance is not part of the exclusion list defined in the distributed firewall policy.
 

Resolution

This is known behavior of the distributed firewall in NSX for vSphere.

To avoid this issue, define the following rules in the distributed firewall before the old NSX Manager fails.
 
Source           | Destination      | Service      | Action | Applied To
-----------------+------------------+--------------+--------+---------------------
IP_NSX Manager   | vCenter Server   | HTTP, HTTPS  | Allow  | Distributed Firewall
IP_NSX Manager   | FTP/SFTP Server  | 21/ftp, SSH  | Allow  | Distributed Firewall
IP_ESXi Hosts    | IP_NSX Manager   | 5671/tcp     | Allow  | Distributed Firewall
Client           | IP_NSX Manager   | HTTP, HTTPS  | Allow  | Distributed Firewall
IP_NSX Manager   | DNS Server       | DNS          | Allow  | Distributed Firewall
 
If this issue occurs, use the following steps as a workaround.
  1. Log in through SSH as root to the ESXi host on which the new NSX Manager is running.
  2. Stop the distributed firewall on that host with the command "/etc/init.d/vShield-Stateful-Firewall stop".
  3. Power off the new NSX Manager VM and power it on again.
  4. Run "summarize-dvfilter" or "vsipioctl getfilters" to find the name of the filter protecting the new NSX Manager VM. The filter name starts with nic-, for example nic-12345-eth0-vmware-sfw.2.
  5. Run "vsipioctl getrules -f filter-name" to display the firewall ruleset applied by that filter. With vShield-Stateful-Firewall stopped, the output should be "No rules."
  6. The client can now access the NSX Manager web UI.
  7. After the restore completes, start the firewall again on the ESXi host with "/etc/init.d/vShield-Stateful-Firewall start" and force a sync from the vSphere Web Client.
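As an added example (not part of the KB article), a small POSIX shell helper that scripts steps 4 and 5 above: it reads the output of summarize-dvfilter to find the vmware-sfw filter of the new NSX Manager VM and counts the rules returned by vsipioctl getrules, so the "No rules." state can be verified before trying the web UI. The output layouts, the VM name NSX-Manager and the function names are assumptions; all sample text is constructed.

```shell
#!/bin/sh
# Added helper (not from the KB article) for steps 4 and 5 of the workaround.
# It parses the text printed by "summarize-dvfilter" and "vsipioctl getrules";
# the layouts are assumptions modelled on typical ESXi output, samples constructed.

# Print the vmware-sfw filter name(s) of one VM. Reads summarize-dvfilter output
# on stdin; $1 is the VM name as shown after "vmm0:" in its "world" line.
sfw_filter_for_vm() {
  awk -v vm="$1" '
    /^world /                                { inworld = ($3 == ("vmm0:" vm)) }
    inworld && /^ *name: nic-.*-vmware-sfw/  { print $2 }
  '
}

# Count rules in "vsipioctl getrules -f <filter>" output read on stdin.
# Prints 0 when the firewall is stopped (output is "No rules."), otherwise
# the number of "rule <id> at <n> ... ;" lines in the rulesets.
count_dfw_rules() {
  awk '/^ *rule [0-9]+ at /{ n++ } END { print n + 0 }'
}

# On the ESXi host: report the rule count of every sfw filter of VM $1, e.g.
#   check_nsx_manager_filter NSX-Manager
check_nsx_manager_filter() {
  summarize-dvfilter | sfw_filter_for_vm "$1" | while read -r f; do
    printf '%s: %s rule(s)\n' "$f" "$(vsipioctl getrules -f "$f" | count_dfw_rules)"
  done
}

# Constructed sample of summarize-dvfilter output (vcUuid fields omitted).
SAMPLE_DVFILTER='world 2166962 vmm0:NSX-Manager
 port 50331655 NSX-Manager.eth0
  vNic slot 2
   name: nic-2166962-eth0-vmware-sfw.2
   agentName: vmware-sfw
world 2166970 vmm0:web-01
 port 50331656 web-01.eth0
  vNic slot 2
   name: nic-2166970-eth0-vmware-sfw.2
   agentName: vmware-sfw'

# Constructed samples of vsipioctl getrules output, firewall running and stopped.
SAMPLE_RULES_ACTIVE='ruleset domain-c7 {
  # Filter rules
  rule 1007 at 1 inout protocol tcp from any to ip 192.0.2.10 port 443 drop;
  rule 1001 at 2 inout protocol any from any to any accept;
}'
SAMPLE_RULES_STOPPED='No rules.'
```

Run check_nsx_manager_filter on the ESXi host after step 2; a non-zero rule count for the NSX Manager filter means the firewall is still enforcing rules on that VM.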