Unable to deploy a vShield Edge device from vCloud Director or vShield Manager

Article ID: 309812

Products

VMware Cloud Director VMware NSX Networking VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • You are unable to deploy vShield Edge from vCloud Director.
  • You are unable to deploy vShield Edge from vShield Manager.
  • The vShield Edge device gets deployed to vCenter Server, but after 8-10 minutes it is deleted.
  • When you attempt to create a routed organization network, the vCloud Director logs (located at /opt/vmware/cloud-director/logs/ on 1.0.x and /opt/vmware/vcloud-director/logs/ on 1.5.x and 5.1.x) contain an error similar to:

    Failed to initialize shield appliance
    -HTTP/1.1 400 Bad Request
    Code : 70913, Description : Internal error in communication with edge: Please retry.


  • In the vShield Manager logs, you see entries similar to:

    EXCEPTION: com.bluelane.vfc.edge.exception.VixClientException,
    MESSAGE: Error while connecting to edge. Please retry.
    at com.bluelane.vfc.edge.VseVixAgent.handleResponse(VseVixAgent.java:684)
    at com.bluelane.vfc.edge.VseVixAgent.loginToVse(VseVixAgent.java:591)
    at com.bluelane.vfc.edge.VseVixAgent.processVixAgentError(VseVixAgent.java:515)
    at com.bluelane.vfc.edge.VseVixAgent.executeCommand(VseVixAgent.java:484)
    at com.bluelane.vfc.edge.VseVixAgent.execute(VseVixAgent.java:406)
    at com.bluelane.vfc.edge.VseService.getToolsStatus(VseService.java:799)
    at com.bluelane.vfc.edge.EdgeApplianceManager.waitForVMToolsToStartVix(EdgeApplianceManager.java:706)
    and
    localhost vShield_Edge_Vix_Client: [30459]: Error :: [], <vse vmx location> is not connected -- tools failed for (command-id : 9208)

    Note: For information on gathering logs from vShield Manager, see Overview of vShield logs (1026255).


Environment

VMware Cloud Director 5.1.x
VMware vCloud Networking and Security 5.5.x
VMware vShield Edge 5.0.x
VMware Cloud Director 1.0.x
VMware vShield 4.1.x
VMware Cloud Director 1.5.x
VMware vShield Edge 1.0.x
VMware vShield 5.0.x
VMware Cloud Director 5.5.x
VMware vCloud Networking and Security 5.1.x

Resolution

This issue can occur if port 902 is blocked. When the vShield Edge device is deployed, it is first deployed over port 443 and then converted to port 902. Without access to port 902, the vShield Edge device cannot be configured and is deleted from the vCenter Server after a set timeout period.

To resolve this issue, verify that port 902 is open from vCloud Director or vShield Manager to the VMkernel interface of the ESX/ESXi host.

If the vShield Edge device does not get deployed to the ESX/ESXi host, verify that port 443 is open between the vCloud Director or vShield Manager appliance and the VMkernel port of the ESX/ESXi host.

This requirement is stated in the vShield Administration Guide. vCloud Director and vShield Manager require these ports to be open:


Port             Description
TCP 902 & 903    Access to ESX/ESXi hosts
TCP 80 & 443     REST API
TCP 80 & 443     Graphical User Interface, connections to vSphere vCenter SDK
TCP 22           SSH access to the CLI (not enabled by default)
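
The following is an added example, not part of the original article or any VMware tooling: a small check that probes TCP 443 and 902 on each ESX/ESXi VMkernel address and maps the result to the two failure modes described above. It assumes Python 3 is available on the vCloud Director cell or on a machine in the same network path as vShield Manager; the function names and the script name are hypothetical.

```python
import socket
import sys

DEPLOY_PORT = 443   # initial vShield Edge deployment to the host (per the article)
CONFIG_PORT = 902   # connection used afterwards to configure the Edge (per the article)

def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP handshake with host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out, or name resolution failure
        return False

def diagnose(deploy_open, config_open):
    """Map the two port states to the symptom the article associates with each."""
    if not deploy_open:
        return "BLOCKED_443: Edge will not be deployed to the host"
    if not config_open:
        return "BLOCKED_902: Edge deploys, cannot be configured, is deleted after the timeout"
    return "OK: 443 and 902 reachable"

def check_hosts(hosts, probe=tcp_open):
    """Probe every VMkernel address and return {host: diagnosis}."""
    return {h: diagnose(probe(h, DEPLOY_PORT), probe(h, CONFIG_PORT)) for h in hosts}

if __name__ == "__main__":
    # Usage (hypothetical script name):
    #   python3 check_edge_ports.py <vmkernel-ip> [<vmkernel-ip> ...]
    results = check_hosts(sys.argv[1:])
    for host, verdict in results.items():
        print(f"{host}: {verdict}")
    # Non-zero exit status if any host has a blocked port
    sys.exit(0 if all(v.startswith("OK") for v in results.values()) else 1)
```

A successful connection only shows that the port is reachable from the machine running the check, so run it from the same source address that vCloud Director or vShield Manager uses.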



Additional Information


Overview of vShield logs