Error: Unable to fetch TransportZoneListResultDto List from NSX, enforcement point default observed on Global Manager (Error code: 500139)
search cancel

Error: Unable to fetch TransportZoneListResultDto List from NSX, enforcement point default observed on Global Manager (Error code: 500139)

book

Article ID: 311857

calendar_today

Updated On: 04-07-2025

Products

VMware NSX

Issue/Introduction

  • The environment uses NSX Federation
  • Certificates were changed on the Local Manager(s)
  • The Global Manager UI shows an error message similar to the following:
    Error: Unable to fetch TransportZoneListResultDto List from NSX, enforcement point default. (Error code: 500139)

Environment

VMware NSX
VMware NSX-T Data Center

Cause

This issue occurs due to the Global Manager retaining the old thumbprint in place for the Local Manager, which no longer matches the new certificate in place on the Local Manager(s).

Resolution

This is a known issue impacting VMware NSX.

Workaround:

  1. Retrieve the Local Manager certificate thumbprint (SHA-256 Thumbprint):
    • Either from the Local Manager UI:
      1. Log in to the Local Manager UI.
      2. Navigate to "System" / "Appliances".
      3. Under "Show Details", click "Thumbprint".
      4. Copy the thumbprint.
    • Or from your browser (the instructions below are for Chrome and may be different on other browsers):
      1. Navigate to the Local Manager UI.
      2. Click the lock symbol in the address bar.
      3. Select "Connection is secure".
      4. Click "Certificate is valid".
      5. Copy the SHA-256 thumbprint for the Local Manager certificate.
      6. If the SHA-256 thumbprint is shown with spaces, remove all the spaces. For example:
        Before: 00 11 22 33 44 55 66 77 XX XX 00 AA BB CC XX XX XX 00 11 22 33 XX XX XX XX 88 99 00 AA BB CC DD
        After: 00112233445566XXXXXXXXXXBBCCDDEEFF0011223344556XXXXXXXXXXXBBCCDD
  2. Log in to the Global Manager.
  3. Navigate to "System" / "Location Manager".
  4. Select "Actions" / "Edit Settings" for the relevant Local Manager site (the one for which the thumbprint was retrieved above).
  5. Add the new thumbprint (without spaces) as SHA-256 Thumbprint along with the required password.
  6. Click "Check Version Compatibility" button in the same box.
  7. Click "Save".

Note: 

If you note that the SHA fingerprint for the relevant Local Manager matches (the one that was obtained via Local Manager UI -> System/Applicances -> Show Details). Begin with global manager rolling reboot, wait until GM cluster return from degraded state (ie all 3 nodes join to cluster) and repeat on LM cluster. 

Powered by Wolken Software