Unable to configure NSX Identity Firewall due to sync issue between Local Manager and Global Manager
Article ID: 312605
Products
VMware NSX
Issue/Introduction
Symptoms:
You are running an NSX federated environment.
You may have recently off-boarded a Local Manager from the Global Manager.
In the Global Manager you may notice a discrepancy in the date/time shown under System --> Location Manager --> more info.
You are unable to configure Identity Firewall and receive an error in the NSX UI.
You may see an exception like the following in /var/log/proton:
2022-11-10T16:30:33.619Z WARN http-nio-127.0.0.1-7440-exec-36 NsxTrustManager 4305 SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" reqId="82dc4553-c11d-44df-af64-79b3c42b452a" subcomp="manager" username="admin"] Thumbprint mismatch for 8960e94973ff10c6b0ca35d812b8f147be91aef465078f63532c7227d2ebd1bc
2022-11-10T16:30:33.620Z WARN http-nio-127.0.0.1-7440-exec-36 NsxTRestClient 4305 POLICY [nsx@6876 comp="nsx-manager" level="WARNING" reqId="82dc4553-c11d-44df-af64-79b3c42b452a" subcomp="manager" username="admin"] REST API failed: /api/v1/directory/ldap-server?action=CONNECTIVITY POST DirectoryLdapServerDto{domainName='Domain-name.corp', host='hostname. Domain-name.corp', port='636', protocol='LDAPS', thumbprint='', username='username', super{ManagedResource{resourceType='null', aCreateUser='null', aCreateTime='null', aLastModifiedUser='null', aLastModifiedTime='null', aSystemOwned='null', aProtection='null', id='null', displayName='username.Domain-name.corp', description='null', tags='null', super{RevisionedResource{aRevision='null', super{Resource{aSelf='null', aLinks='null', aSchema='null'}}}}}}}
org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://<NSX-ManagerIP>/api/v1/directory/ldap-server": 8960e94973ff10c6b0ca35d812b8f147be91aef465078f63532c7227d2ebd1bc; nested exception is javax.net.ssl.SSLHandshakeException: 8960e94973ff10c6b0ca35d812b8f147be91aef465078f63532c7227d2ebd1bc
	at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:785) ~[?:?]
	at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:711) ~[?:?]
	at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:602) ~[?:?]
	at com.vmware.nsx.management.policy.policyframework.restutils.NsxTRestClient.sendRequest_aroundBody0(NsxTRestClient.java:161) ~[?:?]
	at com.vmware.nsx.management.policy.policyframework.restutils.NsxTRestClient$AjcClosure1.run(NsxTRestClient.java:1) ~[?:?]
	at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) ~[?:?]
	at io.micrometer.core.aop.TimedAspect.processWithTimer(TimedAspect.java:119) ~[?:?]
	at io.micrometer.core.aop.TimedAspect.ajc$inlineAccessMethod$io_micrometer_core_aop_TimedAspect$io_micrometer_core_aop_TimedAspect$processWithTimer(TimedAspect.java:1) ~[?:?
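A triage helper for the log excerpt above, added here as an example (it is not VMware tooling): it parses proton log lines with the layout shown and reports only requests where the NsxTrustManager thumbprint-mismatch warning and the failed ldap-server connectivity call share a reqId, which is the pairing that distinguishes this issue from an unrelated trust warning. The sample lines are constructed from the article's excerpt (DTO shortened, one unrelated warning with a different reqId added), and the line-layout regex is an assumption derived from that excerpt.

```python
# Added example (not VMware code): scan /var/log/proton output for the symptom
# pair in this article, the NsxTrustManager "Thumbprint mismatch" warning and the
# LDAP connectivity REST failure that shares its reqId.
import re
from collections import defaultdict

# Layout assumed from the log lines quoted in the article:
# <timestamp> <level> <thread> <logger> <pid> <subsystem> [nsx@6876 k="v" ...] <message>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+(?P<thread>\S+)\s+(?P<logger>\S+)\s+\d+\s+\w+\s+"
    r"\[nsx@6876(?P<sd>[^\]]*)\]\s+(?P<msg>.*)$"
)
REQID_RE = re.compile(r'reqId="([^"]+)"')
MISMATCH_RE = re.compile(r"Thumbprint mismatch for ([0-9a-f]{64})")
LDAP_FAIL_RE = re.compile(r"REST API failed: (/api/v1/directory/ldap-server\S*)")


def parse_line(line):
    """Split one proton log line into its fields, or return None for stack-trace
    and other continuation lines that do not carry the header."""
    m = LINE_RE.match(line)
    if not m:
        return None
    req = REQID_RE.search(m.group("sd"))
    return {
        "ts": m.group("ts"),
        "logger": m.group("logger"),
        "req_id": req.group(1) if req else None,
        "msg": m.group("msg"),
    }


def find_thumbprint_mismatches(lines):
    """Return one record per reqId that shows BOTH a NsxTrustManager thumbprint
    mismatch and a failed ldap-server connectivity call. Requiring both avoids
    flagging trust-manager warnings that have nothing to do with Identity Firewall."""
    by_req = defaultdict(dict)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["req_id"] is None:
            continue
        tp = MISMATCH_RE.search(rec["msg"])
        if tp and rec["logger"] == "NsxTrustManager":
            by_req[rec["req_id"]].update(ts=rec["ts"], thumbprint=tp.group(1))
        api = LDAP_FAIL_RE.search(rec["msg"])
        if api and rec["logger"] == "NsxTRestClient":
            by_req[rec["req_id"]]["api"] = api.group(1)
    return [
        {"req_id": rid, **info}
        for rid, info in by_req.items()
        if "thumbprint" in info and "api" in info
    ]


# Constructed sample: the two lines from the article (DTO shortened), one
# stack-trace continuation line, and one unrelated mismatch warning with a
# different reqId that must not be reported.
SAMPLE_LOG = [
    "2022-11-10T16:30:33.619Z WARN http-nio-127.0.0.1-7440-exec-36 NsxTrustManager 4305 SYSTEM "
    '[nsx@6876 comp="nsx-manager" level="WARNING" reqId="82dc4553-c11d-44df-af64-79b3c42b452a" '
    'subcomp="manager" username="admin"] Thumbprint mismatch for '
    "8960e94973ff10c6b0ca35d812b8f147be91aef465078f63532c7227d2ebd1bc",
    "2022-11-10T16:30:33.620Z WARN http-nio-127.0.0.1-7440-exec-36 NsxTRestClient 4305 POLICY "
    '[nsx@6876 comp="nsx-manager" level="WARNING" reqId="82dc4553-c11d-44df-af64-79b3c42b452a" '
    'subcomp="manager" username="admin"] REST API failed: '
    "/api/v1/directory/ldap-server?action=CONNECTIVITY POST DirectoryLdapServerDto{port='636', protocol='LDAPS'}",
    "\tat org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:785) ~[?:?]",
    "2022-11-10T16:31:02.004Z WARN http-nio-127.0.0.1-7440-exec-12 NsxTrustManager 4305 SYSTEM "
    '[nsx@6876 comp="nsx-manager" level="WARNING" reqId="00000000-0000-4000-8000-000000000001" '
    'subcomp="manager" username="admin"] Thumbprint mismatch for ' + "0" * 64,
]

if __name__ == "__main__":
    for hit in find_thumbprint_mismatches(SAMPLE_LOG):
        print(f"{hit['ts']} reqId={hit['req_id']} call={hit['api']} thumbprint={hit['thumbprint']}")
```

Feed it the real file contents (one string per line) instead of SAMPLE_LOG; stack-trace lines are skipped automatically because they lack the log header.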
Environment
VMware NSX-T 3.x and VMware NSX 4.x
Cause
This is due to a thumbprint mismatch between the Local Manager (LM) and the Global Manager (GM).
Resolution
This is a known issue impacting NSX-T Data Center.
Workaround: Use the policy cleanup API, run against the Local Manager, to remove any objects under /global-infra.
POST https://<LM>/policy/api/v1/troubleshooting/infra/tree/realization?action=cleanup
Body of the POST request:
{
  "paths": [
    "/global-infra/sites/nsx-lm-adc/enforcement-points/default"
  ]
}
Please verify that the Local Managers are synced to the Global Managers and that the sync date shown is recent.
If the date is not recent, please use the following API to force a full sync between the Local Manager and Global Manager. This API is run from the Local Manager.
POST https://<LM>/policy/api/v1/infra/full-sync-action?action=request_full_sync
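The workaround and the full-sync request above as a small Python client, added here as an example (it is not VMware's own tooling): it builds the two POST calls from this article in the order given, keeps TLS certificate verification on by pointing urllib at the Local Manager's CA bundle instead of disabling it, and defaults to a dry run that only lists what it would send. lm_host, the CA bundle path and the credentials are placeholders; the article's body names the site nsx-lm-adc, and the assumption here is that this segment is the affected location's name.

```python
# Added example (not VMware tooling): issue the two Local Manager API calls from
# this article in order, cleanup of the /global-infra subtree, then a full-sync
# request, with TLS verification kept on. Hostnames, credentials and the CA
# bundle path are placeholders.
import base64
import json
import ssl
import urllib.request

CLEANUP_PATH = "/policy/api/v1/troubleshooting/infra/tree/realization?action=cleanup"
FULL_SYNC_PATH = "/policy/api/v1/infra/full-sync-action?action=request_full_sync"


def cleanup_request(lm_host, site_id):
    """URL and JSON body of the cleanup POST. The article's body names the site
    'nsx-lm-adc'; assumption: that path segment is the affected location's name."""
    body = {"paths": [f"/global-infra/sites/{site_id}/enforcement-points/default"]}
    return f"https://{lm_host}{CLEANUP_PATH}", body


def full_sync_request(lm_host):
    """URL of the full-sync POST; the article gives it no request body."""
    return f"https://{lm_host}{FULL_SYNC_PATH}", None


def plan_workaround(lm_host, site_id):
    """The calls in the order the article gives them: cleanup, then full sync."""
    return [cleanup_request(lm_host, site_id), full_sync_request(lm_host)]


def post(url, body, username, password, ca_bundle, timeout=60):
    """POST with HTTP basic auth. Certificate verification stays enabled:
    ca_bundle is a PEM file holding the CA that signed the Local Manager's API
    certificate (assumed to have been exported beforehand). urllib raises
    HTTPError for 4xx/5xx, so a failed cleanup stops before the sync is requested."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode() if body is not None else b"",
        method="POST",
        headers={
            "Authorization": f"Basic {token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.status, resp.read().decode()


def run_workaround(lm_host, site_id, username, password, ca_bundle, dry_run=True):
    """Returns (url, body, http_status) per call; status is None in a dry run."""
    results = []
    for url, body in plan_workaround(lm_host, site_id):
        status = None
        if not dry_run:
            status, _ = post(url, body, username, password, ca_bundle)
        results.append((url, body, status))
    return results


if __name__ == "__main__":
    # Dry run against placeholder values; pass dry_run=False to send the calls.
    for url, body, status in run_workaround(
        "lm.example.internal", "nsx-lm-adc", "admin", "REPLACE_ME", "lm-ca.pem"
    ):
        print("POST", url, json.dumps(body) if body else "(no body)")
```

The article's check of the Location Manager date sits between the two calls, so in practice you may want to issue them separately: plan_workaround returns each (url, body) pair on its own for that purpose.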