NSX-T Manager/Edge node user password is incorrectly reported to have expired
Article ID: 316668

Products

VMware NSX

Issue/Introduction

  • The NSX Manager or Edge node admin, root and/or audit account password has been set to never expire with the following command:
    #clear user <user> password-expiration
  • Log alerts are triggered indicating that the password has expired for these accounts. Reviewing the nsx-event.log, you can see alerts like the following:
    <179>1 2019-10-10T00:00:01.758Z edge1 NSX 10171 - [nsx@6876 comp="nsx-edge" subcomp="passwd_monitor" username="root" level="ERROR" eventId="vmwNSXPlatformPasswordExpiryStatus"] {"event_state": -114, "event_src_comp_id": "b406b7a7-d359-4c92-abbc-bf991f327e07", "event_sources": {"user_name": "root", "user_id": "0"}}
    <179>1 2019-10-10T00:00:02.020Z edge1 NSX 10171 - [nsx@6876 comp="nsx-edge" subcomp="passwd_monitor" username="root" level="ERROR" eventId="vmwNSXPlatformPasswordExpiryStatus"] {"event_state": -2, "event_src_comp_id": "b406b7a7-d359-4c92-abbc-bf991f327e07", "event_sources": {"user_name": "admin", "user_id": "10000"}}
  • Aria Operations for Networks raises alarms indicating that NSX user passwords have expired.

Environment

VMware NSX-T Data Center 2.x
VMware NSX-T Data Center
VMware NSX

Cause

The code logic that generates these alerts incorrectly flags accounts whose password policy is set to never expire (password_change_frequency of 0) as expired.
To validate the password expiration settings for a user:
#get user <user> password-expiration
For more detail, call the following API:
GET /api/v1/node/users
...
        {
            "username": "root",
            "status": "ACTIVE",
            "password_change_frequency": 0, -->> 0 here indicates the password is set to never expire
            "userid": 0,
            "last_password_change": 97,
            "full_name": "root"
        },
        {
            "username": "admin",
            "status": "ACTIVE",
            "password_change_frequency": 0, -->> 0 here indicates the password is set to never expire
            "userid": 10000,
            "last_password_change": 97,
            "full_name": ""
        },
        {
            "username": "audit",
            "status": "PASSWORD_EXPIRED", -->> here we can see the password for audit has expired
            "password_change_frequency": 90,
            "userid": 10002,
            "last_password_change": 97,
            "full_name": ""
        }
...

And to check for current alarms raised, you can use the following API:
GET /api/v1/hpm/alarms
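To separate the spurious alerts this bug produces from genuine expirations before clearing anything, the two data sources above can be cross-checked: an expiry event for an account whose password_change_frequency is 0 cannot be real. The following is an added example (not from the KB or from NSX); the user list and log lines are constructed to match the shapes shown above, and the triage labels are this example's own.

```python
import json
import re

# Constructed sample, abridged to the fields the check needs from GET /api/v1/node/users
NODE_USERS = [
    {"username": "root", "status": "ACTIVE", "password_change_frequency": 0, "userid": 0},
    {"username": "admin", "status": "ACTIVE", "password_change_frequency": 0, "userid": 10000},
    {"username": "audit", "status": "PASSWORD_EXPIRED", "password_change_frequency": 90, "userid": 10002},
]

# Constructed nsx-event.log lines in the format quoted in the Issue section
EVENT_LOG = """
<179>1 2019-10-10T00:00:01.758Z edge1 NSX 10171 - [nsx@6876 comp="nsx-edge" subcomp="passwd_monitor" username="root" level="ERROR" eventId="vmwNSXPlatformPasswordExpiryStatus"] {"event_state": -114, "event_src_comp_id": "b406b7a7-d359-4c92-abbc-bf991f327e07", "event_sources": {"user_name": "root", "user_id": "0"}}
<179>1 2019-10-10T00:00:02.020Z edge1 NSX 10171 - [nsx@6876 comp="nsx-edge" subcomp="passwd_monitor" username="root" level="ERROR" eventId="vmwNSXPlatformPasswordExpiryStatus"] {"event_state": -2, "event_src_comp_id": "b406b7a7-d359-4c92-abbc-bf991f327e07", "event_sources": {"user_name": "admin", "user_id": "10000"}}
<179>1 2019-10-10T00:00:02.310Z edge1 NSX 10171 - [nsx@6876 comp="nsx-edge" subcomp="passwd_monitor" username="root" level="ERROR" eventId="vmwNSXPlatformPasswordExpiryStatus"] {"event_state": -2, "event_src_comp_id": "b406b7a7-d359-4c92-abbc-bf991f327e07", "event_sources": {"user_name": "audit", "user_id": "10002"}}
"""

# Pull the eventId from the structured-data block and the JSON payload that follows it
EVENT_RE = re.compile(r'eventId="(?P<event_id>[^"]+)"\]\s*(?P<payload>\{.*\})\s*$')

def parse_expiry_events(log_text):
    """Return (user_name, event_state) for every password-expiry event in the log."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m or m.group("event_id") != "vmwNSXPlatformPasswordExpiryStatus":
            continue
        payload = json.loads(m.group("payload"))
        events.append((payload["event_sources"]["user_name"], payload["event_state"]))
    return events

def triage_expiry_alerts(users, log_text):
    """Label each alerted account: an account set to never expire cannot have a real expiry."""
    by_name = {u["username"]: u for u in users}
    verdicts = {}
    for user_name, _state in parse_expiry_events(log_text):
        user = by_name.get(user_name)
        if user is None:
            verdicts[user_name] = "unknown_user"      # not in the node user list; check manually
        elif user["password_change_frequency"] == 0:
            verdicts[user_name] = "false_positive"    # never-expire policy: the bug in this article
        elif user["status"] == "PASSWORD_EXPIRED":
            verdicts[user_name] = "genuine"           # API agrees the password really expired
        else:
            verdicts[user_name] = "review"            # alert and API status disagree for other reasons
    return verdicts
```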

Resolution

This issue is resolved in NSX-T Data Center 2.5.0.
Please note even though no new alerts will be raised, alerts triggered prior to upgrade to NSX-T Data Center 2.5.0 will persist.

NSX-T Data Center 2.5.1 automatically removes legacy alerts as part of the upgrade process.

Workaround:
If an upgrade is not possible, please contact Broadcom Support by opening a Support Request; a workaround can then be applied to clear the alerts.