NSX V2T Host migration fails or gets stuck at 0%

Article ID: 319096

Products

VMware NSX

Issue/Introduction

Symptoms:

  • The status of the Overall Progress for Migrate Hosts is stuck at 0% and does not progress.
  • Hosts fail to get NSX-T VIBs during the V2T migration.
  • Error message on UI: Unexpected error while upgrading upgrade unit. Some error has occurred.


The following errors appear in migration-coordinator.log:

 

1-1-1 01:01:01Z ERROR task-executor-0-workitem-HOST-########-####-####-####-########299e:host-xx EsxUser 7795 SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP30519" level="ERROR" subcomp="migration-coordinator"] Create user nsxuser failed on host host-10 in vc com.vmware.vim.vmomi.client.http.impl.HttpClient@c2c523e : A general system error occurred: Weak password: too short. *** passwd: Authentication token manipulation error
com.vmware.vim.binding.vmodl.fault.SystemError: A general system error occurred: Weak password: too short. *** passwd: Authentication token manipulation error
 

Followed by:

1-1-1 01:01:01Z ERROR task-executor-0-workitem-HOST-########-####-####-####-########299e:host-10 WorkItem 7795 SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP30062" level="ERROR" subcomp="upgrade-coordinator"] Error encountered while upgrading upgrade unit abc123



Environment

VMware NSX-T Data Center

Cause

The NSX-T Manager relies on a user "nsxuser" to perform all NSX-T related tasks on the host.

During the V2T migration/upgrade process of an ESXi host, the NSX-T Manager needs to create a user in order to copy the VIBs. This user is "nsxuser". If the password policy on the NSX-T Manager is weaker than the password policy currently applied on the ESXi host, the user creation fails and the migration cannot proceed.

A Password Complexity Policy is defined on the ESXi host, and the default password character limit set by the NSX-T Migration Coordinator for nsxuser is 13 characters. If the 13-character password does not comply with the host's password complexity policy, the error above is thrown.

Resolution

This issue is resolved in NSX-T version 3.2.1.

Workaround:
  • As a workaround, change the Password Complexity Policy on the ESXi host to match the password character limit set for nsxuser by the Migration Coordinator.
  • In versions prior to NSX-T 3.2.1, the password character limit set for nsxuser by the Migration Coordinator is 13. If the customer has a strict policy with a password character limit greater than 13, it has to be modified to 13 characters or lower.

Starting with NSX-T version 3.2.1, the password character limit has been increased to 40.

(Note: the default ESXi 7.0 policy is retry=3 min=disabled,disabled,disabled,7,7)
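
The following pre-flight check is an added example, not part of the original article or of any VMware tooling. It parses a policy string in the format shown in the note above and compares it with the nsxuser character limit (13 before NSX-T 3.2.1, 40 from 3.2.1). The function names and sample policies are constructed, and comparing the largest enabled minimum is a conservative assumption, because the article does not say which character classes the generated password uses.

```shell
#!/bin/sh
# On a host, the current policy string can be read with:
#   esxcli system settings advanced list -o /Security/PasswordQualityControl

# Print the largest numeric value in the min=N0,N1,N2,N3,N4 field.
# "disabled" entries are skipped; prints nothing if no number is found.
strictest_min() {
    largest=""
    for token in $1; do
        case $token in
            min=*)
                old_ifs=$IFS; IFS=,
                for n in ${token#min=}; do
                    case $n in
                        ''|*[!0-9]*) continue ;;   # "disabled" or malformed
                    esac
                    if [ -z "$largest" ] || [ "$n" -gt "$largest" ]; then
                        largest=$n
                    fi
                done
                IFS=$old_ifs
                ;;
        esac
    done
    printf '%s' "$largest"
}

# Return 0 when the strictest minimum length fits within the limit ($2),
# 1 when the host policy needs review before the migration.
policy_fits_limit() {
    required=$(strictest_min "$1")
    [ -n "$required" ] || return 1     # no numeric minimum: review by hand
    [ "$required" -le "$2" ]
}

# Constructed sample policies: the ESXi 7.0 default and a stricter one.
for policy in "retry=3 min=disabled,disabled,disabled,7,7" \
              "retry=3 min=disabled,disabled,15,15,15"; do
    for limit in 13 40; do
        if policy_fits_limit "$policy" "$limit"; then
            echo "OK     limit=$limit  $policy"
        else
            echo "REVIEW limit=$limit  $policy"
        fi
    done
done
```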

Additional Information

Impact/Risks:
NSX V2T Migration will not proceed.