Symptoms:
This has been seen to happen when the credentials and/or thumbprint are incorrect between the management plane nodes, these are stored in the manager: mpaconfig.json file for the impacted NSX-T manager node:
"SharedSecret": "DZ[...]QT",
"RmqClientType": "cvn-mp-mpa",
"AccountName": "cvn-mp-mpa-7552d960-xxxx-xxxx-xxxx-4be07a855b34",
"RmqBrokerCluster": [
{
"BrokerFqdn": "",
"BrokerIpAddress": "192.168.120.1",
"BrokerPort": "5671",
"BrokerVirtualHost": "nsx",
"BrokerSslCertThumbprint": "81[...]FE",
"BrokerIsMaster": "TRUE"
This issue is resolved in NSX-T 2.5.x
Workaround:
To resolve the first issue where the credentials are incorrect we run the following commands.
Log into the impacted NSX-T manager node as root, the below command will restore the mpa configuration file (mpaconfig.json) to default values:
Then we restart the cluster boot manager service, this will cause a fresh pull down of the correct credentials from corfu:
After this step we may still encounter issues, this is usually due to the thumbprint being incorrect, as we see in the log sample from above:
To resolve this we need to log in as root on the impacted NSX-T manager node, run the following command:
From the resulting file /tmp/cluster_node.out, we need to search it and find the account name and thumbprint for this impacted node.
Note: The REST API will return data for all 3 manager nodes.
For account name, look for this managers IP address and under this you should then see mgmt_cluster_listen_addr like this and associated port ID 0:
We see above manager 192.168.120.1 has an account name: cvn-mp-mpa-64f03c82-xxxx-xxxx-xxxx-8bfc105073b7
Take note of this account name for later.
Then we need to find the thumbprint for this impacted NSX-T manager node, look for the IP address of the impacted manager and then under it port 5671, this will be followed by a PEM certificate, under that will be a thumbprint, see below example:
From above sample we need the thumbprint: 60[...]3d
Now backup the current mpaconfig.json file:
Next edit the mpaconfig.json file and correct the account name and thumbprint to match the ones we collected in above steps
When complete, save and quit:
Then restart the nsx-mpa service so the changes will take affect: