Connectivity lost to vCenter and/or NSX manager VM with Embedded NSX/vSphere Plugin
search cancel

Connectivity lost to vCenter and/or NSX manager VM with Embedded NSX/vSphere Plugin

book

Article ID: 322466

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

Symptoms:
  • NSX-T Data Center versions 3.2.0, 3.2.1.
  • VMware NSX versions 4.0 and 4.1.
  • You have deployed NSXe, this is Embedded NSX installed in vSphere as a Plugin.
  • You are using security only.
  • The vCenter server is on a distributed portgroup.
  • Connectivity is lost to the vCenter server and/or NSX manager VM once the cluster is prepared for security.


Environment

VMware NSX-T Data Center

Cause

When the vCenter server and/or the NSX-T manager are on a Distributed portgroup which is part of the cluster which is being prepared, if the default rule is drop and these VM's have not been given specific permissions to communicate on the Distributed firewall, communications fail, as the traffic will hit the default drop rule.

Resolution

This is a known issue impacting NSXe deployments.

Workaround:
During NSX install on the Distributed switch and creation of firewall rules step, we need to add the vCenter and NSX-T manager(s) to the DFW exclusion list using the following process in the NSX-T UI:
  • Under Inventory - Tags, create a new tag, for example called 'NSXe_Sytem_VM_Tag' and add both vCenter and NSX manager VMs to it.
  • Under Inventory - Groups, create a new group, for example called 'NSXe_System_VM_Group'.
  • For the new group, Set Members - Membership Criteria - Virtual Machine - Tag - Equals - NSXe_System_VM_Tag
  • Under Security - Distributed Firewall - Actions - Exclusion List , add the created group to exclusion list.

Then proceed to Firewall creation step in NSXe UI security workflow.

Additional Information

Impact/Risks:
Connectivity to vCenter and/or NSX manager VM are impacted.