VMware NSX NDR (Network Detection and Response) UI returns 400 Bad Request: Request Header Or Cookie Too Large
search cancel

VMware NSX NDR (Network Detection and Response) UI returns 400 Bad Request: Request Header Or Cookie Too Large


Article ID: 322654


Updated On:


VMware NSX Networking


  • You are running any VMware NSX version between 3.2 to 4.1.2.
  • You have configured VMware NSX integration with LDAP or vIDM and are logged in with one of these users.
  • When accessing the NDR pages of the VMware NSX UI, it fails to load and displays a 400 Bad Request Request Header Or Cookie Too Large nginx/1.18.0 (Ubuntu) like below:
  • The same error may also be seen in other UI pages for NSX Malware Prevention.


VMware NSX-T Data Center
VMware NSX-T Data Center 4.x
VMware NSX-T Data Center 3.x


This issue is caused by large HTTP header size which the NDR components cannot process.
It occurs when a LDAP or vIDM user is part of many groups.


This is a known issue impacting VMware NSX.


To work around this issue on an NSX installation, we will need to edit the configuration of two kubernetes "deployment" objects in the NSX Application Platform, in the nsxi-platform namespace:

  • cloud-connector-proxy
  • cloud-connector-file-server

Both of these deployments include an nginx server, that by default supports a maximum request header size of 8k.
To increase this limit to e.g. 32k, we need to add the "large_client_header_buffers" option to the nginx configuration.

In the commands below, the location of the <kubeconfig file> may vary depending on where NAPP was deployed.
It may be /config/vmware/napps/.kube/config on the NSX manager.
When NAPP is deployed, the napp-k alias should be setup and can be used instead on the NSX-T manager as root user, substitute 'kubectl --kubeconfig <kubeconfig file>' in the below commands with 'napp-k' if using napp-k.

Before making changes to the deployments, we will save a copy of their current configuration to the file system:

kubectl --kubeconfig <kubeconfig file> -n nsxi-platform get deploy cloud-connector-proxy -o yaml > cloud-connector-proxy.orig.yaml
kubectl --kubeconfig <kubeconfig file> -n nsxi-platform get deploy cloud-connector-file-server -o yaml > cloud-connector-file-server.orig.yaml

For this, we will apply the same change to both deployments, by using the "kubectl edit deploy" command:
kubectl --kubeconfig <kubeconfig file> -n nsxi-platform edit deploy cloud-connector-proxy
kubectl --kubeconfig <kubeconfig file> -n nsxi-platform edit deploy cloud-connector-file-server

Each of these commands will open an editor that allows us to modify the deployment.
In both of these deployments, we should modify the section TILLER_YAML_PROXY_NGINX_SETTINGS, adding the following two lines:
  large_client_header_buffers: "4 32k"

In context, the modified section will look like this:
    value: |
              large_client_header_buffers: "4 32k"
            server_name: "cloud-connector-file-server"

Note: Make sure to indent the added lines correctly (with "service_configs" at same level as "server_name").

After the edits are saved, these deployments will be automatically restarted.
Once the restart is complete the symptoms should be resolved.

Note: This workaround may be reverted by certain configuration changes or upgrade operations, in which case it would need to be applied once again.