Scripted cleanup of stale logical ports on NSX segments

Article ID: 324256

Products

VMware NSX, VMware NSX-T Data Center

Issue/Introduction

The purpose of this KB is to provide a script that can be used to clean up stale ports in NSX environments.

Environment

VMware NSX

Cause

Stale ports may arise in an environment for different reasons. Automatic handling is planned for a future version.

Resolution

This is a known issue impacting VMware NSX.

The following workaround procedures can be used to remove stale ports depending on the NSX release version.

NSX 3.2.1.x and higher

  1. Before proceeding, you must take an FTP-based backup of the NSX Manager and ensure the passphrase is known.
  2. On one NSX Manager, copy the attached file, logical-migration.jar, to the location /opt/vmware/upgrade-coordinator-tomcat/temp
  3. Run the script in dry run mode first, to see if it identifies stale logical ports (-DStaleLogicalPortCleanUp.dryRun=true).
    Replace AdminPassword in the command with the admin password for the system.

    #java -Xms5g -Xmx10g --add-opens=java.base/java.util=ALL-UNNAMED -Dcorfu-property-file-path=/opt/vmware/upgrade-coordinator-tomcat/conf/ufo-factory.properties -Djava.io.tmpdir=/opt/vmware/upgrade-coordinator-tomcat/temp -DLog4jContextSelector=org.apache.logging.log4j.core.async.AsyncLoggerContextSelector -Dlog4j.configurationFile=/opt/vmware/upgrade-coordinator-tomcat/conf/log4j2.xml -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.util.logging.config.file=/opt/vmware/upgrade-coordinator-tomcat/conf/logging.properties -Dnsx-service-type=nsx-manager -DStaleLogicalPortCleanUp.dryRun=true -DStaleLogicalPortCleanUp.userName=admin -DStaleLogicalPortCleanUp.password='AdminPassword'  -DStaleLogicalPortCleanUp.maxThreads=5  -DStaleLogicalPortCleanUp.batchSize=20  -DStaleLogicalPortCleanUp.maxTimeoutMinutes=30 -cp /opt/vmware/upgrade-coordinator-tomcat/temp/logical-migration.jar com.vmware.nsx.management.migration.impl.StaleLogicalPortCleanUp

    Note: On NSX 4.2.x, the first line of the output file has the warning "WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance."
    This can be safely ignored and does not impact the functionality.

  4. After confirming the stale logical ports, run the script again with the dry run flag set to false (-DStaleLogicalPortCleanUp.dryRun=false) to allow it to remove the stale logical ports.

    #java -Xms5g -Xmx10g --add-opens=java.base/java.util=ALL-UNNAMED -Dcorfu-property-file-path=/opt/vmware/upgrade-coordinator-tomcat/conf/ufo-factory.properties -Djava.io.tmpdir=/opt/vmware/upgrade-coordinator-tomcat/temp -DLog4jContextSelector=org.apache.logging.log4j.core.async.AsyncLoggerContextSelector -Dlog4j.configurationFile=/opt/vmware/upgrade-coordinator-tomcat/conf/log4j2.xml -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.util.logging.config.file=/opt/vmware/upgrade-coordinator-tomcat/conf/logging.properties -Dnsx-service-type=nsx-manager -DStaleLogicalPortCleanUp.dryRun=false -DStaleLogicalPortCleanUp.userName=admin -DStaleLogicalPortCleanUp.password='AdminPassword'  -DStaleLogicalPortCleanUp.maxThreads=5  -DStaleLogicalPortCleanUp.batchSize=20  -DStaleLogicalPortCleanUp.maxTimeoutMinutes=30 -cp /opt/vmware/upgrade-coordinator-tomcat/temp/logical-migration.jar com.vmware.nsx.management.migration.impl.StaleLogicalPortCleanUp

  5. Confirm stale logical ports have been removed.


NSX 3.1.x

  1. Before proceeding, you must take an FTP-based backup of the NSX Manager and ensure the passphrase is known.
  2. SSH as the root user to one of the NSX Managers.
  3. Copy both attached files, 'NSX-3.1.X-stale-lports-cleanup-v1.py' and 'apiclient.py', to the /root/ directory on any of the NSX Managers.
  4. Edit the script 'NSX-3.1.X-stale-lports-cleanup-v1.py' using the vi editor, add the password for the admin user between the quotes in the field _nsxPwd = "", and save the script.



  5. The script has 2 options, all segments or a single segment: type 'all' to check all segments, or enter the segment UUID to scan a single segment.
    • python NSX-3.1.X-stale-lports-cleanup-v1.py all
    • python NSX-3.1.X-stale-lports-cleanup-v1.py <Segment UUID>
    • The "python" in front of the script name designates Python as the interpreter, and the command must be run with the above syntax.



  6. The script asks whether to run in dry-run mode, with a y/n option: type "y" to check for stale ports using dry-run. Once stale ports are identified, run the script again and type "n" to clean them up.

Note: To find a segment UUID, on the NSX manager as admin user, run: get logical-switches


Security Only Environments

  1. From NSX 4.1.1, the following API is available for security-only deployments. If stale ports exist in a security-only environment, this API can be used to sync with the Compute Manager:

    POST /policy/api/v1/infra/sites/<site-id>/enforcement-points/<enforcement-point>/compute-managers/<compute-manager-id>/action/vds-full-sync

  2. To retrieve the Compute Manager ID run:

    GET /api/v1/fabric/compute-managers

  3. For example, the following API can be used when using the default site, enforcement point and Compute Manager ID 12345678-####-####-####-123456789123:

    POST /policy/api/v1/infra/sites/default/enforcement-points/default/compute-managers/12345678-####-####-####-123456789123/action/vds-full-sync

  4. Confirm if stale logical-ports are removed.
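
The security-only steps above as one script, added here as an example (it is not one of the attachments to this KB). It assumes HTTP basic authentication as admin, a manager certificate the client trusts, and a listing response with a "results" list of objects carrying "id" and "server"; the function names, the ID character checks and the sample listing are constructed for illustration.

```python
import base64, getpass, json, re, urllib.request

UUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*")  # assumed charset for site / enforcement point IDs

# Constructed sample of a GET /api/v1/fabric/compute-managers response (assumed shape).
SAMPLE_LISTING = {"result_count": 2, "results": [
    {"id": "0a1b2c3d-1111-2222-3333-444455556666", "server": "vc01.example.test"},
    {"id": "0a1b2c3d-7777-8888-9999-aaaabbbbcccc", "server": "vc02.example.test"}]}

def compute_manager_ids(listing):
    """Return the ID of every compute manager in a listing response."""
    return [cm["id"] for cm in listing.get("results", []) if "id" in cm]

def vds_full_sync_path(cm_id, site="default", enforcement_point="default"):
    """Build the vds-full-sync path, refusing values that could alter the URL."""
    if not UUID_RE.fullmatch(cm_id):
        raise ValueError(f"not a compute manager UUID: {cm_id!r}")
    if not (NAME_RE.fullmatch(site) and NAME_RE.fullmatch(enforcement_point)):
        raise ValueError("unexpected characters in site or enforcement point")
    return (f"/policy/api/v1/infra/sites/{site}/enforcement-points/"
            f"{enforcement_point}/compute-managers/{cm_id}/action/vds-full-sync")

def call(manager, method, path, user, password):
    """Send one request with HTTP basic auth; TLS verification stays on (default context)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{manager}{path}", method=method, headers={
        "Authorization": f"Basic {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        body = resp.read()
        return resp.status, (json.loads(body) if body else {})

def main():
    manager = input("NSX Manager FQDN: ").strip()
    password = getpass.getpass("admin password: ")  # prompted, never stored in the script or argv
    _, listing = call(manager, "GET", "/api/v1/fabric/compute-managers", "admin", password)
    for cm in listing.get("results", []):
        print(cm.get("id"), cm.get("server"))
    cm_id = input("Compute Manager ID to sync: ").strip()
    if cm_id not in compute_manager_ids(listing):
        raise SystemExit("ID is not in the listing returned by this manager")
    status, _ = call(manager, "POST", vds_full_sync_path(cm_id), "admin", password)
    print(f"vds-full-sync for {cm_id}: HTTP {status}")

if __name__ == "__main__":
    main()
```

The script syncs only the Compute Manager the operator selects from the listing, and the masked ID shown in the example step above is rejected because it is not a complete UUID.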

Additional Information

Note: Running this script on a Global Manager in a Federated environment will return results saying that no stale logical ports are found. The stale ports created for the Global segments will be automatically cleaned after cleaning the stale ports from the associated Local Manager.


Related Knowledge Base articles

Manual cleanup of stale ports is described in the KB "Steps to remove stale logical-port(s) in NSX-T after attempted delete".

Attachments

logical-migration.jar
NSX-3.1.X-stale-lports-cleanup-v1.py
apiclient.py