Scripted cleanup of stale logical ports on NSX segments

Article ID: 324256


Products

VMware NSX
VMware NSX-T Data Center

Issue/Introduction

The purpose of this KB is to provide a script that can be used to clean up stale ports in NSX environments.

Environment

VMware NSX-T Data Center
VMware NSX

Cause

Stale ports may arise in an environment for different reasons. Automatic handling is planned for a future version.

Resolution

  • This issue is resolved in VMware NSX 4.2.0, available at Broadcom downloads.
  • If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.
  • The fix will prevent stale ports from getting created in NSX version 4.2.0 and above. If stale ports exist prior to the upgrade, the upgrade does not remove them and they will still require the below workaround.

 

Workaround

Security Only Environments

  • From NSX 4.1.1, the following API is available for security-only deployments. If the stale ports exist in a security-only environment, the following API can be used to sync with the Compute Manager:

POST /policy/api/v1/infra/sites/<site-id>/enforcement-points/<enforcement-point>/compute-managers/<compute-manager-id>/action/vds-full-sync

  • To retrieve the Compute Manager ID run:

GET /api/v1/fabric/compute-managers

  • For example, the following API can be used when using the default site, enforcement point and Compute Manager ID 12345678-####-####-####-123456789123:

POST /policy/api/v1/infra/sites/default/enforcement-points/default/compute-managers/12345678-####-####-####-123456789123/action/vds-full-sync

  • Confirm that the stale logical ports are removed.

 

NSX 3.2.1.x or above 

  • Before proceeding, you must take an FTP based backup of the NSX Manager and ensure the passphrase is known.
  • On one NSX Manager, copy the attached file, logical-migration.jar, to the location /opt/vmware/upgrade-coordinator-tomcat/temp
  • Run the script in read-only mode first (-DStaleLogicalPortCleanUp.dryRun=true) to see whether it identifies stale logical ports. In the field -DStaleLogicalPortCleanUp.password='AdminPassword', replace the value AdminPassword with the admin user's password. The command below is a single line:

    # java -Xms5g -Xmx10g --add-opens=java.base/java.util=ALL-UNNAMED -Dcorfu-property-file-path=/opt/vmware/upgrade-coordinator-tomcat/conf/ufo-factory.properties -Djava.io.tmpdir=/opt/vmware/upgrade-coordinator-tomcat/temp -DLog4jContextSelector=org.apache.logging.log4j.core.async.AsyncLoggerContextSelector -Dlog4j.configurationFile=/opt/vmware/upgrade-coordinator-tomcat/conf/log4j2.xml -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.util.logging.config.file=/opt/vmware/upgrade-coordinator-tomcat/conf/logging.properties -Dnsx-service-type=nsx-manager -DStaleLogicalPortCleanUp.dryRun=true -DStaleLogicalPortCleanUp.userName=admin -DStaleLogicalPortCleanUp.password='AdminPassword' -DStaleLogicalPortCleanUp.maxThreads=5 -DStaleLogicalPortCleanUp.batchSize=20 -DStaleLogicalPortCleanUp.maxTimeoutMinutes=30 -cp /opt/vmware/upgrade-coordinator-tomcat/temp/logical-migration.jar com.vmware.nsx.management.migration.impl.StaleLogicalPortCleanUp

 

  • After identifying the stale logical ports, run the script again with the dry run flag set to false (-DStaleLogicalPortCleanUp.dryRun=false) to allow it to remove the stale logical ports.

    # java -Xms5g -Xmx10g --add-opens=java.base/java.util=ALL-UNNAMED -Dcorfu-property-file-path=/opt/vmware/upgrade-coordinator-tomcat/conf/ufo-factory.properties -Djava.io.tmpdir=/opt/vmware/upgrade-coordinator-tomcat/temp -DLog4jContextSelector=org.apache.logging.log4j.core.async.AsyncLoggerContextSelector -Dlog4j.configurationFile=/opt/vmware/upgrade-coordinator-tomcat/conf/log4j2.xml -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.util.logging.config.file=/opt/vmware/upgrade-coordinator-tomcat/conf/logging.properties -Dnsx-service-type=nsx-manager -DStaleLogicalPortCleanUp.dryRun=false -DStaleLogicalPortCleanUp.userName=admin -DStaleLogicalPortCleanUp.password='AdminPassword' -DStaleLogicalPortCleanUp.maxThreads=5 -DStaleLogicalPortCleanUp.batchSize=20 -DStaleLogicalPortCleanUp.maxTimeoutMinutes=30 -cp /opt/vmware/upgrade-coordinator-tomcat/temp/logical-migration.jar com.vmware.nsx.management.migration.impl.StaleLogicalPortCleanUp

 

  • Confirm stale logical ports have been removed.
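
The two commands above differ only in the dryRun value, so they can be driven from one wrapper that prompts for the admin password instead of typing it on the command line, and that refuses to start the delete pass unless the dry run succeeded and was reviewed. This is an added example, not one of the KB attachments: the function names, the JAVA and LOG_DIR variables and the log file names are hypothetical, while the paths, class name and -D options are copied from the commands above.

```shell
#!/bin/sh
# Added example: wrapper around the KB's two java commands. Paths, class name
# and -D options come from the KB; function and log names are hypothetical.
UC=/opt/vmware/upgrade-coordinator-tomcat
JAVA=${JAVA:-java}            # overridable so the wrapper can be tested
LOG_DIR=${LOG_DIR:-.}

# run_cleanup <true|false> <admin-password>: run the tool with dryRun=$1.
run_cleanup() {
  case "$1" in true|false) ;; *) echo "dryRun must be true or false" >&2; return 2 ;; esac
  "$JAVA" -Xms5g -Xmx10g --add-opens=java.base/java.util=ALL-UNNAMED \
    "-Dcorfu-property-file-path=$UC/conf/ufo-factory.properties" \
    "-Djava.io.tmpdir=$UC/temp" \
    -DLog4jContextSelector=org.apache.logging.log4j.core.async.AsyncLoggerContextSelector \
    "-Dlog4j.configurationFile=$UC/conf/log4j2.xml" \
    -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
    "-Djava.util.logging.config.file=$UC/conf/logging.properties" \
    -Dnsx-service-type=nsx-manager \
    "-DStaleLogicalPortCleanUp.dryRun=$1" \
    -DStaleLogicalPortCleanUp.userName=admin \
    "-DStaleLogicalPortCleanUp.password=$2" \
    -DStaleLogicalPortCleanUp.maxThreads=5 \
    -DStaleLogicalPortCleanUp.batchSize=20 \
    -DStaleLogicalPortCleanUp.maxTimeoutMinutes=30 \
    -cp "$UC/temp/logical-migration.jar" \
    com.vmware.nsx.management.migration.impl.StaleLogicalPortCleanUp
}

main() {
  umask 077                   # keep the log files readable by this user only
  # Read the password with echo off so it is not saved in shell history or in
  # a script file. It is still visible in the process list while java runs.
  printf 'admin password: ' >&2
  stty -echo; IFS= read -r pw; stty echo; printf '\n' >&2
  # Dry run first; stop if it fails so the delete pass never runs blind.
  run_cleanup true "$pw" >"$LOG_DIR/stale-lport-dryrun.log" 2>&1 ||
    { echo "dry run failed, see $LOG_DIR/stale-lport-dryrun.log" >&2; return 1; }
  cat "$LOG_DIR/stale-lport-dryrun.log"
  printf 'Remove the stale ports reported by the dry run? [y/N] ' >&2
  read -r answer
  [ "$answer" = "y" ] || { echo "Stopped after dry run." >&2; return 0; }
  run_cleanup false "$pw" 2>&1 | tee "$LOG_DIR/stale-lport-cleanup.log"
}

# Defines functions only; pass --run to execute the procedure.
if [ "${1:-}" = "--run" ]; then main; fi
```

Save it on the NSX Manager and start it with the --run argument; the backup step and the final confirmation from the list above still apply.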

 

NSX 3.1.x

  • There are two Python scripts attached to the KB, 'NSX-3.1.X-stale-lports-cleanup-v1.py' and 'apiclient.py', which can be run to detect and clean up stale logical ports on NSX 3.1.x only.
  • The script will run in read-only mode and identify the ports which are stale. Review and verify the results, then run the script in update mode to clean up the identified stale ports.
  • Before proceeding, you must take an FTP based backup of the NSX Manager and ensure the passphrase is known.
  • SSH as the root user to one of the NSX Managers.
  • Copy both files ('NSX-3.1.X-stale-lports-cleanup-v1.py' and 'apiclient.py') to the /root/ directory.
  • Edit the script 'NSX-3.1.X-stale-lports-cleanup-v1.py' using the vi editor, add the password for the admin user inside the "" of the field _nsxPwd = "", and save the script.
  • The script has 2 options, all segments or a single segment: Type 'all' to check all segments. Enter the segment UUID to scan a single segment.
  • It will ask you if you wish to run in dry-run mode or not with y/n option: Type y to check for stale ports using dry-run. Once stale ports are identified, run again and type n to clean them up.
  • Run the script using the command:

python NSX-3.1.X-stale-lports-cleanup-v1.py

Note: To find a segment UUID, on the NSX manager as admin user, run: get logical-switches

Additional Information

Note: Running this script on a Global Manager in a Federated environment will return results saying that no stale logical ports are found. The stale ports created for the Global segments will be automatically cleaned after cleaning the stale ports from the associated Local Manager.


Related Knowledge Base articles

Manual port cleanup of stale ports can be found in KB - Steps to remove stale logical-port(s) in NSX-T after attempted delete

Attachments

logical-migration.jar
NSX-3.1.X-stale-lports-cleanup-v1.py
apiclient.py