NSX-T Federation sites are reporting: "Found 0 security policies and X groups on Global Manager for Local Manager at site"
search cancel

NSX-T Federation sites are reporting: "Found 0 security policies and X groups on Global Manager for Local Manager at site"

book

Article ID: 324388

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

Navigate to the Location Manager from the Global Manager UI and you can see the following alert on one or more sites: "Found X security policies and X groups on Global Manager for Local Manager at site <site_name>"

  • The same can be seen in the /var/log/gmanager/gmanager.log 
2021-01-10T13:27:06.202Z INFO http-nio-127.0.0.1-64440-exec-80 GmOnboardingConverter - POLICY [nsx@6876 comp="global-manager" level="INFO" reqId="########-####-####-####-########3ebb" subcomp="global-manager" username="admin"] toConfigOnboardingStatusDto: ConfigOnboardingStatus : ConfigOnboardingStatus [siteOnboardingStatus=SiteOnboardingStatus [siteId=Amsterdam, status=BLOCKED_CONFIG_CONFLICT_CHECK, siteBackupReference=, stateTransitions=[ALLOWED:1600800824441, BLOCKED_CONFIG_CONFLICT_CHECK:1610378826202, {cnt=2}]], ignoreStatus=false, supportedFeatures=null, unsupportedFeatures=null, importProgress=null, rollbackProgress=null, errors=[com.vmware.nsx.management.gm.onboarding.exceptions.ConfigOnboardingException: Found 0 security policies and 7 groups on Global Manager for Local Manager at site London. Please try again after removing site specific security policies and groups.]]
  • The following API is failing in "BLOCKED_CONFIG_CONFLICT_CHECK" status.
GET "global-manager/api/v1/global-infra/sites/Amsterdam/onboarding/status"
{
  "site_id" : "London",
  "status" : "BLOCKED_CONFIG_CONFLICT_CHECK",
  "details" : {
    "error_messages" : [ {
      "error_code" : 40013,
      "error_message" : "Found 0 security policies and 7 groups on Global Manager for Local Manager at site London. Please try again after removing site specific security policies and groups."
}



Environment

VMware NSX-T Data Center
VMware NSX
NAPP

Resolution

NSX UI updated:
  • Acknowledge option has been added to NSX-T 3.2.1 and versions forward, to allow the option to skip onboarding in the case of an import error.
How can it be avoided in future:
  • Consider and review for such a scenario in design phase.
Workaround for NSX-T versions prior:
  • As the alert is now apparent on impacted sites already onboarding, the following API calls can be used as a workaround to remove the alert from the UI.
GET https://{{ GM IP }}/global-manager/api/v1/global-infra/sites/London/onboarding/preferences

{
    "site_id": "London",
    "ignore_import": true,
    "resource_type": "SiteOnboardingPreference",
    "id": "/global-infra/sites/London/onboarding-preferences/default",
    "display_name": "/global-infra/sites/London/onboarding-preferences/default"
}
  • Change the "ignore_import" from true to false.
PUT https://{{ GM IP }}/global-manager/api/v1/global-infra/sites/London/onboarding/preferences

{
    "site_id": "London",
    "ignore_import": false,
    "resource_type": "SiteOnboardingPreference",
    "id": "/global-infra/sites/London/onboarding-preferences/default",
    "display_name": "/global-infra/sites/London/onboarding-preferences/default"
}

 

Additional Information

Impact/Risks:

There is no impact.

Powered by Wolken Software