NSX-T Edge In Pending Registration Status -- Manager Sends Wrong Thumbprint
Article ID: 325719
Updated On:
Products
VMware NSX Networking
Issue/Introduction
When adding a new NSX-T edge to your environment form within the NSX-T UI, the deployment gets stuck in "Pending Registration" status.
Attempts to register the edge manually succeed but result in a duplicate edge node entry.
The NSX Manager's certificate was recently updated.
Attempts to register the edge manually succeed but result in a duplicate edge node entry.
The NSX Manager's certificate was recently updated.
Environment
VMware NSX-T Data Center
VMware NSX-T Data Center 2.x
VMware NSX-T Data Center 2.x
Resolution
In examining the /var/log/ join_mp.log on the edge, you notice that the edge is using an incorrect thumbprint to join to the management plane:
root@nsxtedge5:/var/log# cat join_mp.log
% Unknown error occurred
cmd: su admin -c join management-plane 10.219.40.78 thumbprint ee33db46121acb15b9f78c516055d3077d12cf06b5108e426582b766f957c53f token 7212bcb0-3e3f-4918-ab96-4f4f7965b27e node-uuid c489f8ce-af26-476c-a29f-b8df95115679
rc: 4
You can verify that the thumbprint you see in the edge logs is incorrect by comparing it to the output of the "get certificate api thumbprint" command on the NSX-T manager or using the web interface:
The NSX Manager's certificates were recently updated, and NSX Manager was not rebooted. In this case, the edge is using the older thumbprint to attempt to register to the Management Plane.
When the API certificate is changed on a manager, we automatically restart the reverse proxy, and the new certificate is used. However, the API /api/v1/cluster/nodes/self continues to show the old certificate and thumbprint. This file caches the thumbprint upon startup.
You can workaround this issue by performing either of the two steps:
a) Restart the Proton Service on the NSX Manager with the following command:
restart service manager
or
b) Reboot NSX-T Manager
root@nsxtedge5:/var/log# cat join_mp.log
% Unknown error occurred
cmd: su admin -c join management-plane 10.219.40.78 thumbprint ee33db46121acb15b9f78c516055d3077d12cf06b5108e426582b766f957c53f token 7212bcb0-3e3f-4918-ab96-4f4f7965b27e node-uuid c489f8ce-af26-476c-a29f-b8df95115679
rc: 4
You can verify that the thumbprint you see in the edge logs is incorrect by comparing it to the output of the "get certificate api thumbprint" command on the NSX-T manager or using the web interface:
The NSX Manager's certificates were recently updated, and NSX Manager was not rebooted. In this case, the edge is using the older thumbprint to attempt to register to the Management Plane.
When the API certificate is changed on a manager, we automatically restart the reverse proxy, and the new certificate is used. However, the API /api/v1/cluster/nodes/self continues to show the old certificate and thumbprint. This file caches the thumbprint upon startup.
You can workaround this issue by performing either of the two steps:
a) Restart the Proton Service on the NSX Manager with the following command:
restart service manager
or
b) Reboot NSX-T Manager
Feedback
Yes
No
Powered by
