ESXi host fails to connect with the NSX controllers

Article ID: 339145

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • ESXi host is unable to connect to the Control Plane.
     
  • In the netcpa.log file, you see entries similar to:

    2017-06-07T00:47:56.461Z error netcpa[37140B70] [Originator@6876 sub=Default] SSL handshake failed on 172.16.0.11:0 : error = SSL Exception: error:140000DB:SSL routines:SSL routines:short read
    2017-06-07T03:17:57.439Z error netcpa[37603B70] [Originator@6876 sub=Default] SSL handshake failed on 172.16.0.11:0 : error = SSL Exception: error:140000DB:SSL routines:SSL routines:short read
    2017-06-07T06:17:58.561Z error netcpa[37181B70] [Originator@6876 sub=Default] SSL handshake failed on 172.16.0.10:0 : error = SSL Exception: error:140000DB:SSL routines:SSL routines:short read
    2017-06-07T07:47:59.128Z error netcpa[36D81B70] [Originator@6876 sub=Default] SSL handshake failed on 172.16.0.11:0 : error = SSL Exception: error:140000DB:SSL routines:SSL routines:short read

     
  • In the vsm.log file, you see entries similar to:

    2017-06-06 17:10:50.785 GMT+00:00 ERROR NVPStatusCheck NvpRestClientManagerImpl:794 - nvp controller node (172.16.0.10) return error org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://172.16.0.10:443/ws.v1/control-cluster/node?fields=cluster_mgmt_listen_addr,uuid,tags": Read timed out; nested exception is java.net.SocketTimeoutException: Read timed out

    2017-06-06 17:11:00.811 GMT+00:00 ERROR NVPStatusCheck NvpRestClientManagerImpl:794 - nvp controller node (172.16.0.9) return error
    org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://172.16.0.9:443/ws.v1/control-cluster/node?fields=cluster_mgmt_listen_addr,uuid,tags": Read timed out; nested exception is java.net.SocketTimeoutException: Read timed out

    2017-06-06 17:11:07.707 GMT+00:00 ERROR NVPInactiveNodeCheck NvpRestClientManagerImpl:891 - nvp controller node 172.16.0.10 fails: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://172.16.0.10:443/ws.v1/login": Connect to 172.16.0.10:443 [/172.16.0.10] failed: connect timed out; nested exception is org.apache.http.conn.ConnectTimeoutException: Connect to 172.16.0.10:443 [/172.16.0.10] failed: connect timed out

    2017-06-06 17:11:10.818 GMT+00:00 ERROR NVPStatusCheck NvpRestClientManagerImpl:794 - nvp controller node (172.16.0.11) return error
    org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://172.16.0.11:443/ws.v1/control-cluster/node?fields=cluster_mgmt_listen_addr,uuid,tags": Read timed out; nested exception is java.net.SocketTimeoutException: Read timed out

     
  • In the Controller logs, you see entries similar to:

    2017-06-06 18:32:50,347 19123181348 [listener] INFO com.vmware.controller.server.Listener - Accept Connection [ip=172.24.2.26:46115, cnnId=21264] from /172.24.2.26:46115
    2017-06-06 18:32:50,357 19123181358 [reader 3] ERROR com.vmware.controller.server.ssl.SelfSignedX509TrustManager - Unknow chassis certificate: [
    [
    Version: V3
    Subject: CN="VMWare VXLAN Host Certificate host-11573 OU=Nectworking O=VMWare ST=CA C=US"
    Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
    Key: Sun RSA public key, 2048 bits

    modulus: 22911650522799465929163707326918080254704523027188317203645647153931638466371122064197258058841116911989320009855294745617721779386019557021249605122136935010401
    36836560115024772432023329796195620130983113379731661924922830333592692791543147876405959524921451570805385813377696469386291738246946920048747704248124484079384552745316
    66112531666589757995492441394796111464829401754007815754348273682553447185738440211794264079252464938057216938803523707224061663150480722911564461043934851115967587589348
    39992978266706878205075684179188691037974878624050280597452927405166323249390673946856460750742686036206044340415301
    public exponent: 65537

    Validity: [From: Fri Apr 28 10:14:16 UTC 2017,
    To: Tue Sep 13 10:14:16 UTC 2044]
    Issuer: CN="VMWare VXLAN Host Certificate host-11573 OU=Nectworking O=VMWare ST=CA C=US"
    SerialNumber: [ 015bb40d d45c]

    >2017-06-07T14:28:04.785693+00:00 2017-06-07 14: 28:04,785 19194224947 [reader 1] ERROR com.vmware.controller.server.ssl.SelfSignedX509TrustManager - Unknow chassis certificate: [#012[#012 Version: V3#012 Subject: CN="VMWare VXLAN Host Certificate host-11573 OU=Nectworking O=VMWare ST=CA C=US"#012 Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11#012#012
    Key: Sun RSA public key, 2048 bits#012 modulus: 229116505227994659291637073269180802547045230271883172036456471539316384663711220641972580588411169
    119893200098552947456177217793860195570212496051221369350104013683656011502477243202332979619562013098311337973166192492283033359269279154314787640595..

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Environment

VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.2.x

Cause

This issue occurs when the Controller fails to authenticate the host's certificate, which causes the SSL handshake to fail.
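
The following triage script is an added example, not VMware code. It checks whether collected logs show both halves of this failure: SSL handshake errors in netcpa.log on the host and "Unknow chassis certificate" rejections in the Controller log. The sample log text is constructed from the excerpts above, and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the log excerpts in this article.
NETCPA_LOG = """\
2017-06-07T00:47:56.461Z error netcpa[37140B70] [Originator@6876 sub=Default] SSL handshake failed on 172.16.0.11:0 : error = SSL Exception: error:140000DB:SSL routines:SSL routines:short read
2017-06-07T03:17:57.439Z error netcpa[37603B70] [Originator@6876 sub=Default] SSL handshake failed on 172.16.0.11:0 : error = SSL Exception: error:140000DB:SSL routines:SSL routines:short read
2017-06-07T06:17:58.561Z error netcpa[37181B70] [Originator@6876 sub=Default] SSL handshake failed on 172.16.0.10:0 : error = SSL Exception: error:140000DB:SSL routines:SSL routines:short read
2017-06-07T07:48:01.002Z info netcpa[36D81B70] [Originator@6876 sub=Default] constructed unrelated line
"""
CONTROLLER_LOG = """\
2017-06-06 18:32:50,347 19123181348 [listener] INFO com.vmware.controller.server.Listener - Accept Connection [ip=172.24.2.26:46115, cnnId=21264] from /172.24.2.26:46115
2017-06-06 18:32:50,357 19123181358 [reader 3] ERROR com.vmware.controller.server.ssl.SelfSignedX509TrustManager - Unknow chassis certificate: [
[
Version: V3
Subject: CN="VMWare VXLAN Host Certificate host-11573 OU=Nectworking O=VMWare ST=CA C=US"
2017-06-07T14:28:04.785693+00:00 2017-06-07 14:28:04,785 19194224947 [reader 1] ERROR com.vmware.controller.server.ssl.SelfSignedX509TrustManager - Unknow chassis certificate: [#012[#012 Version: V3#012 Subject: CN="VMWare VXLAN Host Certificate host-11573 OU=Nectworking O=VMWare ST=CA C=US"#012 Signature Algorithm: SHA256withRSA
"""

HANDSHAKE = re.compile(r"netcpa\[\w+\].*SSL handshake failed on (\d+(?:\.\d+){3}):\d+")
REJECT = re.compile(r"SelfSignedX509TrustManager - Unknow chassis certificate")
SUBJECT = re.compile(r'Subject: CN="VMWare VXLAN Host Certificate (host-\d+)')

def handshake_failures(netcpa_text):
    """Count host-side SSL handshake failures per controller IP."""
    hits = (HANDSHAKE.search(line) for line in netcpa_text.splitlines())
    return Counter(m.group(1) for m in hits if m)

def rejected_hosts(controller_text):
    """Count certificate rejections per host ID taken from the certificate subject."""
    # Syslog-forwarded copies escape newlines as #012; undo that first.
    text = controller_text.replace("#012", "\n")
    hosts, pending = Counter(), False
    for line in text.splitlines():
        if REJECT.search(line):
            pending = True  # the Subject line of the rejected certificate follows
        if pending and (m := SUBJECT.search(line)):
            hosts[m.group(1)] += 1
            pending = False
    return hosts

def matches_article(netcpa_text, controller_text):
    """True when both the host-side and the controller-side symptom are present."""
    return bool(handshake_failures(netcpa_text)) and bool(rejected_hosts(controller_text))

if __name__ == "__main__":
    print(handshake_failures(NETCPA_LOG), rejected_hosts(CONTROLLER_LOG))
```

Handshake failures without a matching certificate rejection on the Controller side point to a different cause than the one described here.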

Resolution

This issue is resolved in VMware NSX for vSphere 6.3.5, available at VMware Downloads.

If you do not want to upgrade, work around this issue by navigating to Network & Security > Installation > Management > NSX Manager > Actions > Update Controller State so that the new certificate is picked up.

