NSX Failed to "Remove NSX" in a security-only cluster
search cancel

NSX Failed to "Remove NSX" in a security-only cluster

book

Article ID: 368591

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

  • Failed to "Remove NSX" in a security-only cluster with notification: "Error: The resource TransportNode with ID <transport node id> used by compute collection <compute resource id>:domain-<cluster id> is a member of a security group. Please update the group membership to remove the resource and try uninstalling again. (Error code: 9611)"



  • "del nsx" on ESXi command line may also return failed.

Environment

VMware NSX-T Data Center 3.x
VMware NSX 4.x

Cause

You will encounter this issue, when the security-only cluster is configured using button 1 on the image, for example configured at a global level, not at cluster level.
It does not occur if the security-only cluster is configured using button 2.

Resolution

1. When configuring a security-only cluster, use button 2 from the image above, which is at the cluster level. 

2. If you have encountered this issue and you are unable to uninstall NSX from the security-only cluster, use the following procedure:

  1. In vCenter, enter one ESXi in the cluster to maintenance mode.
  2. Move this ESXi out of the cluster on the vCenter Server, to the datacenter level or cluster not prepared for NSX.
  3. In the NSX UI, under Fabric, Select this ESXi then click "Remove NSX", the host should appear as "Not Configured" in NSX now.
  4. Confirm the VIBs have been removed from the ESXi host, by running:
    esxcli software vib list|grep -E 'nsx|vsip'
  5. If the VIBs have not been removed, follow the step 8 in the following guide: 
    Uninstall NSX from a vSphere Cluster
  6. Which are:
    Stop the proxy service on the ESXi host first:
    /etc/init.d/nsx-proxy stop
  7. Enter the NSX command line interface on the ESXi by entering "nsxcli" and run the command "del nsx" on ESXi command line.
  8. This will take a short while and when complete, you should see a terminated message and you get kicked out of the nsxcli shell back to the ESXi shell, this is due to the NSX VIBs being removed.
    After a few minutes, confirm that the NSX VIBs are removed, by running "esxcli software vib list|grep -E 'nsx|vsip' " .
  9. Now the NSX VIBs are removed, if you wish to prepare the host again for security-only, add the ESXi host back to the security-only cluster in the vCenter Server and as there is a TNP (Transport Node Profile) attached, NSX should get installed on the host again and can be confirmed by running the command "esxcli software vib list|grep -E 'nsx|vsip'" on the ESXi host.

3.If you believe you have encountered this issue and the above workaround does not work for you, please gather the information below and open a support case with Broadcom Support.

  • From NSX-Manager root context, run the below commands, save the output to a file, and scp those files off the manager and add to your case. If you login via admin use the command "st en" to switch to the correct context.

    /opt/vmware/bin/corfu_tool_runner.py --tool corfu-editor -n nsx -o showTable -t TransportNodeCollection > TransportNodeCollection.txt
  • /opt/vmware/bin/corfu_tool_runner.py --tool corfu-editor -n nsx -o showTable -t HostTransportNode > HostTransportNode.txt
    
  • /opt/vmware/bin/corfu_tool_runner.py --tool corfu-editor -n nsx -o showTable -t InProgressTransportNodeCollection > InProgressTransportNodeCollection
    
  • Run the following api-call against your nsx-manager using either curl or postman, save the output to a file, and add it to case:
    GET https://{{nsx-ip}}/api/v1/transport-nodes
  • Provide a screenshot showing the current state of the cluster.
  • Provide an approximate time when the "remove NSX" task was first run. 

For more information, see Creating and managing Broadcom support cases.