NSX Failed to "Remove NSX" in a security-only cluster
searchcancel
NSX Failed to "Remove NSX" in a security-only cluster
book
Article ID: 368591
calendar_today
Updated On: 02-05-2025
Products
VMware NSX
Issue/Introduction
Failed to "Remove NSX" in a security-only cluster with notification: "Error: The resource TransportNode with ID <transport node id> used by compute collection <compute resource id>:domain-<cluster id> is a member of a security group. Please update the group membership to remove the resource and try uninstalling again. (Error code: 9611)"
"del nsx" on ESXi command line may also return failed.
Environment
VMware NSX-T Data Center 3.x VMware NSX 4.x
Cause
You will encounter this issue, when the security-only cluster is configured using button 1 on the image, for example configured at a global level, not at cluster level. It does not occur if the security-only cluster is configured using button 2.
Resolution
1. When configuring a security-only cluster, use button 2 from the image above, which is at the cluster level.
2. If you have encountered this issue and you are unable to uninstall NSX from the security-only cluster, use the following procedure:
In vCenter, enter one ESXi in the cluster to maintenance mode.
Move this ESXi out of the cluster on the vCenter Server, to the datacenter level or cluster not prepared for NSX.
In the NSX UI, under Fabric, Select this ESXi then click "Remove NSX", the host should appear as "Not Configured" in NSX now.
Confirm the VIBs have been removed from the ESXi host, by running: esxcli software vib list|grep -E 'nsx|vsip'
Which are: Stop the proxy service on the ESXi host first: /etc/init.d/nsx-proxy stop
Enter the NSX command line interface on the ESXi by entering "nsxcli" and run the command "del nsx" on ESXi command line.
This will take a short while and when complete, you should see a terminated message and you get kicked out of the nsxcli shell back to the ESXi shell, this is due to the NSX VIBs being removed. After a few minutes, confirm that the NSX VIBs are removed, by running "esxcli software vib list|grep -E 'nsx|vsip' " .
Now the NSX VIBs are removed, if you wish to prepare the host again for security-only, add the ESXi host back to the security-only cluster in the vCenter Server and as there is a TNP (Transport Node Profile) attached, NSX should get installed on the host again and can be confirmed by running the command "esxcli software vib list|grep -E 'nsx|vsip'" on the ESXi host.
3.If you believe you have encountered this issue and the above workaround does not work for you, please gather the information below and open a support case with Broadcom Support.
From NSX-Manager root context, run the below commands, save the output to a file, and scp those files off the manager and add to your case. If you login via admin use the command "st en" to switch to the correct context.