Unable to prepare ESXi hosts for NSX due to existing stale Lockdown Mode exception user(s).

Article ID: 372410

Products

VMware NSX

Issue/Introduction

- Preparing an ESXi host as an NSX transport node may fail. The failure typically occurs at 67% completion or later in the configuration process.

- The /var/run/log/nsxaVim.log file on the ESXi host that fails NSX installation/configuration contains entries similar to the following:

2024-06-21T14:48:09Z nsxaVim: [2102356]: INFO Entered update lockdown exception to [add] user [nsx-user]^@
2024-06-21T14:48:09Z nsxaVim: [2102356]: INFO Adding user nsx-user in lockdown exception list^@
2024-06-21T14:48:09Z nsxaVim: [2102356]: WARNING User <user name> does not exist retrying updating exception list^@

Environment

VMware NSX-T 3.x

VMware NSX 4.x

Cause

If the Lockdown Mode exception list (managed through the Host Client or vCenter) includes Active Directory users that are later deleted from the AD domain, the ESXi host does not automatically remove those users from the exception list.

Such a "stale" Lockdown Mode exception user can cause the nsxaApp service on the ESXi host to go down, which in turn prevents the host from being configured as an NSX transport node.

Resolution

- Open the Host Client UI or the vCenter UI.

- Go to the UI page for managing Lockdown Mode exception users.

- Remove from the exception list each user named in a "User <user name> does not exist" warning in nsxaVim.log.

- Retry the NSX installation on the ESXi host.
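As an added example (not part of this article and not VMware code), the following Python script shows how to turn the log evidence above into the cleanup list used in the resolution steps: it parses nsxaVim.log lines in the format quoted in the Issue section, extracts every user reported as non-existent, and computes the exception list that should remain once the stale entries are removed. The log excerpt is constructed, and the "current exception list" is a hypothetical input that you would read from the Lockdown Mode exception page in the Host Client or vCenter.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample excerpt in the nsxaVim.log format quoted in the article
# (not taken from a real host). The trailing "^@" mimics the NUL bytes that
# appear at the end of each record in the raw log file.
SAMPLE_NSXAVIM_LOG = r"""
2024-06-21T14:48:09Z nsxaVim: [2102356]: INFO Entered update lockdown exception to [add] user [nsx-user]^@
2024-06-21T14:48:09Z nsxaVim: [2102356]: INFO Adding user nsx-user in lockdown exception list^@
2024-06-21T14:48:09Z nsxaVim: [2102356]: WARNING User CORP\jdoe does not exist retrying updating exception list^@
2024-06-21T14:48:10Z nsxaVim: [2102356]: WARNING User CORP\jdoe does not exist retrying updating exception list^@
2024-06-21T14:48:11Z nsxaVim: [2102356]: WARNING User svc-backup@corp.example does not exist retrying updating exception list^@
"""

# Matches the warning nsxaVim emits for each exception-list user it cannot resolve.
STALE_USER_RE = re.compile(
    r"WARNING User (?P<user>\S+) does not exist retrying updating exception list"
)


def find_stale_exception_users(log_text: str) -> Dict[str, int]:
    """Return {user: number_of_warnings} for every user reported as non-existent.

    The count helps when reading a long log: nsxaVim keeps retrying, so a
    genuinely stale entry appears many times rather than once.
    """
    counts: Dict[str, int] = {}
    for raw_line in log_text.splitlines():
        line = raw_line.replace("^@", "").rstrip()  # drop NUL-byte artefacts
        match = STALE_USER_RE.search(line)
        if match:
            user = match.group("user")
            counts[user] = counts.get(user, 0) + 1
    return counts


def cleaned_exception_list(current: Iterable[str], stale: Iterable[str]) -> List[str]:
    """Return the exception list with the stale users removed.

    Comparison is case-insensitive because neither ESXi nor Active Directory
    treats account names as case-sensitive. The order of the remaining entries
    is preserved so the result can be compared line by line with the UI.
    """
    stale_lc = {user.lower() for user in stale}
    return [user for user in current if user.lower() not in stale_lc]


if __name__ == "__main__":
    stale = find_stale_exception_users(SAMPLE_NSXAVIM_LOG)
    for user, hits in stale.items():
        print(f"stale exception user: {user} ({hits} warnings)")

    # Hypothetical current exception list, as it would be read from the
    # Lockdown Mode exception page in the Host Client or vCenter.
    current_exceptions = ["nsx-user", "CORP\\jdoe", "svc-monitoring", "svc-backup@corp.example"]
    print("exception list after cleanup:", cleaned_exception_list(current_exceptions, stale))
```

The remaining entries are the ones to keep on the exception page; note that nsx-user is the account nsxaVim itself is trying to add, so it must not be removed. If you automate the cleanup instead of using the UI, the same list is what you would hand to the vSphere API's HostAccessManager.UpdateLockdownExceptions method, after first reading the current list with QueryLockdownExceptions.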