When upgrading NSX-T, the ESXi host transport nodes show in a Failed state for NSX Configuration and produce this error:
Host Configuration: Failed to send the HostConfig message.
[TN=TransportNode/<Transport_Node_UUID>]. Reason: Failed to send HostConfig RPC to MPA TN:<Transport_Node_UUID>. Error: Unable to reach client <Transport_Node_UUID>, application SwitchingVertical. LogicalSwitch full-sync: LogicalSwitch full-sync realization query skipped.
ESXi hosts being prepared as NSX transport nodes may fail installation. This may happen at 67% completion or later during the configuration process.
2024-06-21T14:48:09Z nsxaVim: [2102356]: INFO Entered update lockdown exception to [add] user [nsx-user]^@
2024-06-21T14:48:09Z nsxaVim: [2102356]: INFO Adding user nsx-user in lockdown exception list^@
2024-06-21T14:48:09Z nsxaVim: [2102356]: WARNING User <user name> does not exist retrying updating exception list^@
VMware NSX-T 3.x
VMware NSX 4.x
If the HostClient or vCenter Lockdown exception list includes Active Directory users which are subsequently removed from the AD domain server, the ESXi host will not automatically remove the user from the list of lockdown exceptions.
This "stale" Lockdown mode exception user can cause the nsxaApp service to go down on the ESXi host, which in turn prevents the host from being successfully configured as an NSX transport node.
/var/run/log/nsxdavim.log
/etc/init.d/nsx-opsagent restart
and complete the upgrade.
Note: The user may also exist in the HostClient UI. Review the list there and remove the mentioned user if it exists there as well.
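One way to identify which stale exception user the host is reporting, as an added example (not VMware's own tooling): a POSIX shell function that scans an nsxaVim log for the WARNING shown above and lists each missing user with a hit count and last-seen timestamp. The function names, the sample user names and the extra timestamps are constructed for illustration.

```shell
#!/bin/sh
# Added example: list lockdown-exception users that nsxaVim reports as missing.
# Output: one line per user -> <user> TAB <warning count> TAB <last seen timestamp>
stale_lockdown_users() {
    # Drop real NUL bytes (rendered as ^@ by some viewers) before parsing.
    tr -d '\000' < "$1" | awk '
    /nsxaVim/ && /WARNING User .* does not exist retrying updating exception list/ {
        user = $0
        sub(/^.*WARNING User /, "", user)       # strip everything before the name
        sub(/ does not exist retrying updating exception list.*$/, "", user)
        if (!(user in count)) order[++n] = user # remember first-seen order
        count[user]++
        last[user] = $1                         # field 1 is the timestamp
    }
    END {
        for (i = 1; i <= n; i++)
            printf "%s\t%d\t%s\n", order[i], count[order[i]], last[order[i]]
    }'
}

# Constructed sample modelled on the log lines above; user names are made up.
make_sample_log() {
    cat > "$1" <<'EOF'
2024-06-21T14:48:09Z nsxaVim: [2102356]: INFO Entered update lockdown exception to [add] user [nsx-user]^@
2024-06-21T14:48:09Z nsxaVim: [2102356]: INFO Adding user nsx-user in lockdown exception list^@
2024-06-21T14:48:09Z nsxaVim: [2102356]: WARNING User EXAMPLE\old-admin does not exist retrying updating exception list^@
2024-06-21T14:48:19Z nsxaVim: [2102356]: WARNING User EXAMPLE\old-admin does not exist retrying updating exception list^@
2024-06-21T14:48:29Z nsxaVim: [2102356]: WARNING User EXAMPLE\svc-backup does not exist retrying updating exception list
EOF
}

# When run with a log file as the first argument, report on that file.
if [ -f "${1:-}" ]; then
    stale_lockdown_users "$1"
fi
```

Each user printed is a candidate for removal from the Lockdown mode exception list; empty output means the log contains no such warning.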