In a VMware NSX 4.x Federation setup, a site is added to the Global Manager (GM) successfully. However, the GM shows an error while checking the configuration of the Local Manager (LM), and the configuration from this site is not imported to the GM.
The following entry appears in log/gmanager/gmanager.log:
2024-08-01T14:32:30.508Z INFO http-nio-127.0.0.1-64440-exec-23 GmOnboardingConverter 86861 POLICY [nsx@6876 comp="global-manager" level="INFO" reqId="<Request-ID>" subcomp="global-manager" username="admin"] toConfigOnboardingStatusDto: ConfigOnboardingStatus : ConfigOnboardingStatus [siteOnboardingStatus=SiteOnboardingStatus [siteId=<LM-site>, status=BLOCKED_FEATURE_CHECK, siteBackupReference=, stateTransitions=[ALLOWED:1688771800668, BLOCKED_FEATURE_CHECK:1722522750507, {cnt=2}]], ignoreStatus=false, supportedFeatures=[GROUP, TIER0, CONNECTIVITY, SECURITY_POLICY, CONNECTIVITY, NETWORK, LOCATION, NETWORK, NETWORK, CONNECTIVITY, TIER1, NETWORK, NETWORK, CONNECTIVITY, CONNECTIVITY, CONNECTIVITY, SECURITY_POLICY], unsupportedFeatures=[PRINCIPAL_IDENTITY], importProgress=null, rollbackProgress=null, errors=[com.vmware.nsx.management.gm.onboarding.exceptions.ConfigOnboardingException: Unknown Principal identity PRINCIPAL_IDENTITY-<Principal-Identity-name> found on Local Manager at site <LM-site>. Please create this principal identity PRINCIPAL_IDENTITY-<Principal-Identity-name> on GM to proceed with config onboarding.]]
Upon checking the principal identities on the LM site using the following API call:
GET https://<LM-site>/api/v1/trust-management/principal-identities/
There may or may not be any matching <Principal-Identity-name> found in the result.
VMware NSX 4.x
If the Local Manager contains configurations that were created by a Principal Identity user and the same Principal Identity user is not present in the Global Manager, import is blocked.
Please refer to this KB for details about importing configuration from Local sites: https://docs.vmware.com/en/VMware-NSX/4.2/installation/GUID-388CE659-3FE3-4EF4-ABA3-AE3FCAA191E9.html
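To proceed with config onboarding, create the principal identity on the GM with the following API call:
POST https://<global-nsx-mgr>/api/v1/trust-management/token-principal-identities
and put the following inside the request body: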
{
  "name": "<principal-identity-name>",
  "node_id": "<random_number_here>",
  "is_protected": "true"
}
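Because the GET on the LM may not list the identity, the gmanager.log entry is the reliable source for the name to create. The following is an added example, not VMware code: it scans log text for BLOCKED_FEATURE_CHECK entries, extracts the site and principal identity name, and builds the request body in the shape shown above. The sample log lines and the names site-a, site-b and svc-automation are constructed.

```python
import json
import re
import secrets

# Constructed sample, shortened from the gmanager.log format shown above.
# site-a, site-b and svc-automation are made-up values.
SAMPLE_LOG = (
    "2024-08-01T14:30:00.000Z INFO exec-1 GmOnboardingConverter POLICY toConfigOnboardingStatusDto: "
    "ConfigOnboardingStatus [siteOnboardingStatus=SiteOnboardingStatus [siteId=site-b, status=ALLOWED], "
    "unsupportedFeatures=[], errors=[]]\n"
    "2024-08-01T14:32:30.508Z INFO exec-23 GmOnboardingConverter POLICY toConfigOnboardingStatusDto: "
    "ConfigOnboardingStatus [siteOnboardingStatus=SiteOnboardingStatus [siteId=site-a, "
    "status=BLOCKED_FEATURE_CHECK], unsupportedFeatures=[PRINCIPAL_IDENTITY], errors=[com.vmware.nsx."
    "management.gm.onboarding.exceptions.ConfigOnboardingException: Unknown Principal identity "
    "PRINCIPAL_IDENTITY-svc-automation found on Local Manager at site site-a. Please create this "
    "principal identity PRINCIPAL_IDENTITY-svc-automation on GM to proceed with config onboarding.]]\n"
)

# Matches the error text from the log; the name is the part after "PRINCIPAL_IDENTITY-".
UNKNOWN_PI = re.compile(
    r"Unknown Principal identity PRINCIPAL_IDENTITY-(?P<name>.+?) found on Local Manager "
    r"at site (?P<site>.+?)\. Please create"
)


def blocked_identities(log_text):
    """Return {site: sorted principal identity names} for blocked onboarding checks."""
    found = {}
    for line in log_text.splitlines():
        if "status=BLOCKED_FEATURE_CHECK" not in line:
            continue  # only entries where the feature check blocked the import
        for m in UNKNOWN_PI.finditer(line):
            found.setdefault(m["site"], set()).add(m["name"])
    return {site: sorted(names) for site, names in found.items()}


def gm_request_body(name):
    """Body for the POST to token-principal-identities, with a random number as node_id."""
    return {"name": name, "node_id": str(secrets.randbelow(10**9)), "is_protected": "true"}


if __name__ == "__main__":
    for site, names in blocked_identities(SAMPLE_LOG).items():
        for name in names:
            print(site, json.dumps(gm_request_body(name)))
```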