HCX OSAM migration is not working when NAT is in use


Article ID: 376143


Products

VMware HCX

Issue/Introduction

  • DNAT in use between Sentinel agent and SGW.
  • The sgw.conf file has been modified, changing the SGW IP to the DNAT IP address.
  • Error message observed in the SGR appliance at /var/log/messages:
<Timestamp> OSAM01-SRG-I1 sgwd 1453 - - [Err-sgwd] : failed to read Sgw message on conn sgw-tls conn<IP address>, err: failed to read msg hdr from <Message header> , err: remote error: tls: bad certificate
  • Error message found in the Sentinel Agent log: C:\ProgramData\VMware\HCX\OSAM\sentinelService.log:
<Timestamp> ERROR Failed to connect to <IP address>Error: 0x509: certificate is valid for <IP address of SGR Guest Network Interface>, not for <IP Address>. Retrying ...

Environment

HCX

Cause

Modifying SGW configuration files is not supported and will result in a certificate mismatch. The HCX documentation also states: "Inbound DNAT, load balancing, or reverse proxy configurations in the underlay are not supported for the HCX Migration and Extension Transport tunnels." For more information, please refer to Network Underlay Minimum Requirements.

Resolution

Do not use NAT for HCX migrations.
