NSX Host preparation fails due to stale entries with an "Host configuration: Found security-only non-CVDS on the host"

Article ID: 378540


Products

VMware NSX

Issue/Introduction

  • NSX host preparation fails at the "Applying NSX switch configuration" stage with the following error in the UI:

Transport Node Errors

Host configuration: Found security-only non-CVDS on the host.;

  • The following errors are logged in /var/log/proton/nsxapi.log on the NSX Manager:
    2024-xx-xxT19:48:43.322Z ERROR L2HostConfigTaskExecutor5 TransportNodeAsyncUtils 75770 FABRIC [nsx@6876 comp="nsx-manager" errorCode="MP8817" level="ERROR" subcomp="manager"] Some error occured when configuring host switch on host: Found security-only non-CVDS on the host.;

    2024-xx-xxT19:48:43.322Z ERROR L2HostConfigTaskExecutor5 TransportNodeAsyncUtils 75770 FABRIC [nsx@6876 comp="nsx-manager" errorCode="MP8817" level="ERROR" subcomp="manager"] Some error occured when configuring host switch on host: Found security-only non-CVDS on the host.;

    2024-xx-xxT19:48:43.322Z ERROR L2HostConfigTaskExecutor5 TransportNodeAsyncServiceImpl 75770 FABRIC [nsx@6876 comp="nsx-manager" errorCode="MP8700" level="ERROR" subcomp="manager"] Found security-only non-CVDS on the host.; com.vmware.nsx.management.switching.common.exceptions.SwitchingException: null
  • On the ESXi host, stale NSX properties from the previous install are present even though there are no NSX VIBs on the host:
    [root@ESXi:~] net-dvs -l | grep -E "^switch|com.vmware.nsx.vdsSecurity.enabled|com.vmware.common.alias"
    switch ## ## ## ## ## ## ## ## - ## ## ## ## ## ## ## ## (cswitch) <<<<< cswitch represents a non-nsx prepared switch for DVS 7.0.3 and above. NSX prepared switch would be vswitch
    com.vmware.common.alias = <DVS-Name> ,         propType = CONFIG
    com.vmware.nsx.vdsSecurity.enabled = true ,         propType = CONFIG <<<<<

Cause

An improper uninstall of the NSX VIBs may leave stale entries on the ESXi host. NSX preparation fails on hosts that carry these stale entries.

Resolution

  • Verify the presence of the stale entry. The property is considered stale in the following scenarios:
    • For DVS version 7.0.3 and above, "com.vmware.nsx.vdsSecurity.enabled = true" is set on a "cswitch". A cswitch is a non-NSX switch, whereas a vswitch is an NSX-prepared switch.
    • "com.vmware.nsx.vdsSecurity.enabled = true" is set on a host with no NSX VIBs.
[root@ESXi:~] net-dvs -l | grep -E "^switch|com.vmware.nsx.vdsSecurity.enabled|com.vmware.common.alias"
switch ## ## ## ## ## ## ## ## -## ## ## ## ## ## ## ## (cswitch)             <<<< cswitch represents a non-nsx prepared switch for DVS version 7.0.3 and above. NSX prepared switch would be vswitch
com.vmware.common.alias = DVS-123 ,         propType = CONFIG
com.vmware.nsx.vdsSecurity.enabled = true ,         propType = CONFIG         <<<< This is considered stale when ESXi host doesn't have NSX VIBs or when the switch type is cswitch

 

[root@ESXi:~] esxcli software vib list | grep -i nsx                          <<<< Command to check NSX VIBs, in this example, the ESXi host doesn't have any NSX VIBs
[root@ESXi:~]

 

  • Perform the workaround below to unset the property only after confirming that "com.vmware.nsx.vdsSecurity.enabled" is stale:
[root@ESXi] net-dvs -u com.vmware.nsx.vdsSecurity.enabled -p hostPropList DVS-123          <<<< DVS-123 is the switch alias name from the previous step.
 
  • Re-attempt the NSX install
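
The stale-entry check from the first Resolution step can be scripted so that the property is only unset on switches that match one of the two scenarios. This is an added example, not part of the original article or a VMware tool; the function name, the sample UUIDs and the aliases DVS-NSX and DVS-Clean are constructed, and it assumes DVS version 7.0.3 or above.

```shell
# Read-only check; flags a switch, changes nothing. Assumes DVS 7.0.3 or above,
# where "cswitch" marks a switch that is not NSX prepared (per the KB text).
#
# find_stale_nsx_switches NSX_VIB_COUNT   (hypothetical helper name)
# Reads `net-dvs -l` output on stdin and prints the alias of every switch that
# has the property set to true while being a cswitch or on a host with 0 NSX VIBs.
find_stale_nsx_switches() {
    awk -v vibs="$1" '
        function report() {
            if (alias != "" && enabled && (type == "cswitch" || vibs == 0))
                print alias
        }
        /^switch / {
            report()                       # close the previous switch block
            alias = ""; enabled = 0
            type = $NF; gsub(/[()]/, "", type)
            next
        }
        /com\.vmware\.common\.alias/ {
            alias = $0
            sub(/^[^=]*= */, "", alias)    # drop the "<key> = " prefix
            sub(/ *,[ \t]*propType.*$/, "", alias)
        }
        /com\.vmware\.nsx\.vdsSecurity\.enabled/ { enabled = ($3 == "true") }
        END { report() }
    '
}

# Constructed sample in the shape of the KB output; the UUIDs, DVS-NSX and
# DVS-Clean are made up for illustration.
sample_net_dvs() {
    cat <<'EOF'
switch 50 11 22 33 44 55 66 77-88 99 aa bb cc dd ee 01 (cswitch)
    com.vmware.common.alias = DVS-123 ,         propType = CONFIG
    com.vmware.nsx.vdsSecurity.enabled = true ,         propType = CONFIG
switch 50 11 22 33 44 55 66 77-88 99 aa bb cc dd ee 02 (vswitch)
    com.vmware.common.alias = DVS-NSX ,         propType = CONFIG
    com.vmware.nsx.vdsSecurity.enabled = true ,         propType = CONFIG
switch 50 11 22 33 44 55 66 77-88 99 aa bb cc dd ee 03 (cswitch)
    com.vmware.common.alias = DVS-Clean ,         propType = CONFIG
EOF
}

# Host with NSX VIBs installed (count 2): only DVS-123 is reported.
sample_net_dvs | find_stale_nsx_switches 2
# On a host: net-dvs -l | find_stale_nsx_switches "$(esxcli software vib list | grep -ci nsx)"
```

An alias printed here is a candidate for the `net-dvs -u` workaround above; an empty result means neither stale scenario matched.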