NSX Host preparation fails with an "Host configuration: Found security-only non-CVDS on the host" message
Article ID: 378540

Updated On:

Products

VMware NSX, VMware vDefend Firewall

Issue/Introduction

  • NSX host preparation fails at the "Applying NSX switch configuration" stage with the following error in the UI

Transport Node Errors
Host configuration: Found security-only non-CVDS on the host.;

  • The following errors are logged in /var/log/proton/nsxapi.log on the NSX Manager:
    ERROR L2HostConfigTaskExecutor5 TransportNodeAsyncUtils 75770 FABRIC [nsx@6876 comp="nsx-manager" errorCode="MP8817" level="ERROR" subcomp="manager"] Some error occured when configuring host switch on host: Found security-only non-CVDS on the host.;

    ERROR L2HostConfigTaskExecutor5 TransportNodeAsyncUtils 75770 FABRIC [nsx@6876 comp="nsx-manager" errorCode="MP8817" level="ERROR" subcomp="manager"] Some error occured when configuring host switch on host: Found security-only non-CVDS on the host.;

    ERROR L2HostConfigTaskExecutor5 TransportNodeAsyncServiceImpl 75770 FABRIC [nsx@6876 comp="nsx-manager" errorCode="MP8700" level="ERROR" subcomp="manager"] Found security-only non-CVDS on the host.; com.vmware.nsx.management.switching.common.exceptions.SwitchingException: null
  • On the ESXi host, stale NSX properties from a previous install remain, even when there are no NSX VIBs.
    [root@ESXi:~] net-dvs -l | grep -E "^switch|com.vmware.nsx.*.enable|com.vmware.common.alias|com.vmware.common.nsxUplink"
    switch ## ## ## ## ## ## ## ## - ## ## ## ## ## ## ## ## (cswitch)
    com.vmware.common.alias = <DVS_name> ,         propType = CONFIG
    com.vmware.nsx.<property>.enabled = true ,         propType = CONFIG
    Note:
    cswitch represents a non-NSX prepared switch for DVS 7.0.3 and above.
    vswitch represents an NSX prepared switch.

    Some property names end in "enable" and others in "enabled".
    Stale NSX properties may include (non-exhaustive):
    • com.vmware.nsx.kcp.enable
    • com.vmware.nsx.spf.enabled
    • com.vmware.nsx.vdl2.enabled
    • com.vmware.nsx.vdsSecurity.enabled
    • com.vmware.common.nsxUplink
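
An added example, not part of this article or the attached nsx_cleanup.py: a read-only Python parser for the filtered net-dvs -l output shown above that lists cswitch entries still carrying NSX properties. The sample output, switch IDs and DVS names are constructed, and the line layout is assumed from the snippet in this article.

```python
import re

# Constructed sample of filtered `net-dvs -l` output; IDs and names are made up.
SAMPLE = """\
switch 50 11 22 33 44 55 66 77-88 99 aa bb cc dd ee ff (cswitch)
    com.vmware.common.alias = DSwitch 1 ,         propType = CONFIG
    com.vmware.nsx.vdsSecurity.enabled = true ,         propType = CONFIG
    com.vmware.nsx.kcp.enable = true ,         propType = CONFIG
switch 50 22 33 44 55 66 77 88-99 aa bb cc dd ee ff 00 (vswitch)
    com.vmware.common.alias = DSwitch NSX ,         propType = CONFIG
    com.vmware.nsx.vdl2.enabled = true ,         propType = CONFIG
switch 50 33 44 55 66 77 88 99-aa bb cc dd ee ff 00 11 (cswitch)
    com.vmware.common.alias = DSwitch Mgmt ,         propType = CONFIG
"""

SWITCH_RE = re.compile(r"^switch\s+(?P<id>.+?)\s+\((?P<kind>\w+)\)\s*$")
PROP_RE = re.compile(
    r"^\s*(?P<name>com\.vmware\.[\w.]+)\s*=\s*(?P<value>.*?)\s*,\s*propType\s*=")
# Same property families as the grep pattern used in this article.
NSX_PROP_RE = re.compile(r"^com\.vmware\.(nsx\..+\.enabled?|common\.nsxUplink)$")


def parse_net_dvs(text):
    """Group alias and NSX properties under the switch header they follow."""
    switches, current = [], None
    for line in text.splitlines():
        header = SWITCH_RE.match(line)
        if header:
            current = {"id": header["id"], "kind": header["kind"],
                       "alias": None, "nsx_props": {}}
            switches.append(current)
            continue
        prop = PROP_RE.match(line)
        if prop is None or current is None:
            continue  # unrelated line, or a property before any switch header
        if prop["name"] == "com.vmware.common.alias":
            current["alias"] = prop["value"]
        elif NSX_PROP_RE.match(prop["name"]):
            current["nsx_props"][prop["name"]] = prop["value"]
    return switches


def stale_candidates(switches):
    """cswitch (non-NSX prepared) entries that still carry NSX properties."""
    return {s["alias"] or s["id"]: s["nsx_props"]
            for s in switches if s["kind"] == "cswitch" and s["nsx_props"]}


if __name__ == "__main__":
    for name, props in stale_candidates(parse_net_dvs(SAMPLE)).items():
        print(name, sorted(props))
```

The parser only reads text; it changes nothing on the host or in the vCenter database.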

Environment

VMware NSX 4.2.x

Cause

This issue occurs because the vCenter Server retrieves NSX properties during VPXA or host restarts. These vCenter Database (VCDB) entries override other values during synchronization.

Resolution

This is a condition that may occur in a VMware NSX environment. Upgrading to vSphere 8.0.3 P08 will resolve the issue. 

If an upgrade is not possible, consider the workarounds below:

Script Execution Instructions

To scan and clean your vCenter Server Appliance (VCSA) and ESXi hosts, please follow these steps:

  1. Transfer the script. Copy the cleanup script to the VCSA appliance. Place the file in either the /tmp or /root directory.

  2. Perform a read-only scan. Run the script and select Option 1. This scans the environment in read-only mode to determine whether any cleanup is actually required.

  3. Execute the cleanup. Only after reviewing the read-only scan results should you proceed with running the script in cleanup mode against the VC and ESXi hosts.


vCenter:

  • Follow these steps to perform the cleanup operation on the vCenter Server Appliance (VCSA):

    1. Stop the VPXD service. Before executing the database cleanup, you must stop the vCenter Server service:

    service-control --stop vmware-vpxd
    

    2. Back up the VCDB. Critical: Always take a backup of the vCenter Database (VCDB) before running the cleanup operation. Run the following command to create the backup in the /var/tmp directory:

    /opt/vmware/vpostgres/current/bin/pg_dump -U postgres -d VCDB -F c -f /var/tmp/vcdb_backup.dump
    

    Alternative backup path: If you prefer or need to back up to the core storage, you can use the following command instead (verify storage space before proceeding):

    /opt/vmware/vpostgres/current/bin/pg_dump -d VCDB -U postgres -Fp -f /storage/core/VCDBackUp.bak

    3. Execute the cleanup script. Run the attached Python script (nsx_cleanup.py) to perform the database cleanup.

    • When prompted, select Option 2 (Cleanup Environment).

    • Note: This is the same script used for both vCenter and ESXi host cleanups.

    4. Start the VPXD service. Once the cleanup is complete and the script has successfully exited, restart the vCenter Server service to bring the environment back online:

    service-control --start vmware-vpxd

ESXi:

  • The engineering team strongly advises using the net-dvs command (examples provided below) to manually update the affected properties on the specific problematic ESXi host.

    net-dvs -s com.vmware.nsx.vdsSecurity.enabled=true -p hostPropList "DSwitch 1"

To run the vds_security.py script, refer to "Enable vdsSecurity property on problematic hosts".

Note: If the stale properties reappear on the VDS after a host reboot or after restarting VPXA, this may indicate that the properties are stuck in the vCenter database and are being reapplied to the host during initialization. If this behavior is observed, please open a Support Request with Broadcom for assistance with reviewing and cleaning up the vCenter database entries. For more information, refer to this KB

Attachments

nsx_cleanup.py
vds_security.py