Onboarding NSX Manager to Security Services Platform fails because of a stale or unreachable helm registry set on NSX.
Symptoms:
k -n nsxi-platform get pods | grep site-service
k -n nsxi-platform logs <site-service-pod-name-copied> | grep -i "reconciler error"
2025-04-03T15:18:31.235Z ERROR Reconciler error {"request": {"name":"ee9c8efa-03af-495f-865b-4f602b1d7151","namespace":"nsxi-platform"}, "reconcileID": "d04c820c-9785-4177-a6e9-cec29231d2de", "error": "subreconciler reconcileSetPlatformDeploymentConfig failed: failed to set fields in PlatformDeploymentConfig: error while executing API call to https://nsx-ee9c8efa-03af-495f-865b-4f602b1d7151/policy/api/v1/infra/sites/default/napp/deployment/platform: {\n \"httpStatus\" : \"BAD_REQUEST\",\n \"error_code\" : 46011,\n \"module_name\" : \"NAPP\",\n \"error_message\" : \"Helm add repo operation failed. Error: looks like https://projects.registry.vmware.com/v2/nsx_application_platform/helm-charts/ is not a valid chart repository or cannot be reached: Get https://projects.registry.vmware.com/v2/nsx_application_platform/helm-charts/index.yaml: dial tcp: lookup projects.registry.vmware.com on ab.cd.ef.gh:53: server misbehaving\\\\n\"\n}"}sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandlerexternal/io_k8s_sigs_controller_runtime/pkg/internal/controller/controller.go:324sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItemexternal/io_k8s_sigs_controller_runtime/pkg/internal/controller/controller.go:265sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2external/io_k8s_sigs_controller_runtime/pkg/internal/controller/controller.go:226
For sample logs of other use cases, refer to the "Cause" section of this KB.
Impact: Features cannot be activated.
Environment: Security Services Platform 5.0, NSX 4.2.0.x, NSX 4.2.1.x
Cause: A stale or unreachable Helm registry configured on NSX causes a conflict when onboarding it to Security Services Platform. The site-service logs identify this issue.
In a support bundle, the log file to check has a name of the form site-service-*.log.
In a live environment, check the logs directly by logging in to the root shell of the Security Services Platform Installer and running "k logs deploy/site-service -n nsxi-platform".
There are a few possible cases in which this may be observed; each can be identified using the following log snippets:
1. Not reachable - the private or public repo is no longer reachable
2025-04-03T15:18:31.235Z ERROR Reconciler error {"request": {"name":"ee9c8efa-03af-495f-865b-4f602b1d7151","namespace":"nsxi-platform"}, "reconcileID": "d04c820c-9785-4177-a6e9-cec29231d2de", "error": "subreconciler reconcileSetPlatformDeploymentConfig failed: failed to set fields in PlatformDeploymentConfig: error while executing API call to https://nsx-ee9c8efa-03af-495f-865b-4f602b1d7151/policy/api/v1/infra/sites/default/napp/deployment/platform: {\n \"httpStatus\" : \"BAD_REQUEST\",\n \"error_code\" : 46011,\n \"module_name\" : \"NAPP\",\n \"error_message\" : \"Helm add repo operation failed. Error: looks like https://projects.registry.vmware.com/v2/nsx_application_platform/helm-charts/ is not a valid chart repository or cannot be reached: Get https://projects.registry.vmware.com/v2/nsx_application_platform/helm-charts/index.yaml: dial tcp: lookup projects.registry.vmware.com on ab.cd.ef.gh:53: server misbehaving\\\\n\"\n}"}sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandlerexternal/io_k8s_sigs_controller_runtime/pkg/internal/controller/controller.go:324sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItemexternal/io_k8s_sigs_controller_runtime/pkg/internal/controller/controller.go:265sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2external/io_k8s_sigs_controller_runtime/pkg/internal/controller/controller.go:226
2. Repo not found - non-OCI
ERROR\tReconciler error\t{\"request\": {\"name\":\"1d2176d3-2dc4-4739-af49-ee151043b3f8\",\"namespace\":\"nsxi-platform\"}, \"reconcileID\": \"a346ef90-49db-4f6e-9d80-88494ef01fb1\", \"error\": \"subreconciler reconcileSetPlatformDeploymentConfig failed: failed to set fields in PlatformDeploymentConfig: error while executing API call to https://nsx-1d2176d3-2dc4-4739-af49-ee151043b3f8/policy/api/v1/infra/sites/default/napp/deployment/platform: {\\n \\\"httpStatus\\\" : \\\"BAD_REQUEST\\\",\\n \\\"error_code\\\" : 46011,\\n \\\"module_name\\\" : \\\"NAPP\\\",\\n \\\"error_message\\\" : \\\"Helm add repo operation failed. Error: looks like https://projects.registry.vmware.com/chartrepo/nsx_application_platform is not a valid chart repository or cannot be reached: failed to fetch https://projects.registry.vmware.com/chartrepo/nsx_application_platform/index.yaml : 404 \\\\\\\\n\\\"\\n}\"}"
3. Certificate error - a private Harbor registry was used and its certificate was changed or has expired
2025-04-03T15:22:04.880Z ERROR Reconciler error {"request": {"name":"ee9c8efa-03af-495f-865b-4f602b1d7151","namespace":"nsxi-platform"}, "reconcileID": "f0abc6f0-99dc-44b3-9cb4-5cb8a043a0d0", "error": "subreconciler reconcileSetPlatformDeploymentConfig failed: failed to set fields in PlatformDeploymentConfig: error while executing API call to https://nsx-ee9c8efa-03af-495f-865b-4f602b1d7151/policy/api/v1/infra/sites/default/napp/deployment/platform: {\n \"httpStatus\" : \"BAD_REQUEST\",\n \"error_code\" : 46011,\n \"module_name\" : \"NAPP\",\n \"error_message\" : \"Helm add repo operation failed. Error: looks like https://projects.registry.vmware.com/v2/nsx_application_platform/helm-charts/ is not a valid chart repository or cannot be reached: Get https://projects.registry.vmware.com/v2/nsx_application_platform/helm-charts/index.yaml: tls: failed to verify certificate: x509: certificate signed by unknown authority\\\\n\"\n}"}sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandlerexternal/io_k8s_sigs_controller_runtime/pkg/internal/controller/controller.go:324sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItemexternal/io_k8s_sigs_controller_runtime/pkg/internal/controller/controller.go:265sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2external/io_k8s_sigs_controller_runtime/pkg/internal/controller/controller.go:226
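To sort a site-service log into the three cases above, the following script is an added example, not part of the original KB or of the product. It assumes the error strings shown in the sample logs; the function names are hypothetical and the sample lines are constructed with placeholder hostnames.

```shell
#!/bin/sh
# Added example (not from the KB): classify NAPP error 46011 lines from a
# site-service log into the three cases listed above. Match strings are
# copied from the article's sample logs; function names are hypothetical.

classify_helm_repo_error() {
    # $1 = one log line. Prints "<case> <registry-url>".
    line=$1
    case $line in
        *"Helm add repo operation failed"*) ;;
        *) printf '%s\n' "not-helm-repo-error -"; return 0 ;;
    esac
    # Registry URL that NSX still has configured, as quoted in the error.
    url=$(printf '%s\n' "$line" |
        sed -n 's/.*looks like \(https*:[^ ]*\) is not a valid.*/\1/p')
    case $line in
        *"x509:"*)            kind="certificate-error" ;;  # case 3
        *"index.yaml : 404"*) kind="repo-not-found" ;;     # case 2
        *"dial tcp"*)         kind="not-reachable" ;;      # case 1
        *)                    kind="unclassified" ;;
    esac
    printf '%s %s\n' "$kind" "${url:--}"
}

classify_log() {
    # stdin = site-service log; one result line per reconciler error.
    grep -i "reconciler error" | while IFS= read -r l; do
        classify_helm_repo_error "$l"
    done
}

sample_log() {
    # Constructed, shortened lines; hostnames and addresses are placeholders.
    cat <<'EOF'
2025-01-01T00:00:01.000Z ERROR Reconciler error {"error": "Helm add repo operation failed. Error: looks like https://registry.example.invalid/charts/ is not a valid chart repository or cannot be reached: Get https://registry.example.invalid/charts/index.yaml: dial tcp: lookup registry.example.invalid on 192.0.2.53:53: server misbehaving"}
2025-01-01T00:00:02.000Z ERROR Reconciler error {"error": "Helm add repo operation failed. Error: looks like https://registry.example.invalid/chartrepo/demo is not a valid chart repository or cannot be reached: failed to fetch https://registry.example.invalid/chartrepo/demo/index.yaml : 404 "}
2025-01-01T00:00:03.000Z ERROR Reconciler error {"error": "Helm add repo operation failed. Error: looks like https://harbor.example.invalid/charts/ is not a valid chart repository or cannot be reached: Get https://harbor.example.invalid/charts/index.yaml: tls: failed to verify certificate: x509: certificate signed by unknown authority"}
2025-01-01T00:00:04.000Z INFO reconcile complete
EOF
}

sample_log | classify_log
```

Against a real log, pipe the file into classify_log in place of sample_log, for example: classify_log < site-service-*.log.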
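Resolution: This is fixed in the next release of SSP.
If the NSX Manager is NOT airgapped, executing the following API call against the NSX Manager will remediate the issue (-u admin prompts for the admin password; --insecure skips verification of the NSX Manager certificate):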
curl --location --request PUT 'https://<nsx-manager-ip>/policy/api/v1/infra/sites/default/napp/deployment/registry/reset' -u admin --insecure
Enter host password for user 'admin':
If onboarding does not succeed after the above step or if the API returns an error similar to:
{
  "httpStatus": "BAD_REQUEST",
  "error_code": 46014,
  "module_name": "NAPP",
  "error_message": "Helm search chart operation failed. Exception occurred while calling get tags. Please refer to logs for more details."
}
Please raise a support ticket with Broadcom for further steps to remediate the issue.