NSX load balancer pool member is down after NSX edge upgrade from NSX 3.2 to NSX 4.2
Article ID: 393524
Updated On:
Products
VMware NSX
Issue/Introduction
- Pool member is down after NSX edge upgrade from NSX 3.2 to NSX 4.2.
- NSX manager UI shows
'SSL handshake failure'. - Testing SSL connection from NSX edge to pool member with specified cipher and SSL protocol shows handshake failure.
openssl s_client -connect <virtual-ip>:<port> -cipher <new-cipher-name> -tls1_2
Environment
VMware NSX
Cause
Cipher mismatch between NSX and pool members.
Resolution
- In NSX manager UI go to
Load Balancing > Profiles > SSLexpand the profile configured and check'Supported SSL Ciphers'. Check if supported ciphers on both pool members and NSX manager match. - In case of any difference edit existing SSL profile or create a new SSL profile with required ciphers.
- For more information, Refer: https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-2/administration-guide/load-balancer/setting-up-load-balancer-components/setting-up-virtual-server-components/add-an-ssl-profile.html
Additional Information
If SSL ciphers are matching please open a support case with Broadcom.
Customer can also create a custom Client and Server SSL Profile using the custom option in the manager UI. Reference screenshot:
Also refer: Server pool in Degraded state after upgrading to NSX 4.2.x
NSX 4.2 upgrades to OpenSSL 3.0. OpenSSL 3.0 has stricter requirements for SSL protocol, cipher suite and certificates. Please refer to following KB for more information.
How to remediate NSX load balancer upgrade pre-check failing with message regarding OpenSSL 3.0 compliance
Feedback
Yes
No
Powered by
