"DNS configuration check on the Edge" blocking the edge upgrade or NSX Edge Node upgrade fails with the error "download and verify bundle failed with msg: closing connection 5

Article ID: 403857


Products

VMware NSX

Issue/Introduction

  • Since the 4.1.0 release, an FQDN requirement has been introduced on the trust store service. It decides whether the edge appliance communicates with the NSX Manager using an IP address or the FQDN.

  • The FQDN requirement is enabled (set to true) if the NSX Manager is deployed using a static management IP address and uses a CA certificate as a trust, or if the NSX Manager is created in dual stack. If the FQDN requirement is enabled on the NSX Manager, the NUB URL used to download the NUB file from the NSX Manager is created with the FQDN.

  • DNS configuration is not mandatory on the edge transport node. The edge upgrade therefore fails if DNS configuration is not present on an edge appliance created using a static management IP, because the NUB URL with the FQDN cannot be resolved.

  • Ping to NSX Manager IP address from NSX Edge fails

Environment

VMware NSX

Cause

  • During an edge upgrade, the upgrade coordinator (UC) creates the edge NUB URL, which the edge appliance uses to download the NUB bundle from the NSX Manager.

  • If the FQDN requirement is enabled on the NSX Manager, this NUB URL is created using the FQDN. When the edge uses this NUB URL to download the NUB bundle from the NSX Manager, the FQDN must be resolved on the edge appliance. A DNS configuration is therefore required on any edge appliance that was created using a static management IP address and does not have DNS configured.

  • DNS configuration is not mandatory on the edge transport node, so the edge upgrade fails if DNS configuration is not present on an edge appliance created using a static management IP.

Resolution

This issue is currently not fixed in any of the available NSX versions. 

Workaround:

As a workaround, configure DNS on the edge appliances that were created using a static management IP address and do not have DNS configured. This is a problem in scale setups, where the user has to configure DNS on each edge transport node.

Steps:

  1. Download the script from the KB.
        Script: configure_edge_dns.py
  2. Copy the script to one of the NSX Managers.
        scp configure_edge_dns.py root@<manager-IP>:/tmp/
  3. Execute the script (log in as the root user).
    1. SSH as the root user to the NSX Manager (<manager-IP>) where the script was copied.
        ssh root@<manager-IP>
    2. Execute the Python script using the following command:
        python /tmp/configure_edge_dns.py

Script Execution:

Script execution is interactive. If the FQDN requirement is disabled on the NSX Manager, the script prints the following:

Output of the script when FQDN requirement is disabled on the NSX manager:

FQDN requirement is not enabled on the NSX-T manager. DNS configuration check is not required.

Script executed successfully.

If the FQDN requirement is enabled on the NSX Manager and there are edges created using a static management address that do not have DNS configured, the script fetches the DNS configured on the NSX Manager and shows it to the user. The user can choose it or give a new DNS configuration (prefer the DNS configured on the NSX Manager). The script then applies this DNS configuration on all the impacted edge transport nodes.

Output of the script when FQDN requirement is enabled on the NSX manager and the DNS is applied successfully on the required impacted edge transport nodes:

FQDN requirement is enabled on the NSX-T manager. DNS configuration is required on edge nodes which has static IP on the management interface.
Proceed to update DNS Server IPs on the impacted edge transport nodes? (yes/no): yes

DNS Server IPs configured on NSX-T manager: 10.#.#.#

Do you want to use these DNS Server IPs set at NSX-T manager? (yes/no): yes
You are about to configure DNS server 10.#.#.# on edge node(s)? (yes/no): yes
Script executed successfully.

Logs of the script execution can be found at the following location on the NSX Manager:

/var/log/proton/configure_edge_dns_execution.log

Additional Information

From Version: Any version from 4.1.x and above
To Version: Any version to 9.0 or above
Impact: "DNS configuration check on the Edge" gets raised and blocks upgrade on UI

NSX manager Upgrade UI Logs:

Log location on the NSX manager: /var/log/upgrade-coordinator/upgrade-coordinator.log

 
2026-02-03T07:16:00.398Z WARNING pool-36-thread-8 UpgradeServiceImpl 2856583 SYSTEM [nsx@4413 comp="nsx-manager" level="WARNING" logger="UpgradeServiceImpl" msgID="SYSTEM" subcomp="upgrade-coordinator" threadName="pool-36-thread-8"] [PUC] Pre-upgrade check InspectionTaskInfo[acknowledgement=false,componentType=EDGE,description=This precheck prevents the upgrade from proceeding if DNS is not set up on an edge/VNA node that needs to download the upgrade nub via the NSX Manager URL using FQDN.,id=edgeDNSConfigCheck,name=DNS configuration check on the Edge/VNA,needsAcknowledgement=false,needsResolution=false,resolution=false,resolutionError=<null>] failed with result BasicInspectionTaskResult{status=FAILURE, taskInfo=InspectionTaskInfo[acknowledgement=false,componentType=EDGE,description=This precheck prevents the upgrade from proceeding if DNS is not set up on an edge/VNA node that needs to download the upgrade nub via the NSX Manager URL using FQDN.,id=edgeDNSConfigCheck,name=DNS configuration check on the Edge/VNA,needsAcknowledgement=false,needsResolution=false,resolution=false,resolutionError=<null>], failureMessages=null, failures=[{"moduleName":"upgrade-coordinator","errorCode":36011,"errorMessage":"DNS is not set up on Edge with ID 'ebaa####-e1a7-####-8564-a3b####0756d'. Cannot resolve the fqdn to fetch the upgrade bundle from NSX manager. Kindly refer to https://knowledge.broadcom.com/external/article/403857"}]}

 

From Version: Any version from 4.1.x and above
To Version: Any version to 4.1.x or 4.2.x
Impact: Edge upgrade will fail in download OS step, while downloading the nub file.

Log location on the NSX manager: /var/log/upgrade-coordinator/upgrade-coordinator.log

2026-02-05T07:32:44.075Z  INFO task-executor-7-1-workitem-EDGE-1####de-63d9-4##2-a##8-db#####e1##9 UcRepositoryServiceImpl 1405248 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="upgrade-coordinator"] fqdn_required flag for (dc1###42-784c-4##b-c##d-c0b#####f874 : ipv4 192.1##.##0.0 ipv6 ##00::5:75) node is true.
2026-02-05T07:33:16.704Z  INFO task-executor-7-1-workitem-EDGE-EDGE-1####de-63d9-4##2-a##8-db#####e1##9-rpc UpgradeMessagingServiceImpl 1405248 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="upgrade-coordinator"] decoding message, message bus type=com.vmware.nsx.upgrade_agent.PrepareUpgradeResponseMsg expected type=com.vmware.nsx.upgrade_agent.UagentMessage.PrepareUpgradeResponseMsg
2026-02-05T07:33:16.704Z  INFO task-executor-7-1-workitem-EDGE-EDGE-1####de-63d9-4##2-a##8-db#####e1##9-rpc UpgradeMessagingServiceImpl 1405248 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="upgrade-coordinator"] decoded type=com.vmware.nsx.upgrade_agent.PrepareUpgradeResponseMsg msg=header {
  state: CMD_ERROR
  info: "*   Trying (with httplib) sr026862-nsxmanager-ob-24278654-1-2602######49-###a-sr0####2.private.########.net:443...\n* Closing connection 0\nWarning: Transient problem:  Will retry in 1 seconds. 5 retries left.\n*   Trying (with httplib) sr026862-nsxmanager-ob-24278654-1-2602######49-###a-sr0####2.private.########.net:443...\n* Closing connection 1\nWarning: Transient problem:  Will retry in 2 seconds. 4 retries left.\n*   Trying (with httplib) sr026862-nsxmanager-ob-24278654-1-2602######49-###a-sr0####2.private.########.net:443...\n* Closing connection 2\nWarning: Transient problem:  Will retry in 4 seconds. 3 retries left.\n*   Trying (with httplib) sr026862-nsxmanager-ob-24278654-1-2602######49-###a-sr0####2.private.########.net:443...\n* Closing connection 3\nWarning: Transient problem:  Will retry in 8 seconds. 2 retries left.\n*   Trying (with httplib) sr026862-nsxmanager-ob-24278654-1-2602######49-###a-sr0####2.private.########.net:443...\n* Closing connection 4\nWarning: Transient problem:  Will retry in 16 seconds. 1 retries left.\n*   Trying (with httplib) sr026862-nsxmanager-ob-24278654-1-2602######49-###a-sr0####2.private.########.net:443...\n* Closing connection 5\ncurl_wrapper: (28) Failed to connect to sr026862-nsxmanager-ob-24278654-1-2602######49-###a-sr0####2.private.########.net port 443: [Errno -3] Temporary failure in name resolution\n"
2026-02-05T07:33:25.549Z  INFO http-nio-127.0.0.1-7442-exec-4 UpgradeCoordinatorFacadeImpl 1405248 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="upgrade-coordinator"] Component: EDGE, status: FAILED, % complete: 16.0, details: Prepare edge upgrade bundle https://sr026862-nsxmanager-ob-24278654-1-2602######49-###a-sr0####2.private.########.net/repository/4.2.3.0.0.24866349/Edge/nub/VMware-NSX-edge-4.2.3.0.0.24866356.nub failed on edge TransportNode EDGE-1####de-63d9-4##2-a##8-db#####e1##9: clientType EDGE , target edge fabric node id EDGE-1####de-63d9-4##2-a##8-db#####e1##9, return status Download and verify bundle failed with msg: Closing connection 5 ., canSkip: true
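
A triage sketch for the two log signatures shown above, added here as an example (it is not Broadcom's code and not the attached configure_edge_dns.py). It assumes upgrade-coordinator.log lines follow the formats in this article; the sample lines, the edge IDs and the host name nsxmgr.example.test are constructed.

```python
import json
import re
# Signature 1: failed edgeDNSConfigCheck precheck carrying a JSON "failures" array.
PRECHECK_RE = re.compile(r"id=edgeDNSConfigCheck.*?failures=(\[.*\])\}\s*$")
EDGE_ID_RE = re.compile(r"Edge with ID '([^']+)'")
# Signature 2: a resolver error reported by the edge, then a failed NUB download.
RESOLVER_ERR = "Temporary failure in name resolution"
DOWNLOAD_RE = re.compile(
    r"Prepare edge upgrade bundle https://([^/\s]+)/\S+ failed on edge "
    r"TransportNode ([^:\s]+):.*Download and verify bundle failed")

def triage(lines):
    """Return (edges failing the precheck, {edge: unresolved manager FQDN})."""
    precheck_edges, download_failures = set(), {}
    resolver_error_pending = False
    for line in lines:
        m = PRECHECK_RE.search(line)
        if m:
            try:
                failures = json.loads(m.group(1))
            except json.JSONDecodeError:
                failures = []  # truncated line: skip it instead of crashing
            for failure in failures:
                edge = EDGE_ID_RE.search(failure.get("errorMessage", ""))
                if failure.get("errorCode") == 36011 and edge:
                    precheck_edges.add(edge.group(1))
        elif RESOLVER_ERR in line:
            resolver_error_pending = True
        else:
            m = DOWNLOAD_RE.search(line)
            if m and resolver_error_pending:
                # Heuristic (assumption): DNS-related only if a resolver error preceded it.
                download_failures[m.group(2)] = m.group(1)
            if m:
                resolver_error_pending = False
    return precheck_edges, download_failures

# Constructed sample lines, shortened from the formats shown in this article.
SAMPLE = [
    'WARNING [PUC] Pre-upgrade check InspectionTaskInfo[id=edgeDNSConfigCheck] failed '
    'with result BasicInspectionTaskResult{status=FAILURE, failureMessages=null, failures='
    '[{"moduleName":"upgrade-coordinator","errorCode":36011,"errorMessage":'
    "\"DNS is not set up on Edge with ID 'edge-aaaa'. Cannot resolve the fqdn\"}]}",
    '  info: "* Closing connection 5\\ncurl_wrapper: (28) Failed to connect to '
    'nsxmgr.example.test port 443: [Errno -3] Temporary failure in name resolution\\n"',
    "INFO details: Prepare edge upgrade bundle https://nsxmgr.example.test/repository/"
    "x/Edge/nub/edge.nub failed on edge TransportNode EDGE-bbbb: clientType EDGE , return "
    "status Download and verify bundle failed with msg: Closing connection 5 ., canSkip: true",
]
```

Calling triage() on the lines of /var/log/upgrade-coordinator/upgrade-coordinator.log returns the edges that still need DNS configured before the upgrade is retried.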

 

Attachments

configure_edge_dns.py