NSX Edge node MPA Connectivity Down state due to expired transport node certificate
Article ID: 409760
Updated On:
Products
Issue/Introduction
- Edge nodes in unknown status with MPA Connectivity Down error
- You may see log entries similar to the following
/var/log/syslog of Manager node
2025-09-02T07:46:40.280Z nsx-mgr1.########.local NSX 1464 - [nsx@6876 comp="nsx-manager" errorCode="MP101" level="ERROR" subcomp="ccp"] Closing connection NettyConnection(NettyChannel(local=<MANAGER NODE IP ADDRESS>:1235, remote=<EDGE NODE IP>:58162), active=false) because of unhandled exception io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Certificate expired for UID=########-8985-####-b4be-############ ......
/var/log/syslog of Edge node
2025-09-02T11:13:35.771Z nsx-edge1.########.local NSX 708971 - [nsx@6876 comp="nsx-edge" subcomp="nsx-proxy" s2comp="nsx-rpc" tid="708991" level="INFO"] ConnectionKeeper[4 ssl://<MANAGER NODE IP>:1234] attempting connection from timer callback2025-09-02T11:13:35.787Z nsx-edge1.########.local NSX 708971 - [nsx@6876 comp="nsx-edge" subcomp="nsx-proxy" s2comp="nsx-net" tid="708991" level="WARNING"] StreamConnection[9996 Connecting to ssl://<MANAGER NODE IP:1234 sid:9996] Couldn't connect to 'ssl://<MANAGER NODE IP>:1234' (error: 335544539-short read)
- Validate that host certificate in transport node shows expired using below commands
For example:
EdgeNode# openssl x509 -startdate -enddate -noout -in /etc/vmware/nsx/host-cert.pem
notBefore=Apr 25 07:28:11 2023 GMTnotAfter=Jul 28 07:28:11 2025 GMT <<<
Environment
VMware NSX
Cause
SSL negotiation failure in the control channel connection between the NSX Manager and the NSX Edge TN due to an expired NSX Transport Node certificate.
Resolution
Once the NSX Edge is in the MPA Connectivity Down state, the CARR script cannot be used to regenerate the NSX TN certificate as the NSX Managers can no longer communicate with the Edges.
-
- Once the Edge is in this state, follow the steps in KB Alarm For Transport Node Certificate Has Expired to delete the expired certificate and generate a new, 10 year, certificate.
Note: If you do not have access to CLI on the Edge nodes, it will be necessasry to redeploy the Edges affected to resolve this issue by following Redeploy an Edge VM Appliance.
Additional Information
If the NSX Edge TN certificates are not yet expired, or within the 24 hour grace period, refer to KB Alarm For Transport Node Certificate Expiration Approaching instead.
Another cause for the MPA Connectivity Down state can be found at NSX Edge shows configuration status as MPA Connectivity Down.
If the NSX TN cert has been renewed, and afterwards one or more Edge nodes status remain Failed, it may be due to Edge node config in Failed state due to certificate validation failed.
Feedback
