Common Symptoms:
CCP session message disconnected state - can be seen this in multiple ways:
NSX UI Alarms: "Control Channel to Transport Node Down" or "Control Channel to Transport Node Down Long".
NSX UI: System > Fabric > Hosts > Transport Nodes shows "Degraded" or "Down" status.
vMotion failures with error: "lcp.ccpSession down". Further details can be found at https://knowledge.broadcom.com/external/article?articleNumber=394198
ESXi command shows: net-dvs -l | grep -i down.
Output: com.vmware.common.opaqueDvs.status.component.lcp.ccpSession = down
New configuration update from API or NSX UI cannot be realized on the Transport Nodes (ESXi Hosts, Edge Nodes or VNA Nodes).
1 Alarms reported by CCP for TN disconnection events (nsx-proxy service or nsx-nestdb service)
1.1 [Control Channel to Transport Node Down] CCP reports a short alarm for a TN disconnection event due to either the nsx-proxy or nsx-nestdb service being down
If the connection between CCP and TN, or the channel between CCP and nsx-nestdb, is down for 3 minutes, CCP will report a disconnection alarm as shown in the image below.
1.2. [Control Channel to Transport Node Down Long] CCP reports long-term alarm for TN disconnection due to nsx-proxy or nsx-nestdb service down
If the connection between CCP and TN, or the channel between CCP and nsx-nestdb, remains down for 15 minutes after the "Controller Channel to Transport Node Down" alarm is raised, a "Control Channel to Transport Node Down Long" alarm will be reported, as shown in the image below.
2. Alarms reported by TN for CCP disconnection event
2.1. [Control Channel to Manager Node Down] TN reports CCP service down short alarm disconnection event
If the connection between CCP and TN is down for 3 minutes, TN will report a disconnection alarm via the MPA channel, as shown in the image below.
2.2. [Control Channel to Manager Node Down Too Long] TN reports CCP service down long alarm disconnection event
If the connection between CCP and TN remains down for 15 minutes after the "Control Channel to Manager Node Down" alarm is raised, a "Control Channel to Manager Node Down Too Long" alarm will be reported via the MPA channel, as shown in the image below.
3. vMotion failure due to 'lcp.ccpSession down'
VM migration will fail with the reason "lcp.ccpSession down" if the connection between CCP and nsx-proxy is down on either the source or destination TN, as shown in the image below.
VMware NSX-T 3.2.x and later
VMware Cloud Foundation
1. Review NSXCLI "get controllers" result on TN (ESXi Node, Edge Node or VNA Node).
1.1. "get controllers" status is "connected"
Controller IP Port SSL Status Is Physical Master Session State Controller FQDN Failure Reasonx.x.x.77 1235 enabled connected true up NA NA
1.2. "get controllers" failed to run
> get controllers
% Failed to get controller list
Action: Please check the status of the nsx-proxy and nsx-nestdb services.
Resolution: Start these services, If they are not running.
#/etc/init.d/nsx-nestdb status
#/etc/init.d/nsx-proxy status
1.3. "get controllers" result is empty
> get controllers
Mon Jan 19 2026 UTC 06:31:32.427
Controller IP Port SSL Status Is Physical Master Session State Controller FQDN Failure Reason
This indicates that the /etc/vmware/nsx/controller-info.xml file is empty.
Actions:
1. Check nsx-opsagent service is up and running on TN: /etc/init.d/nsx-opsagent status
2. Check nsx-proxy connectivity with manager. Execute the command below using NSXCLI on TN to verify that the "get managers" result is connected.
> get managers
Wed Jan 14 2026 UTC 13:26:05.437
- x.x.x.77 Connected (NSX-RPC) *
3. Check the channel status between nsx-opsagent and nsx-proton services.
Resolution: Take appropriate steps based on the issues identified while performing the actions.
1.4. "get controllers" status is "disconnected"
On ESX, Log location <LOG_FILE> : /var/run/log/nsx-syslog.log
On Edge, Log location <LOG_FILE>: /var/log/syslog
On VNA, Log location <LOG_FILE>: /var/log/syslog
1.5. Connection Failure Reason Identification Guide
Table helps you to identify the failure reason by analyzing nsx-proxy logs on TN in following cases:
- "get controllers" output "Failure Reason" column is empty.
- "get controllers" output "Failure Reason" column shows "NA".
- "get controllers" output "Failure Reason" does not match the failure reason listed in the table.
Failure Reason | Identification |
CERT_VALIDATION_FAILED | Example log:
|
CONNECTION_REFUSED | Example log:
|
CONNECTION_TIMED_OUT | Example log:
|
CONTROLLER_REJECTED_HOST_CERT
| Example log (NSX 4.1+): Example log (Until 4.1):
|
CONTROLLER_UNREACHABLE
| Example log:
|
CRL_CERTIFICATE_REVOKED
| Example log:
|
CRL_VALIDATION_FAILED
| Example log:
|
HOST_NOT_FOUND
| Example log:
|
HOST_REJECTED_CONTROLLER_CERT
| Example log:
|
| MAINTENANCE_MODE | Example output:
|
VERSION_MASTERSHIP_HANDSHAKE_FAILURE | Connection is establishing with CCP but the VersionMastershipHandshake is failing. Complete handshake complete logs: stub creation failure with Version Mastership Handshake service:Version Check logs and failures: GetMaster call logs and failures: DataSync logs and failures (V2 Only - NSX 9.0 and above): |
1.6. Failure Reason Resolution Guide
This table helps you quickly identify the issue and what to do about it.
Failure Reason | Root Cause | Resolution |
CERT_VALIDATION_FAILED
| Controller certificate was created with wrong settings or configurations.
|
#openssl x509 -in <controller_cert> -text
|
CONNECTION_REFUSED | NSX Controller service is not running on NSX Manager |
|
CONNECTION_TIMED_OUT | Cannot reach NSX Manager (due to firewall or network issue) |
|
CONTROLLER_REJECTED_HOST_CERT
| TN certificate validation failed on the Controller side. The TN certificate may be expired, not trusted, or invalid.
|
#openssl x509 -in /etc/vmware/nsx/host-cert.pem -text
#grep -ia "NsxTrustManager" /var/log/cloudnet/nsx-ccp.log
#grep -ia "NsxTrustManager" /var/log/cloudnet/nsx-ccp.log | grep -ia "Untrusted Chain\|Client certificate not allow-listed:\|Client certificate not white-listed:"
#grep -ia "Certificate expired" /var/log/cloudnet/nsx-ccp.log
#grep -ia "Certificate not valid yet for" /var/log/cloudnet/nsx-ccp.log
#egrep -ia "(CRL check failed:|Certificate revoked for)" /var/log/cloudnet/nsx-ccp.log
|
CONTROLLER_UNREACHABLE
| Resolved FQDN IP address is not reachable.
|
|
CRL_CERTIFICATE_REVOKED
| Controller certificate has been revoked (marked as untrusted).
|
#/opt/vmware/nsx-nestdb/bin/nestdb-cli --json --cmd get vmware.nsx.nestdb.CrlCertificatesCacheMsg
|
CRL_VALIDATION_FAILED
| Certificate trust store service issue on NSX Manager.
|
#/etc/init.d/nsx-proton status #/etc/init.d/nsx-appl-proxy status
|
HOST_NOT_FOUND
| Host cannot find NSX manager by name (DNS issue)
|
|
HOST_REJECTED_CONTROLLER_CERT
| Controller certificate has expired, or not trusted by nsx-proxy on TN.
|
#grep -ia "Certificate validation failed" <LOG_FILE> | grep -ia nsx-proxy
|
MAINTENANCE_MODE | TN is in maintenance mode (expected during upgrades or patching) |
|
VERSION_MASTERSHIP_HANDSHAKE_FAILURE | In this case, the "get controller" status is set to "disconnected" with "Failure Reason" as "NA" due to a version mastership handshake failure with the Controller. |
|
1.7. List of services involved in maintaining controller connectivity healthy
| Node Type | Service Name | Service Status Command | Service Start Command | Reason |
| TN | nsx-proxy | /etc/init.d/nsx-proxy status | /etc/init.d/nsx-proxy start | Needed for interaction/connection with UA CCP service. |
| TN | nsx-opsagent | /etc/init.d/nsx-opsagent status | /etc/init.d/nsx-opsagent start | Needed for controller info details which is used by nsx-proxy to connect to UA CCP service. |
| TN | nsx-nestdb | /etc/init.d/nsx-nestdb status | /etc/init.d/nsx-nestdb start | Needed for CCP to push policy configuration to the NestDB on TN. |
| UA | nsx-ccp | /etc/init.d/nsx-ccp status | /etc/init.d/nsx-ccp start | Needed for TN, for nsx-proxy to connect to CCP. |
| UA | nsx-appl-proxy | /etc/init.d/nsx-appl-proxy status | /etc/init.d/nsx-appl-proxy start | Needed for the controller related details which would be sent to TN. |
| UA | nsx-proton | /etc/init.d/nsx-proton status | /etc/init.d/nsx-proton start | Needed for certificate/controller details which would be sent to TN. |
If any of the above listed service is down, then execute service start command as listed above and execute "get controllers" on the TN (ESXi Hosts, Edge Nodes or VNA Nodes) using NSXCLI to check the latest connectivity status.
Execute the nsx_proxy runbook on ESX, Edge or VNA transport node.
If there is any step which fails as part of runbook execution then please follow the remediation mentioned as part of each runbook step.
On 4.2.x and 9.0.x, nsx_proxy runbook is marked as internal. Run the below commands to execute nsx_proxy runbook from nsxcli. (no runbook available for earlier releases)
set service nsx-ods running-level internal
start invocation runbook nsx_proxy
On 9.1.x and above, nsx_proxy runbook is marked as external. Run the below command to execute the nsx_proxy runbook from nsxcli.
start invocation runbook nsx_proxy
Detailed runbook steps
1. Nsx-proxy service statusConclusion : Service nsx-proxy is downRecommendation : Please restart nsx-proxy by invoking `/etc/init.d/nsx-proxy restart`.Artifact Bundle : <none>Steps
Step Number : 1 Step Action : Fetch nsx-proxy service status. Step Result : Service nsx-proxy is down
2. Nsx-opsagent service statusConclusion : Service nsx-opsagent is downRecommendation : Please restart nsx-opsagent by invoking `/etc/init.d/nsx-opsagent restart`.Artifact Bundle : <none>Steps
Step Number : 2 Step Action : Fetch nsx-opsagent service status. Step Result : Service nsx-opsagent is down
3. Nsx-nestDb service statusConclusion : Service nsx-nestdb is downRecommendation : Please restart nsx-nestdb by invoking `/etc/init.d/nsx-nestdb restart`.Artifact Bundle : <none>Steps
Step Number : 3 Step Action : Fetch nsx-nestdb service status. Step Result : Service nsx-nestdb is down
4. Maintenance modeConclusion : Maintenance mode is enabled on this transport node, existing connection between controller channel and transport node is closed.Recommendation : To enable the connection between controller channel and transport node please disable the NSX maintenance mode from the manager UI console.Artifact Bundle : <none>Steps
Step Number : 4 Step Action : Check whether Maintenance mode is enabled on Transport Node. Step Result : Maintenance mode is enabled on this transport node, existing connection between controller channel and transport node is closed.
5. Authenticity verification for appliance-info.xml contentConclusion : Detected duplicate nodes in Appliance nodes configuration settings, node details: [IPv4Address('x.x.x.x')].Recommendation : To get the thumbprint run this following command in NSXCLI on Unified Appliance node 'get certificate api thumbprint'. Login into NSXCLI and run the command 'sync-aph-certificates <manager-hostname-or-ip-address[:port]> username <username> thumbprint <thumbprint> [password <password>]'. Restart nsx-proxy service by invoking `/etc/init.d/nsx-proxy restart' on transport node.Artifact Bundle : <none>Steps
Step Number : 5 Step Action : Check whether Appliance nodes settings are empty or duplicate. Step Result : Detected duplicate nodes in Appliance nodes configuration settings, node details: [IPv4Address('x.x.x.x')].
6. Authenticity verification for controller-info.xml contentConclusion : Detected duplicate nodes in Controller channel configuration settings, node details: [IPv4Address('x.x.x.x')].Recommendation : On Unified Appliance, login into NSXCLI and run 'set ccp-info' to publish the latest Controller channel configuration settings. Please restart nsx-proxy by invoking `/etc/init.d/nsx-proxy restart` to reconfigure the Controller channel configuration settings on this transport node.Artifact Bundle : <none>Steps
Step Number : 6 Step Action : Check whether Controller nodes settings are empty or duplicate. Step Result : Detected duplicate nodes in Controller channel configuration settings, node details: [IPv4Address('x.x.x.x')].
7. Appliance proxy service on UA is downConclusion : Appliance channel ping test failed for nodes: [] and port test failed for nodes: [IPv4Address('x.x.x.x')].Recommendation : For ping failure please fix the network issues as the mentioned Appliance channel nodes are not reachable. For port failure please check cluster status by invoking '/api/v1/cluster/status' and firewall status. For more details, please invoke CCP-TN runbook on Unfiied Appliance.Artifact Bundle : <none>Steps
Step Number : 7 Step Action : Perform ping and port status check for all Appliance channel nodes. Step Result : Appliance channel ping test failed for nodes: [] and port test failed for nodes: [IPv4Address('x.x.x.x')].
8. Controller service on UA is downConclusion : Controller channel ping test failed for nodes: [] and port test failed for nodes: [IPv4Address('x.x.x.x')].Recommendation : For ping failure please fix the network issues as the mentioned Controller channel nodes are not reachable. For port failure please check cluster status by invoking '/api/v1/cluster/status' and firewall status. For more details, please invoke CCP-TN runbook on Unfiied Appliance.Artifact Bundle : <none>Steps
Step Number : 8 Step Action : Perform ping and port status check for all Controller channel nodes. Step Result : Controller channel ping test failed for nodes: [] and port test failed for nodes: [IPv4Address('x.x.x.x')].
9. Controller node rejected TN certificateConclusion : Controller channel has rejected transport node certificate for UUID: d866314b-####-####-####-8048fd906354.Recommendation : To get the thumbprint run this following command in NSXCLI on Unified Appliance node 'get certificate api thumbprint'. Login into NSXCLI and run the command on transport node by providing username, password and thumbprint. 'push host-certificate <hostname-or-ip-address[:port]> username <username> thumbprint <thumbprint>'.Artifact Bundle : <none>Steps
Step Number : 9 Step Action : Perform certification validation for all Controller channel nodes. Step Result : Controller channel has rejected transport node certificate for UUID: d866314b-####-####-####-8048fd906354.
10. TN rejected controller node certificateConclusion : Transport node has rejected Controller channel certificate for node UUID: d866314b-####-####-####-8048fd906354.Artifact Bundle : <none>Steps
Step Number : 10 Step Action : Perform certification validation for all Controller channel nodes. Step Result : Transport node has rejected Controller channel certificate for node UUID: d866314b-####-####-####-8048fd906354.
11. TN rejected Appliance node certificateConclusion : Transport node has rejected Appliance channel certificate for node UUID: d866314b-####-####-####-8048fd906354.Artifact Bundle : <none>Steps
Step Number : 9 Step Action : Perform certification validation for all Appliance channel nodes. Step Result : Transport node has rejected Appliance channel certificate for node UUID: d866314b-####-####-####-8048fd906354.
12. CRL validation for controller node certificate revoked recommendation- !Message key: controller_channel_certificate_revoked type: - rcmd message: | Please replace the Controller channel node certificate using '/api/v1/trust-management/certificates/<cert-id>?action=apply_certificate'.\n\t\t For certificate revocation validation failed, on Unified Appliance execute '/etc/init.d/proton restart' and login into NSXCLI and execute the command 'restart service applianceproxy'.
13. CRL validation for appliance node certificate revoked recommendation- !Message key: appliance_channel_certificate_revoked type: - rcmd message: | Please replace the Appliance channel node certificates using 'api/v1/trust-management/certificates/<certificate-id>?action=apply_certificate&service_type=APH_TN&node_id=<mp-id-corresponding-to-aph>'.\n\t\t To get the thumbprint run this following command in NSXCLI on Unified Appliance node 'get certificate api thumbprint'.\n\t\t On Transport node stop nsx-proxy and execute the NSXCLI command 'sync-aph-certificates <manager-hostname-or-ip-address[:port]> username <username> thumbprint <thumbprint> [password <password>]'.\n\t\t On Transport node, restart nsx-proxy by invoking '/etc/init.d/nsx-proxy restart'.\n\t\t For certificate revocation validation failed, on Unified Appliance login into NSXCLI and execute the command 'restart service applianceproxy' and '/etc/init.d/proton restart'.
14. Transport node certificate expired recommendation- !Message key: transport_node_certificate_expired_rcmd type: - rcmd message: | If the Transport Node<->Controller channel connection is up then execute /api/v1/trust-management/certificates/action/replace-host-certificate/<TN-UUID>.\n\t\t Else, please delete '/etc/vmware/nsx/host-cert.pem', '/etc/vmware/nsx/host-privkey.pem'.\n\t\t On Transport node, restart nsx-proxy by invoking '/etc/init.d/nsx-proxy restart' to generate new certificate file.\n\t\t To get the thumbprint run this following command in NSXCLI on Unified Appliance node 'get certificate api thumbprint'.\n\t\t Login into NSXCLI and run the command on transport node by providing username, password and thumbprint. 'push host-certificate <hostname-or-ip-address[:port]> username <username> thumbprint <thumbprint>'.
15. Controller node certificate expired recommendation- !Message key: controller_cert_expired_rcmd type: - rcmd message: | Please replace the Controller channel node certificate using '/api/v1/trust-management/certificates/<cert-id>?action=apply_certificate'.
16. Appliance node certificate expired recommendation- !Message key: appliance_cert_expired_rcmd type: - rcmd message: | Please replace the Appliance channel node certificates using 'api/v1/trust-management/certificates/<certificate-id>?action=apply_certificate&service_type=APH_TN&node_id=<mp-id-corresponding-to-aph>'.\n\t\t On Transport node stop nsx-proxy by invoking '/etc/init.d/nsx-proxy stop' and execute the NSXCLI command 'sync-aph-certificates <manager-hostname-or-ip-address[:port]> username <username> thumbprint <thumbprint> [password <password>]'.\n\t\t On Transport node, restart nsx-proxy by invoking '/etc/init.d/nsx-proxy restart'.