NSX Edge transport Node shows MPA disconnected on NSX GUI after replacing internal certificates in NSX 4.#
Article ID: 411566

Products: VMware NSX

Issue/Introduction

  • After renewing the soon-to-expire internal certificates on the NSX Managers (by executing the CARR script), some NSX Edge transport nodes remain in the MPA disconnected state.
  • The NSX Edge VMs are reachable, and the ports required for communication with the NSX Managers (1234, 1235, 443) are open and connectivity tests to them succeed.
  • On the Edge node, the get managers command shows all NSX Managers as standby.
  • Syslog on the Edge node shows "sslv3 alert certificate unknown", as below:
####-##-##T##:##:##.###Z <NSXedge-name> NSX 7216 - [nsx@6876 comp="nsx-edge" subcomp="nsx-proxy" s2comp="nsx-net" tid="7236" level="WARNING"] StreamConnection[385 Connecting to ssl://<NSX_Manager_IP>:1235 sid:385] Couldn't connect to 'ssl://<NSX_manager_IP>:1235' (error: 336151574-sslv3 alert certificate unknown)

Cause

In some cases the NSX Managers fail to update the host certificate on the affected Edge nodes during the renewal. The Edge then keeps presenting a certificate the Managers no longer recognise, which leaves the Edge in this inconsistent (MPA disconnected) state.

Resolution

To resolve the error, perform the actions below on the failed Edge node:

  1. Get the API certificate thumbprint from any NSX Manager by executing the command:
    • get certificate api thumbprint
  2. On the Edge node, from the admin prompt, execute the following to sync the certificates and restart nsx-proxy:
    • push host-certificate <manager-IP-FQDN:port> username <username> thumbprint <cert-api-thumbprint-of-manager> password <password>
    • sync-aph-certificates <NSX-Manager-IP> username admin thumbprint <thumbprint> password <password>
    • /etc/init.d/nsx-proxy restart
      • Must be run as root on the Edge node
    • /etc/init.d/nsx-opsagent appliance restart
      • Must be run as root on the Edge node
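The following is an added example, not part of the KB article: a small POSIX sh triage helper that (a) pulls the Manager endpoints rejecting the Edge's certificate out of the nsx-proxy syslog warning quoted above, and (b) normalises thumbprints so the value returned by get certificate api thumbprint can be compared with the fingerprint the Manager actually presents on its API port, before that value is passed to push host-certificate. The syslog lines are constructed samples modelled on the article's warning; the assumption that the NSX CLI thumbprint is SHA-256 hex is mine.

```shell
#!/bin/sh
# Added example (not from the KB). Assumes the nsx-proxy warning format shown in
# the article and that "get certificate api thumbprint" prints a SHA-256 hex string.

# Constructed sample syslog lines (not real data), two of which carry the alert.
SAMPLE_LOG=$(cat <<'EOF'
2024-01-01T00:00:00.000Z edge01 NSX 7216 - [nsx@6876 comp="nsx-edge" subcomp="nsx-proxy" s2comp="nsx-net" tid="7236" level="WARNING"] StreamConnection[385 Connecting to ssl://10.0.0.11:1235 sid:385] Couldn't connect to 'ssl://10.0.0.11:1235' (error: 336151574-sslv3 alert certificate unknown)
2024-01-01T00:00:01.000Z edge01 NSX 7216 - [nsx@6876 comp="nsx-edge" subcomp="nsx-proxy" s2comp="nsx-net" tid="7236" level="INFO"] StreamConnection[386 Connecting to ssl://10.0.0.12:1235 sid:386] Connected
2024-01-01T00:00:02.000Z edge01 NSX 7216 - [nsx@6876 comp="nsx-edge" subcomp="nsx-proxy" s2comp="nsx-net" tid="7236" level="WARNING"] StreamConnection[387 Connecting to ssl://10.0.0.13:1235 sid:387] Couldn't connect to 'ssl://10.0.0.13:1235' (error: 336151574-sslv3 alert certificate unknown)
EOF
)

# Read syslog text on stdin; print each distinct manager:port that rejected the
# Edge's host certificate with the "certificate unknown" TLS alert.
managers_rejecting_cert() {
  grep 'sslv3 alert certificate unknown' |
    grep -o "Couldn't connect to 'ssl://[^']*'" |
    sed "s#.*ssl://##; s#'\$##" |
    sort -u
}

# Normalise a thumbprint to lowercase hex without separators, so the openssl
# "SHA256 Fingerprint=AB:CD:..." form and the NSX CLI form compare equal.
normalize_thumbprint() {
  printf '%s' "$1" | sed 's/^.*=//' | tr -d ':' | tr 'A-Z' 'a-z'
}

# Succeed only if two thumbprints denote the same certificate.
thumbprints_match() {
  [ "$(normalize_thumbprint "$1")" = "$(normalize_thumbprint "$2")" ]
}

# Fingerprint of the certificate a Manager presents on its API port (443), for
# comparison with the CLI thumbprint before pinning it. Needs network access
# and openssl; not invoked in the offline run below.
manager_api_thumbprint() {
  printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 |
    { IFS= read -r line; normalize_thumbprint "$line"; }
}

# Offline run over the constructed sample: lists 10.0.0.11:1235 and 10.0.0.13:1235.
printf '%s\n' "$SAMPLE_LOG" | managers_rejecting_cert
```

In practice, pipe the Edge's syslog into managers_rejecting_cert and, for each endpoint listed, compare manager_api_thumbprint of that Manager with the output of get certificate api thumbprint using thumbprints_match before running push host-certificate.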

 

Additional Information

If the issue still persists on the Edge node, perform the actions below.

Back up the existing host certificate and private key, then remove them from the Edge node:

  • cp /etc/vmware/nsx/host-cert.pem /etc/vmware/nsx/host-cert.pem.old
  • cp /etc/vmware/nsx/host-privkey.pem /etc/vmware/nsx/host-privkey.pem.old
  • rm -f /etc/vmware/nsx/host-cert.pem /etc/vmware/nsx/host-privkey.pem

Get the API certificate thumbprint from any NSX Manager by executing the command:

  • get certificate api thumbprint

Execute push host-certificate and sync-aph-certificates against the NSX Manager, then restart nsx-proxy and nsx-opsagent as below:

  • push host-certificate <manager-IP-FQDN> username <username> thumbprint <cert-api-thumbprint-of-manager> password <password>
  • sync-aph-certificates <NSX-Manager-IP> username admin thumbprint <thumbprint> password <password>
  • /etc/init.d/nsx-proxy restart
    • Must be run as root
  • /etc/init.d/nsx-opsagent appliance restart
    • Must be run as root

Refer to KB 369349.