NSX Edge transport Node shows MPA disconnected on NSX GUI after replacing internal certificates in NSX 4.1.x

Article ID: 411566


Products

VMware NSX

Issue/Introduction

  • After renewing the internal certificates on the NSX Managers that were about to expire (by executing the CARR script), the NSX Edge transport nodes remained in the MPA disconnected state.
  • The NSX Edge VMs are reachable, and the ports required for communication with the NSX Managers (1234, 1235, 443) are open and connect successfully.
  • All managers show as standby when the "get managers" command is executed on the Edge node.
  • Syslog on the Edge nodes shows "sslv3 alert certificate unknown", as below:
XXXX-XX-XXTXX:XX:XX.XXXZ <NSXedge-name> NSX 7216 - [nsx@6876 comp="nsx-edge" subcomp="nsx-proxy" s2comp="nsx-net" tid="7236" level="WARNING"] StreamConnection[385 Connecting to ssl://<NSX_Manager_IP>:1235 sid:385] Couldn't connect to 'ssl://<NSX_manager_IP>:1235' (error: 336151574-sslv3 alert certificate unknown)
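The warning quoted above can be picked out of Edge syslog automatically rather than by eye. The following Python is an added example, not VMware code and not part of this KB: it parses nsx-proxy StreamConnection connect-failure lines in the layout shown, and reports which Edge nodes fail the TLS handshake to which managers with the "certificate unknown" alert, while ignoring other connection failures. The sample log lines, Edge names (edge-01, edge-02) and manager addresses (192.0.2.x) are constructed; the field names in the parsed event and the APH_PORTS set are labels and assumptions chosen for this example, not NSX schema names.

```python
"""Flag the nsx-proxy 'certificate unknown' symptom from NSX Edge syslog lines.

Added example (not VMware code). The message layout follows the nsx-proxy
warning quoted in the KB; every sample line below is constructed.
"""
import re
from collections import defaultdict

# The quoted warning shows nsx-proxy connecting to manager port 1235; 1234 is
# included as the other nsx-proxy port the KB lists (assumption). 443 is
# left out because the quoted warning does not concern it.
APH_PORTS = {1234, 1235}

# Layout of the StreamConnection warning quoted in the KB. Group names are
# labels chosen for this example, not NSX field names.
NSX_PROXY_CONNECT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<edge>\S+) NSX \d+ - "
    r"\[nsx@6876 (?P<kv>[^\]]*)\] "
    r"StreamConnection\[\d+ Connecting to ssl://(?P<mgr>[^:\s]+):(?P<port>\d+) sid:\d+\] "
    r"Couldn't connect to 'ssl://[^']+' \(error: (?P<code>\d+)-(?P<alert>[^)]+)\)$"
)
# key="value" pairs inside the [nsx@6876 ...] structured-data block.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: edge-01 is rejected by both managers with the certificate
# alert, edge-02 has an unrelated connection failure and then connects fine.
SAMPLE_LOG = [
    '2024-05-01T10:15:32.123Z edge-01 NSX 7216 - [nsx@6876 comp="nsx-edge" '
    'subcomp="nsx-proxy" s2comp="nsx-net" tid="7236" level="WARNING"] '
    "StreamConnection[385 Connecting to ssl://192.0.2.11:1235 sid:385] "
    "Couldn't connect to 'ssl://192.0.2.11:1235' "
    "(error: 336151574-sslv3 alert certificate unknown)",
    '2024-05-01T10:15:33.401Z edge-01 NSX 7216 - [nsx@6876 comp="nsx-edge" '
    'subcomp="nsx-proxy" s2comp="nsx-net" tid="7236" level="WARNING"] '
    "StreamConnection[386 Connecting to ssl://192.0.2.12:1235 sid:386] "
    "Couldn't connect to 'ssl://192.0.2.12:1235' "
    "(error: 336151574-sslv3 alert certificate unknown)",
    '2024-05-01T10:15:40.500Z edge-02 NSX 7216 - [nsx@6876 comp="nsx-edge" '
    'subcomp="nsx-proxy" s2comp="nsx-net" tid="7236" level="WARNING"] '
    "StreamConnection[390 Connecting to ssl://192.0.2.11:1235 sid:390] "
    "Couldn't connect to 'ssl://192.0.2.11:1235' (error: 111-Connection refused)",
    '2024-05-01T10:15:41.002Z edge-02 NSX 7216 - [nsx@6876 comp="nsx-edge" '
    'subcomp="nsx-proxy" s2comp="nsx-net" tid="7236" level="INFO"] '
    "StreamConnection[391 Connected to ssl://192.0.2.11:1235 sid:391]",
]


def parse_line(line):
    """Return a dict of fields for an nsx-proxy connect-failure line, else None."""
    m = NSX_PROXY_CONNECT_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    # Flatten comp/subcomp/tid/level from the structured-data block.
    event.update(dict(KV_RE.findall(event.pop("kv"))))
    event["port"] = int(event["port"])
    event["code"] = int(event["code"])
    return event


def is_certificate_unknown(event):
    """True when the manager's TLS stack rejected nsx-proxy with the
    'certificate unknown' alert on a manager port, i.e. the KB's symptom."""
    return (
        event.get("subcomp") == "nsx-proxy"
        and event["port"] in APH_PORTS
        and "certificate unknown" in event["alert"]
    )


def affected_edges(lines):
    """Map each Edge node showing the symptom to the sorted managers it fails against."""
    hits = defaultdict(set)
    for line in lines:
        event = parse_line(line)
        if event is not None and is_certificate_unknown(event):
            hits[event["edge"]].add(event["mgr"])
    return {edge: sorted(mgrs) for edge, mgrs in hits.items()}


if __name__ == "__main__":
    for edge, managers in affected_edges(SAMPLE_LOG).items():
        print(f"{edge}: certificate unknown against {', '.join(managers)}")
```

Feed it the nsx-proxy lines from the Edge's syslog (or from a central collector) and it lists the Edge nodes that need the certificate sync described under Resolution; an Edge whose only failures are other errors, such as the constructed connection-refused line, is deliberately not reported, since that is a different fault.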

Environment

4.1.0.2

Cause

In some cases the NSX Managers fail to update the host certificates on the affected Edge nodes, which leaves those Edge nodes in this inconsistent state.

Resolution

To resolve the error, perform the following actions on the failed Edge node:

Get the certificate API thumbprint from the NSX Manager by executing the command: get certificate api thumbprint

On the Edge node, at the admin prompt, execute the following to sync the certificates and restart nsx-proxy:

  • sync-aph-certificates NSX-Manager-IP username admin thumbprint <thumbprint> password <password>
  • /etc/init.d/nsx-proxy restart

Additional Information

If the issue still persists on the Edge node, perform the following actions:

Back up the existing certificate and private key, then remove them from the Edge node as below:

  • cp /etc/vmware/nsx/host-cert.pem /etc/vmware/nsx/host-cert.pem.old
  • cp /etc/vmware/nsx/host-privkey.pem /etc/vmware/nsx/host-privkey.pem.old
  • rm -f /etc/vmware/nsx/host-cert.pem /etc/vmware/nsx/host-privkey.pem

Execute sync-aph-certificates and restart nsx-proxy as below:

  • sync-aph-certificates NSX-Manager-IP username admin thumbprint <thumbprint> password <password>
  • /etc/init.d/nsx-proxy restart

Then push the host certificate to the NSX Manager as below:

  • push host-certificate <manager-IP-FQDN> username <username> thumbprint <cert-api-thumbprint-of-manager> password <password>

Refer to KB 369349.