MPA connection is down due to certificate mismatch between Edge and Manager

Article ID: 412483


Updated On:

Products

VMware NSX

Issue/Introduction

  • The management_channel_to_transport_node_down alarm is raised for the target Edge node.
  • You see messages similar to the following in /var/log/syslog.log on the target Edge node:
    ####-##-##T##:##:##.###Z nsxedge NSX 25651 - [nsx@6876 comp="nsx-edge" subcomp="nsx-proxy" s2comp="nsx-rpc" tid="25652" level="INFO"] ConnectionKeeper[5 ssl://<Manager_IP>:1234] attempting connection from timer callback
    ####-##-##T##:##:##.###Z nsxedge NSX 25651 - [nsx@6876 comp="nsx-edge" subcomp="nsx-proxy" s2comp="nsx-rpc" tid="25652" level="INFO"] ConnectionKeeper[4 ssl://<Manager_IP>:1234] attempting connection from timer callback
    ####-##-##T##:##:##.###Z nsxedge NSX 25651 - [nsx@6876 comp="nsx-edge" subcomp="nsx-proxy" s2comp="nsx-rpc" tid="25652" level="INFO"] ConnectionKeeper[6 ssl://<Manager_IP>:1234] attempting connection from timer callback
    ####-##-##T##:##:##.###Z nsxedge NSX 25651 - [nsx@6876 comp="nsx-edge" subcomp="nsx-proxy" s2comp="nsx-net" tid="25652" level="WARNING"] StreamConnection[416 Connecting to ssl://<Manager_IP>:1234 sid:416] Couldn't connect to 'ssl://<Manager_IP>:1234' (error: 335544539-short read)
  • You see messages similar to the following in /var/log/syslog.log on a Manager node:
    ####-##-##T##:##:##.###Z nsxmanager NSX 3005 - [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="ccp"] Unknown peer certificate received:   [0]         Version: 3#012         SerialNumber: ########################             IssuerDN: UID=<Edge_UUID>...
    ####-##-##T##:##:##.###Z nsxmanager NSX 3005 - [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="ccp"] error javax.net.ssl.SSLHandshakeException: Unknown peer certificate. Rejected host while writing to javax.net.ssl.SSLHandshakeException: Unknown peer certificate. Rejected host#012#011at...
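
The two log signatures above can be checked together before changing anything. The following is an added example, not Broadcom's code: it scans Edge and Manager syslog lines for the messages shown and reports a suspected mismatch only when both sides agree. The timestamps, IP address and UUID in the sample input are constructed.

```python
import re
from collections import Counter

# Edge side: nsx-proxy cannot complete the TLS connection to the Manager.
EDGE_FAIL = re.compile(
    r'subcomp="nsx-proxy".*level="WARNING".*'
    r"Couldn't connect to 'ssl://(?P<endpoint>[^']+)' \(error: (?P<error>[^)]+)\)")
# Manager side: rejected peer certificate; the IssuerDN UID names the Edge.
MGR_UNKNOWN = re.compile(
    r'comp="nsx-manager".*Unknown peer certificate received:'
    r'.*?IssuerDN: UID=(?P<uuid>[0-9a-fA-F-]+)')

def scan_edge(lines):
    """Count failed connection attempts per (Manager endpoint, error)."""
    return Counter((m["endpoint"], m["error"])
                   for m in map(EDGE_FAIL.search, lines) if m)

def scan_manager(lines):
    """Count rejected peer certificates per Edge UUID."""
    return Counter(m["uuid"] for m in map(MGR_UNKNOWN.search, lines) if m)

def mismatch_suspected(edge_lines, manager_lines, edge_uuid):
    """True only when both sides show the signature for this Edge node."""
    return bool(scan_edge(edge_lines)) and scan_manager(manager_lines)[edge_uuid] > 0

# Constructed sample input (timestamps, IP, serial and UUID are made up).
EDGE_LOG = """\
2024-01-01T00:00:01.000Z nsxedge NSX 25651 - [nsx@6876 comp="nsx-edge" subcomp="nsx-proxy" s2comp="nsx-rpc" tid="25652" level="INFO"] ConnectionKeeper[5 ssl://192.0.2.10:1234] attempting connection from timer callback
2024-01-01T00:00:02.000Z nsxedge NSX 25651 - [nsx@6876 comp="nsx-edge" subcomp="nsx-proxy" s2comp="nsx-net" tid="25652" level="WARNING"] StreamConnection[416 Connecting to ssl://192.0.2.10:1234 sid:416] Couldn't connect to 'ssl://192.0.2.10:1234' (error: 335544539-short read)
""".splitlines()
MANAGER_LOG = """\
2024-01-01T00:00:02.100Z nsxmanager NSX 3005 - [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="ccp"] Unknown peer certificate received:   [0]         Version: 3#012         SerialNumber: 1234             IssuerDN: UID=11111111-2222-3333-4444-555555555555...
""".splitlines()
SAMPLE_UUID = "11111111-2222-3333-4444-555555555555"

if __name__ == "__main__":
    print("edge failures:", dict(scan_edge(EDGE_LOG)))
    print("manager rejections:", dict(scan_manager(MANAGER_LOG)))
    print("mismatch suspected:", mismatch_suspected(EDGE_LOG, MANAGER_LOG, SAMPLE_UUID))
```

Feed it the contents of /var/log/syslog.log from each node; a connection failure on the Edge with no matching rejection on the Manager points to a different cause than the one this article covers.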

Environment

VMware NSX

Cause

A certificate mismatch between the Edge and the Manager occurred at some point in the past; the reason is not specified.

Resolution

To resolve the certificate mismatch between Edge and Manager, push the host certificate to the management plane with the following command. Refer to the NSX CLI Guide for details.

nsxedge> push host-certificate <manager-hostname-or-ip-address-and-optional-port-arg> username <api-username> thumbprint <api-thumbprint>