Virtual machine vMotion operations fail for VMs residing on NSX segments. The inability to add or change network interfaces on VMs may also be observed.
This issue typically manifests when the underlying ESXi hosts, which are configured as NSX Transport Nodes, transition into a "host disconnected" state within the NSX-T Manager UI.
vMotion failure for VMs connected to NSX segments.
Inability to add or change network interfaces on VMs.
Error messages in vCenter or during vMotion attempts may indicate communication issues with NSX or the host's inability to participate in NSX operations.
The failing operation presents an error similar to:
"Currently connected network interface" 'Network adapter #' uses network 'DVSwitch[## ## ## ## ## ## ## ##-## ## ## ## ## ## ## ##] NSX port group [dvportgroup-####](lcp.ccpSession down)', which is not accessible
VMware NSX
VMware NSX-T Data Center
The primary cause is related to expired internal NSX certificates on these host transport nodes, which disrupts communication between the hosts and the NSX management plane.
Run the CARR script as described in the article "Using Certificate Analyzer, Results and Recovery (CARR) Script to fix certificate related issues in NSX".
NOTE: When using the CARR script for CBM certificates in NSX versions 4.1.2 and below, folder/file permission issues might prevent the script from replacing the certificates on the first run. Subsequent runs will replace the certificates. Run the script a second time if the expired certificates are still in use.
After the script completes, allow some time for NSX to resynchronize with the hosts.
If the hosts do not reconnect, click the disconnected alarm for the transport node and resolve the error.
Monitor the NSX-T Manager UI to confirm that all previously "disconnected" host transport nodes return to a "Success" or "Up" state.
Once all hosts are in a healthy state, attempt vMotion operations for VMs on NSX segments.
Also try to add or change network interfaces on the VMs to verify that the issue is fixed.
The CARR script specifically targets and replaces the expired internal certificates that are causing the communication breakdown between the NSX Managers and the transport nodes. By renewing these certificates, the secure communication channel is re-established, allowing hosts to properly integrate with NSX, clearing their "Failed" status, and enabling dependent operations like vMotion to function correctly.