NSX NCP pods in CrashLoopBackOff due to license violation

Article ID: 422870

Products

VMware NSX

Issue/Introduction

  • NSX NCP pods are in a CrashLoopBackOff state.

  • Harbor pods fail to deploy, showing an ErrImagePull or ImagePullBackOff status because the underlying network security policies cannot be realized.

Sample Output:

NAMESPACE           NAME                  READY   STATUS             RESTARTS
vmware-system-nsx   nsx-ncp-############  1/2     CrashLoopBackOff   89

  • NSX Manager logs (/var/log/proton/nsxapi.log) report a licensing violation:

2025-12-04T06:31:47.867Z  INFO http-nio-127.0.0.1-7440-exec-1405 LicensingServiceImpl 6231 SYSTEM [nsx@4413 comp="nsx-manager" level="INFO" subcomp="manager"] Feature VPC_SECURITY is not applicable under ON_PREM deployment type while current system applied with editions [{'licenseEdition': {name: NSX Distributed Firewall with Advanced Threat Prevention,baseEditions: ,bypassCheck: false}}, {'licenseEdition': {name: nsx.vcf,baseEditions: ,bypassCheck: false}}]
2025-12-04T06:31:47.867Z  INFO http-nio-127.0.0.1-7440-exec-1405 HierarchicalAPIAuthorizationUtils 6231 SYSTEM [nsx@4413 comp="nsx-manager" level="INFO" subcomp="manager"] license violation found

  • NSX Operator logs show a failure to create security policies:

2025-12-05T16:09:35. stdout F 2025-12-05 16:09:35.842 INFO    nsx/client.go:325       Checking NSX license
2025-12-05T16:09:46. stdout F 2025-12-05 16:09:46.558 ERROR   securitypolicy/firewall.go:1015 Failed to create/update or delete SecurityPolicy in VPC {"nsxSecurityPolicyId": "harbor-############_allow", "error": "nsx error code: 500157, message: Error while creating objects of type:SecurityPolicy, details: , related error: [{Details: , ErrorCode: 505,  ErrorMessage: This feature is not supported with the current applied license. Please upgrade your license in order to use this feature., ModuleName: common-services}]"}

Environment

VMware Cloud Foundation (VCF) 9.0.x

Cause

The issue occurs only when a NetworkPolicy or SecurityPolicy custom resource is created with a mismatched license. The NSX operator checks for the DFW license. Because DFW is enabled by the license 'VMware Firewall with Advanced Threat Prevention', the operator invokes the NSX SecurityPolicy API. In this case, however, the DFW and VPC_SECURITY entitlements are mismatched.

The NSX operator restarts when it receives an API response related to a licensing error. The license 'VMware Firewall with Advanced Threat Prevention' does not include the VPC_SECURITY entitlement.
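
Added example (not part of the original article and not VMware code): a Python triage helper that extracts the denied feature, the applied license editions and the blocked SecurityPolicy IDs from the two logs quoted above, so the entitlement mismatch can be confirmed from log evidence. The function name `triage`, the regular expressions (derived only from the excerpts shown here) and the policy ID `harbor-example_allow` are assumptions; the sample lines are constructed from the article's excerpts.

```python
import re
from pprint import pprint

# Constructed sample input, adapted from the log excerpts in this article.
MANAGER_LOG = """\
2025-12-04T06:31:47.867Z  INFO http-nio-127.0.0.1-7440-exec-1405 LicensingServiceImpl 6231 SYSTEM [nsx@4413 comp="nsx-manager" level="INFO" subcomp="manager"] Feature VPC_SECURITY is not applicable under ON_PREM deployment type while current system applied with editions [{'licenseEdition': {name: NSX Distributed Firewall with Advanced Threat Prevention,baseEditions: ,bypassCheck: false}}, {'licenseEdition': {name: nsx.vcf,baseEditions: ,bypassCheck: false}}]
2025-12-04T06:31:47.867Z  INFO http-nio-127.0.0.1-7440-exec-1405 HierarchicalAPIAuthorizationUtils 6231 SYSTEM [nsx@4413 comp="nsx-manager" level="INFO" subcomp="manager"] license violation found
"""
OPERATOR_LOG = """\
2025-12-05 16:09:35.842 INFO    nsx/client.go:325       Checking NSX license
2025-12-05 16:09:46.558 ERROR   securitypolicy/firewall.go:1015 Failed to create/update or delete SecurityPolicy in VPC {"nsxSecurityPolicyId": "harbor-example_allow", "error": "nsx error code: 500157, message: Error while creating objects of type:SecurityPolicy, details: , related error: [{Details: , ErrorCode: 505,  ErrorMessage: This feature is not supported with the current applied license. Please upgrade your license in order to use this feature., ModuleName: common-services}]"}
"""

# Patterns are assumptions based only on the message formats shown above.
FEATURE_RE = re.compile(r"Feature (\w+) is not applicable under (\w+) deployment type")
EDITION_RE = re.compile(r"\{name: ([^,]+),baseEditions")
POLICY_RE = re.compile(r'"nsxSecurityPolicyId": "([^"]+)"')
CODES_RE = re.compile(r"nsx error code: (\d+).*?ErrorCode: (\d+)")


def triage(manager_log, operator_log):
    """Correlate NSX Manager licensing messages with operator policy failures."""
    report = {"denied": [], "violations": 0, "blocked_policies": []}
    for line in manager_log.splitlines():
        m = FEATURE_RE.search(line)
        if m:
            # Record which feature was refused and which editions are applied.
            report["denied"].append({
                "feature": m.group(1),
                "deployment": m.group(2),
                "editions": EDITION_RE.findall(line),
            })
        if "license violation found" in line:
            report["violations"] += 1
    for line in operator_log.splitlines():
        policy, codes = POLICY_RE.search(line), CODES_RE.search(line)
        # Only count failures that the API attributes to the applied license.
        if policy and codes and "current applied license" in line:
            report["blocked_policies"].append(
                (policy.group(1), int(codes.group(1)), int(codes.group(2))))
    return report


if __name__ == "__main__":
    pprint(triage(MANAGER_LOG, OPERATOR_LOG))
```

A denied feature in the manager log together with a blocked policy in the operator log points at the custom resource that has to be removed under the workaround below.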

Resolution

Workaround: 

If you only have a VCF Networking license without the VPC Security entitlement, do not create NetworkPolicy or SecurityPolicy custom resources in a Supervisor namespace. Removing the NetworkPolicy or SecurityPolicy CR can return nsx-operator to normal operation.