SSP deployment failed while deploying cert-manager


Article ID: 424041


Products

VMware vDefend Firewall; VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

During the SSP deployment, the cert-manager pods failed to initialize properly, and the error below was observed in the cert-manager pod logs.

To validate the issue, the following checks were performed:

  1. Logged in to the SSP Installer CLI, using root credentials for SSP version 5.0 or sysadmin credentials for SSP versions later than 5.0.

  2. Executed the command to list the pods related to cert-manager:

             k get pods -A | grep cert-manager

  3. Checked the logs of the cert-manager pod listed in step 2:

             k -n cert-manager logs <cert-manager-pod-name>

Error Snapshot:

Error from server (InternalError): error when creating "STDIN": Internal error occurred: failed calling webhook "webhook.cert-manager.io": failed to call webhook: Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": context deadline exceeded
2025-12-04T15:28:01.477236523+00:00 stdout F Failed to apply self-signed Issuer template.
2025-12-04T15:28:01.477264855+00:00 stdout F Cert-Manager is not ready yet. Retrying in 10 seconds..
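As an added triage helper (not part of this article), the shell functions below check cert-manager pod log text for the webhook timeout signature shown in the error snapshot and compare the NSX TEP VLAN against the VLAN of the port group used for SSP, the two values gathered in the Cause section. It assumes the `k` kubectl alias available on the SSP Installer CLI; the sample log lines are constructed from the snapshot above.

```shell
#!/bin/sh
# Added triage helper, not from the KB article. Assumes `k` is the kubectl
# alias on the SSP Installer CLI, as used in the checks above.

# Return 0 when the log text on stdin carries the webhook timeout signature
# (cert-manager-webhook unreachable, request hits its deadline), else 1.
cert_manager_webhook_timeout() {
  log=$(cat)
  printf '%s\n' "$log" | grep -q 'failed calling webhook "webhook.cert-manager.io"' || return 1
  printf '%s\n' "$log" | grep -q 'context deadline exceeded' || return 1
  return 0
}

# Return 0 when the NSX TEP VLAN and the SSP port group VLAN collide, which is
# the unsupported layout described in the Cause section; else return 1.
# Both arguments are numeric VLAN IDs read from the NSX and vCenter UIs.
vlan_conflict() {
  nsx_tep_vlan=$1
  ssp_vlan=$2
  [ "$nsx_tep_vlan" -eq "$ssp_vlan" ]
}

# Live run on the installer CLI: pull the logs of every cert-manager pod and
# report which ones show the signature. Uses only the commands from the article.
triage_cert_manager() {
  k get pods -n cert-manager -o name | while read -r pod; do
    if k -n cert-manager logs "$pod" | cert_manager_webhook_timeout; then
      echo "$pod: webhook timeout signature present; compare the NSX TEP and SSP VLAN IDs"
    else
      echo "$pod: no webhook timeout signature"
    fi
  done
}

# Constructed sample log, modelled on the Error Snapshot, for offline checking.
SAMPLE_LOG='Error from server (InternalError): error when creating "STDIN": Internal error occurred: failed calling webhook "webhook.cert-manager.io": failed to call webhook: Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": context deadline exceeded
2025-12-04T15:28:01.477236523+00:00 stdout F Failed to apply self-signed Issuer template.
2025-12-04T15:28:01.477264855+00:00 stdout F Cert-Manager is not ready yet. Retrying in 10 seconds..'

# Offline demonstration on the constructed sample; on the installer CLI run
# `triage_cert_manager` instead.
if printf '%s\n' "$SAMPLE_LOG" | cert_manager_webhook_timeout; then
  echo "sample log: webhook timeout signature present"
fi
```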

 

Environment

SSP deployments (all versions)

Cause

The issue is caused by SSP using the same VLAN as the NSX TEP VLAN. The SSP deployment fails because this is an unsupported mode: two TEPs tunneling on the same ESXi host (one NSX TEP and one SSP TEP) cannot share a VLAN.

STEP 1: Verify the VLAN ID configured for the NSX TEP

  • Open a browser and go to your NSX Manager URL.

  • Log in with an account that has admin/fabric privileges.

  • The transport (TEP) VLAN is defined in the uplink profiles assigned to transport nodes, because NSX uses these profiles to tag the overlay/transport VLAN for the TEP interfaces (Geneve-encapsulated traffic).

                Go to: System → Fabric → Profiles → Uplink Profiles

                Select the uplink profile used by your host transport nodes. In the uplink profile settings, the VLAN field is the VLAN used for the NSX transport (TEP) overlay.

 

STEP 2: Verify the VLAN ID of the port group used for SSP

 

  • Log in to the vCenter Server

    • Open the vSphere UI and log in with appropriate credentials.

  • Navigate to the Networking View

    • In the left-hand inventory tree, click on Networking to show the list of distributed switches.

  • Select the Distributed Virtual Switch

    • Click on the vDS where your port group is located.

  • Open the Port Groups List

    • Under the vDS, expand Distributed Port Groups to view all port groups associated with that vDS.

  • Select the Port Group

    • Click on the specific Distributed Port Group used to deploy the SSP and note the VLAN ID shown in its settings.

 

 

Resolution

Using different VLANs for SSP and NSX TEP traffic resolves the issue because NSX requires separate transport domains for the host TEP and the edge/SSP TEP networks. If both TEPs share the same VLAN, tunnel formation fails because the ESXi host cannot correctly forward Geneve/TEP traffic between them. Placing the SSP TEP on a different VLAN from the NSX host TEP ensures proper routing and a successful deployment.

 

Additional Information

If the issue persists, contact Broadcom Support for further assistance.