Host shows disconnected after APH certificate expires on the NSX managers


Article ID: 424553


Updated On:

Products

VMware NSX

Issue/Introduction

The ESXi host shows as disconnected in the NSX UI, as seen in the following screenshot:

You might also see the edges showing MPA connectivity as down.

Environment

VMware NSX 

Cause

The APH certificates on the NSX Managers have expired. These certificates are used for communication between the NSX Managers and the transport nodes and edges.
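
Because the outage is caused by certificate expiry, an expiry audit of the manager's certificate inventory can flag the problem before hosts disconnect. The following is an added example, not part of the original article or VMware's tooling; it assumes a response shaped like `GET /api/v1/trust-management/certificates` (fields `display_name`, `details[].not_after` in epoch milliseconds, `used_by[].service_types`), and the sample data is constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample, not real NSX output. Assumed response shape:
# results[].display_name, results[].details[].not_after (epoch ms),
# results[].used_by[].service_types.
SAMPLE = json.dumps({"results": [
    {"display_name": "constructed-aph-leaf-expired",
     "details": [{"not_after": 1735689600000}],            # 2025-01-01
     "used_by": [{"node_id": "node-1", "service_types": ["APH"]}]},
    {"display_name": "constructed-api-cert",
     "details": [{"not_after": 1750464000000}],            # 2025-06-21
     "used_by": [{"node_id": "node-1", "service_types": ["API"]}]},
    {"display_name": "constructed-aph-ca-signed",
     "details": [{"not_after": 1798761600000},             # leaf: 2027-01-01
                 {"not_after": 1749600000000}],            # issuing CA: 2025-06-11
     "used_by": [{"node_id": "node-2", "service_types": ["APH"]}]},
    {"display_name": "constructed-unused-cert",
     "details": [{"not_after": 1798761600000}],
     "used_by": []},
]})
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so the run is repeatable


def audit(cert_list_json, now, warn_days=30):
    """Return (name, services, days_left, status) rows, most urgent first."""
    rows = []
    for cert in json.loads(cert_list_json).get("results", []):
        services = sorted({s for u in cert.get("used_by", [])
                           for s in u.get("service_types", [])})
        expiries = [d["not_after"] for d in cert.get("details", []) if "not_after" in d]
        if not expiries:  # no parsed validity data: surface it instead of skipping
            rows.append((cert.get("display_name"), services, None, "UNKNOWN"))
            continue
        # A chain is only valid until its earliest-expiring certificate.
        not_after = datetime.fromtimestamp(min(expiries) / 1000, tz=timezone.utc)
        days_left = (not_after - now).days
        status = ("EXPIRED" if not_after <= now
                  else "EXPIRING" if days_left <= warn_days else "OK")
        rows.append((cert.get("display_name"), services, days_left, status))
    return sorted(rows, key=lambda r: float("-inf") if r[2] is None else r[2])


if __name__ == "__main__":
    for name, services, days_left, status in audit(SAMPLE, NOW):
        print(f"{status:9} {str(days_left):>5}d  {','.join(services) or '-':6} {name}")
```

The CA-signed entry is reported as expiring in 10 days even though its leaf is valid into 2027, because the issuing CA in its chain expires first.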

 

Resolution

Run the CARR script to fix the certificates on the NSX Manager:

Using Certificate Analyzer, Results and Recovery (CARR) Script to fix certificate related issues in NSX

If the host still shows as disconnected after renewing the certificates on the NSX Manager, follow these steps:

 
  1. Open a PuTTY session to an NSX Manager as root and run the following command:
    • get certificate api thumbprint
  2. Once you have the thumbprint of a manager, open a PuTTY session to the impacted ESXi host and run the following command:
    • nsxcli
  3. Gather the following information for the next commands:
    • Manager FQDN
    • Manager API thumbprint (gathered in the step above with get certificate)
    • User (this should be admin)
    • Password
  4. Run the following commands on the impacted host:
    • push host-certificate <manager-IP-FQDN> username <username> thumbprint <cert-api-thumbprint-of-manager> password <password>
    • sync-aph-certificates <manager-IP-FQDN> username <username> thumbprint <cert-api-thumbprint-of-manager> password <password>
  5. Once both commands have run, type exit to leave nsxcli and then run the following commands:
    • /etc/init.d/nsx-proxy restart
    • /etc/init.d/nsx-opsagent restart
  6. You may need to click Resolve in the NSX UI under the Transport Nodes status to clear the error after these steps.

 

For the Edge

Run the following commands 

  1. Open a PuTTY session to an NSX Manager as root and run the following command:
    • get certificate api thumbprint
  2. Once you have the thumbprint of a manager, open a PuTTY session to the edge and log in as admin.
  3. Gather the following information for the next commands:
    • Manager FQDN
    • Manager API thumbprint (gathered in the step above with get certificate)
    • User (this should be admin)
    • Password
  4. Run the following commands on the impacted host:
    • push host-certificate <manager-IP-FQDN> username <username> thumbprint <cert-api-thumbprint-of-manager> password <password>
    • sync-aph-certificates <manager-IP-FQDN> username <username> thumbprint <cert-api-thumbprint-of-manager> password <password>
  5. Once both commands have run, type st en to switch to root and then run the following commands:
    • /etc/init.d/nsx-proxy restart
    • /etc/init.d/nsx-opsagent-appliance restart

For this component, allow a couple of minutes; the edges should then come back and show green.

Additional Information

Verify Appliance Proxy Hub on all NSX Manager Nodes are Connected