In a VMware Cloud Foundation (VCF) environment, shell access for the local accounts nsx_user, da_user, and mux_user may have been manually disabled during host hardening or security audits. You might observe that while the root user has shell access, shell access for these specific accounts is set to false.
Disabling shell access for these accounts causes critical failures in the NSX networking stack, security policy synchronization, and SDDC Manager lifecycle operations.
Symptoms include:
- NSX Manager loses visibility into virtual switch status (VDS/N-VDS), showing "Unknown" or "Down" in the UI.
- Host preparation failures during NSX upgrades or reconfigurations.
- SDDC Manager pre-check failures during "Update/Patch" or "Expand Cluster" workflows.
- Distributed Firewall (DFW) rules fail to propagate to affected transport nodes.
Product: VMware Cloud Foundation (VCF)
Component: NSX-T / NSX
Host: ESXi (All versions within VCF)
The accounts nsx_user, da_user, and mux_user are not standard user identities; they are critical service identities used by the NSX management and control planes. The management plane executes remote commands via the shell to orchestrate the data plane. Restricting this access prevents the environment from maintaining its "Desired State."
To resolve this issue and prevent management plane disruption, you must ensure that shell access is enabled for these three service identities on all ESXi hosts within the VCF environment.
1. Log in to the ESXi host via SSH or Console as root.
2. Verify the current shell status for the service users.
3. Re-enable shell access for nsx_user, da_user, and mux_user to ensure they are set to true.
4. Perform a "Retry" on any failed SDDC Manager workflows or NSX host preparation tasks to confirm communication is restored.
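A read-only audit for the verify and re-enable steps above, as an added example rather than commands from the original article: it parses the output of `esxcli system account list` and prints, without running it, the re-enable command for each of the three service accounts whose shell access is not true. It assumes the host's esxcli shows a shell-access column and accepts the `-s` (shell access) option of `esxcli system account set`; the sample listing and its descriptions are constructed.

```shell
#!/bin/sh
# Added example: audit shell access for the three NSX service identities.
# Assumption: `esxcli system account list` prints one row per account, with the
# user ID in the first column and the shell-access flag (true/false) in the last.

SERVICE_ACCOUNTS="nsx_user da_user mux_user"

# Constructed sample output (not captured from a real host).
SAMPLE_LIST='User ID   Description                  Shell access
--------  ---------------------------  ------------
root      Administrator                        true
dcui      DCUI User                           false
nsx_user  NSX service account                 false
da_user   Data Agency service account          true
mux_user  Multiplexer service account         false'

# Reads account-list text on stdin; prints each service account that is
# present in the listing and whose shell-access flag is not "true".
shell_disabled_accounts() {
    awk -v want="$SERVICE_ACCOUNTS" '
        BEGIN { n = split(want, names, " ") }
        { state[$1] = tolower($NF) }
        END {
            for (i = 1; i <= n; i++)
                if ((names[i] in state) && state[names[i]] != "true")
                    print names[i]
        }'
}

# Prints (does not run) the command that re-enables shell access per account.
remediation_commands() {
    shell_disabled_accounts | while read -r user; do
        echo "esxcli system account set -i $user -s true"
    done
}

# On an ESXi host, audit the live listing; elsewhere, use the constructed sample.
if command -v esxcli >/dev/null 2>&1; then
    esxcli system account list | remediation_commands
else
    printf '%s\n' "$SAMPLE_LIST" | remediation_commands
fi
```

Review the printed commands, run them as root on the affected host, then rerun the audit and expect no output.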
Disabling these users impacts specific functional modules:
- nsx_user: Primary management account for DFW and logical switch updates.
- da_user (Data Agency): Required for service insertion and guest introspection.
- mux_user (Multiplexer): Handles communication for Endpoint Protection.