In an NSX Federation environment with Active and Standby Global Managers, you may experience the following symptoms after manually replacing internal certificates:
The Active Global Manager reports the Standby Global Manager status as "Not Available" or "Down" in the System > Configuration > Location Manager view.
The Standby Global Manager itself reports its own certificates as Valid and healthy (because they were recently manually replaced).
However, the Active Global Manager and Local Managers continue to display alarms for expired "Remote Site" certificates (specifically the APH-AR, or Appliance Proxy Hub, certificate) belonging to the Standby GM. Clicking the number in the "Used By" column shows UUIDs that point to the Standby GM cluster nodes.
When attempting to edit the Standby Global Manager settings from the Active Global Manager UI (Location Manager > Edit Settings), the configuration fields for FQDN/IP, Username, and Thumbprint appear blank/empty, even though the cluster is listed.
Inter-site communication and policy replication between Active and Standby GMs are failing.
This issue occurs because the trust relationship (Async Replicator channel) between the Active and Standby Global Managers was not re-established after the certificate replacement.
The Appliance Proxy Hub (APH-AR) certificate is used to authenticate the federation channel (port 1236). When this certificate expires and is manually replaced on the Standby Global Manager:
The Standby GM now possesses a new valid certificate.
The Active GM still holds the old, expired certificate for the Standby GM in its trust store.
Because the thumbprint the Active GM has stored no longer matches the certificate the Standby GM now presents, the Active GM rejects the connection from the Standby GM.
Consequently, the Active GM marks the remote site as "Invalid" or "Unreachable" and eventually clears the stored connection details (FQDN, Username, Thumbprint) from its configuration UI so that stale authentication data is not reused.
The trust update is not automatic: the Standby GM must be re-authenticated on the Active GM so that the Active GM learns the new certificate and its thumbprint.
To resolve this issue, you must manually re-onboard the Standby Global Manager connection on the Active Global Manager. This forces the Active GM to authenticate with the Standby GM and pull the new APH-AR certificate.
Ensure you have the VIP FQDN (or IP) of the Standby Global Manager.
Ensure you have the Admin credentials for the Standby Global Manager.
(Optional) Obtain the SHA-256 API thumbprint of the Standby Global Manager (System > Appliances > Local Manager) so that you can enter it if the Thumbprint field is blank.
Log in to the Active Global Manager web interface.
Navigate to System > Configuration > Location Manager.
Locate the Standby Global Manager cluster (which is reporting "Not Available").
Select the cluster and click Edit Settings.
If the fields are blank, manually re-enter the following:
Remote Site IP/FQDN: Enter the VIP of the Standby Global Manager.
Username: admin (or your superuser account).
Password: The current password for the Standby GM.
Thumbprint: Paste the SHA-256 thumbprint of the Standby GM.
Click Save or Check Connection.
The system will validate credentials and re-establish the Federation tunnel (Port 1236) using the new certificate.
Once the connection is successful, the status may momentarily show "Syncing" or "Unknown." Refresh the browser window.
Log in to the Standby Global Manager web interface.
Click the Force Sync button (this option usually appears only after a successful reconnection).
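The root cause above is a thumbprint mismatch: the Active GM compares the certificate the Standby GM presents against the SHA-256 thumbprint it stored at onboarding. The following script, added here as an illustration and not part of NSX or of this article, computes that thumbprint from the certificate a remote site actually serves and compares it with a stored value, which is also a convenient way to obtain the value for the Thumbprint field in the procedure. It assumes the Standby GM VIP serves its certificate on TCP 443 (the host, port and stored thumbprint are command-line arguments); port 1236 (APH-AR) may require a client certificate, in which case the handshake fails before a certificate can be fingerprinted. The embedded sample PEM is constructed for the offline test and is not a real certificate.

```python
#!/usr/bin/env python3
"""Compare the certificate a remote NSX site presents with the SHA-256
thumbprint another site has stored for it (added example, not NSX code)."""
import base64
import hashlib
import re
import ssl
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample: a PEM wrapper around the bytes b"abc" (base64 "YWJj").
# It is NOT a real certificate; it only gives a reproducible thumbprint.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate block in a PEM string."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def sha256_thumbprint(der: bytes) -> str:
    """Uppercase, colon-separated SHA-256 fingerprint of the DER certificate."""
    digest = hashlib.sha256(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2)).upper()


def normalize_thumbprint(value: str) -> str:
    """Accept 'AB:CD:...', 'abcd...' or 'sha256 Fingerprint=AB:CD:...' and
    return 64 lowercase hex characters; reject anything that is not SHA-256."""
    value = value.split("=", 1)[-1]           # drop an openssl-style prefix
    hexstr = re.sub(r"[^0-9A-Fa-f]", "", value).lower()
    if len(hexstr) != 64:
        raise ValueError(f"not a SHA-256 thumbprint: {value!r}")
    return hexstr


def thumbprint_matches(stored: str, presented_der: bytes) -> bool:
    """True if the stored thumbprint is the SHA-256 of the presented cert."""
    return normalize_thumbprint(stored) == hashlib.sha256(presented_der).hexdigest()


def fetch_server_pem(host: str, port: int = 443) -> str:
    """Fetch the certificate a TLS endpoint presents. No chain validation is
    done here on purpose: we want to fingerprint whatever is served, which is
    exactly what matters after a manual certificate replacement."""
    return ssl.get_server_certificate((host, port))


def check_remote_site(stored_thumbprint: str, pem: str) -> dict:
    """Report the presented thumbprint and whether it matches the stored one."""
    der = pem_to_der(pem)
    return {
        "presented": sha256_thumbprint(der),
        "stored": normalize_thumbprint(stored_thumbprint),
        "match": thumbprint_matches(stored_thumbprint, der),
    }


if __name__ == "__main__":
    # usage: gm_thumbprint.py <standby-gm-vip> <stored-thumbprint> [port]
    if len(sys.argv) < 3:
        sys.exit("usage: gm_thumbprint.py <standby-gm-vip> <stored-thumbprint> [port]")
    host, stored = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 443
    result = check_remote_site(stored, fetch_server_pem(host, port))
    print(f"presented: {result['presented']}")
    print(f"stored:    {result['stored']}")
    print("MATCH" if result["match"] else "MISMATCH: re-onboard the site with the presented thumbprint")
    sys.exit(0 if result["match"] else 1)
```

A mismatch with a non-zero exit is the condition described in the cause section: the remote site has a valid certificate, but the value the Active GM holds is for the old one, so the Standby GM connection stays down until the site is re-onboarded with the presented thumbprint.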
After performing the steps above:
Verify that the Standby Global Manager status changes to Green / Active in the Location Manager.
Navigate to the Dashboard to confirm that "Remote Site" certificate expiration alarms have cleared on the Active Global Manager and Local Managers.
Run the following API command on the Active GM to verify replication status: GET https://<Active-GM-IP>/api/v1/global-manager/status
Look for "replication_status": "ACTIVE" or "SUCCESS".