This failure typically occurs when a stale certificate is associated with a Load Balancer Virtual Server. During the migration/promotion process, the system validates all referenced objects; if a certificate is stale, the promotion of the Virtual Server (and its parent Load Balancer) cannot proceed from Manager to Policy.

Specifically, the issue is often found within the Client-Side or Server-Side SSL profiles attached to the Virtual Server.

Below is a screenshot of the stale certificate.

To resume the promotion, you must identify and remove the stale certificate reference from the affected Virtual Server(s).

Step 1: Locate the Affected Virtual Server

1. Log in to the NSX Manager UI.

2. Navigate to Manager Mode (switch from Policy mode if necessary).

3. Go to Networking > Load Balancing > Virtual Servers.

4. Identify the Virtual Server mentioned in the error log or those currently using SSL profiles.

Step 2: Clear Stale Certificates from SSL Profiles

For each identified Virtual Server, perform the following:

1. Click on the LB Profiles tab within the Virtual Server configuration.

2. Check Client-Side SSL:

   • If Client Side SSL is enabled, click Edit.

   • Locate the Default Certificate field.

   • If the certificate is identified as stale or invalid, remove the entry or replace it with a valid certificate.

   • Save the changes.
     

3. Check Server-Side SSL:

   • If Server Side SSL is enabled, click Edit.

   • Locate the Default Certificate field.

   • If the stale certificate is present, remove the entry.

   • Save the changes.

4. Restart the migration process.