ESXi host fails to prepare for NSX and is in state "Install Failed" at step "Waiting for connection to Managers".
Article ID: 433506
Updated On:
Products
VMware NSX
Issue/Introduction
- ESXi host fails to prepare for NSX and ends in state "Install Failed".
- If "Install Failed" is clicked, the Installation Progress is failed at "Waiting for connection to Managers".
- The APH-TN certificates are found to be expired.
Environment
VMware NSX
Cause
This issue is caused by the NSX Managers' APH_TN certificate being expired. The expired certificate causes the ESX hosts to fail to establish an SSL session to ports 1234 and 1235 during host preparation.
Resolution
Option 1 (Preferred)
- Use the CARR script to regenerate self-signed APH_TN certificates.
Option 2 (If CARR cannot be used)
- Generate a new Platform certificate in the NSX UI.
- Replace the certificate being used by the APH_TN service using the following API.
POST api/v1/trust-management/certificates/<certificate_id>?action=apply_certificate&service_type=APH_TN&node_id=<manager_node_id>
NOTE: In NSX 4.2 this step can typically be performed in the NSX UI. However, this is likely to fail due to NSX Manager UI certificate replacement fails with error 2190 "TRANSPORT_NODE_ONBOARDING_IN_PROGRESS, requiring this be performed via API instead. - Identify NSX Manager thumbprint, SSH as admin user to NSX Manager.
get certificate api thumbprint - Sync the new APH_TN certificate on the ESXi host transport node.
nsxcli -c sync-aph-certificates <Same Manager FQDN or IP as SSH'd to in step 3> username admin thumbprint <thumbprint from step 3> - If the Transport Node status still reflects an error, it is sometimes necessary to restart the nsx-proxy and nsx-opsagent on the Transport Node to restore this connection.
/etc/init.d/nsx-proxy restart/etc/init.d/nsx-opsagent restart
Feedback
Yes
No
Powered by
