VirtualService or AVI controller cluster VIP Down — Azure Cloud Connector Client Secret Expired

Article ID: 433608


Products

VMware Avi Load Balancer

Issue/Introduction

Case 1: Virtual Service Down with AdalError: Get Token request returned http error: 401 and server response

reason: AdalError: Get Token request returned http error: 401 and server response:
{"error":"invalid_client","error_description":"AADSTS7000222: The provided client secret keys for app '####' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds. 
"error_uri":"https://login.microsoftonline.com/error?code=7000222"}

Case 2: The Avi controller cluster VIP shows Red (Down).

The error is logged in /var/lib/avi/log/cluster_config.log.

Environment

Azure Cloud
Azure Cloud Connector User using Application ID based authentication

Cause

For Case 1:

The Azure AD App Registration (ID: ####) used by the Avi Load Balancer's Azure Cloud Connector has an expired client secret. ADAL token requests therefore fail with error code AADSTS7000222, which takes the virtual service <name> (VIP <IP>) down.

 

For Case 2:

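The controller fails to load its Azure credentials because of the same expired client secret (AADSTS7000222) while managing the cluster VIP. The following error is logged in /var/lib/avi/log/cluster_config.log: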

[2026-04-13 05:46:25,151] INFO [maintenance.manage_vip_operations:342] Got cluster config. cvip: ##.##.##.##. cvip6: None
[2026-04-13 05:46:25,161] INFO [cluster_utils.check_if_configure_cluster_vip6_needed:1075] Configured cvip6: None. New cvip6: None
[2026-04-13 05:46:25,336] ERROR [azure_cluster_vip.manage_azure_cluster_vip:159] ^[[31mFailed to load azure credentials: Traceback (most recent call last):

oauthlib.oauth2.rfc6749.errors.InvalidClientError: (invalid_client) AADSTS7000222: The provided client secret keys for app '######-####-####-####-########' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds. Trace ID: ########-####-####-####-######## Correlation ID: ######-####-####-####-######## Timestamp: 2026-04-13 05:46:25Z
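
Both signatures above carry the same AADSTS7000222 code, so a single scanner can flag either one in collected logs or down reasons. The following is an added example, not part of the original article or of any VMware tooling; the function name, sample lines, placeholder GUID and documentation IP are constructed for illustration.

```python
import json
import re

EXPIRED_SECRET = "AADSTS7000222"  # code the article ties to an expired client secret
ANSI = re.compile(r"(?:\x1b|\^\[)\[[0-9;]*m")  # colour codes: real ESC or caret form
LOG_TS = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\]")
APP_ID = re.compile(r"for app '([^']+)'")
AAD_TS = re.compile(r"Timestamp: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})Z")

# Constructed sample input; the GUID and IP are placeholders, not real values.
APP = "00000000-0000-0000-0000-000000000000"
MSG = f"AADSTS7000222: The provided client secret keys for app '{APP}' are expired."
CLUSTER_LOG = [
    "[2026-04-13 05:46:25,151] INFO [maintenance.manage_vip_operations:342] "
    "Got cluster config. cvip: 192.0.2.10. cvip6: None",
    "[2026-04-13 05:46:25,336] ERROR [azure_cluster_vip.manage_azure_cluster_vip:159] "
    "\x1b[31mFailed to load azure credentials: Traceback (most recent call last):",
    "oauthlib.oauth2.rfc6749.errors.InvalidClientError: (invalid_client) "
    + MSG + " Timestamp: 2026-04-13 05:46:25Z",
]
VS_REASON = ['{"error":"invalid_client","error_description":"' + MSG + '"}']


def find_expired_secret_errors(lines):
    """Return one dict per AADSTS7000222 hit (oauthlib text or ADAL JSON body)."""
    hits, last_ts = [], None
    for raw in lines:
        line = ANSI.sub("", raw).strip()
        stamp = LOG_TS.match(line)
        if stamp:
            last_ts = stamp.group(1)  # time of the enclosing log entry
        if EXPIRED_SECRET not in line:
            continue
        text, start = line, line.find("{")
        if start != -1:  # Case 1: message wrapped in a JSON response body
            try:
                text = json.loads(line[start:]).get("error_description", line)
            except ValueError:
                pass  # truncated or multi-line JSON: match on the raw text
        app, aad = APP_ID.search(text), AAD_TS.search(text)
        hits.append({
            "app_id": app.group(1) if app else None,
            "logged_at": last_ts,
            "aad_timestamp": aad.group(1) if aad else None,
        })
    return hits

if __name__ == "__main__":
    print(find_expired_secret_errors(CLUSTER_LOG), find_expired_secret_errors(VS_REASON))
```

The `app_id` in each hit identifies which App Registration needs its secret rotated; `logged_at` is empty for input that has no controller log timestamp, such as a virtual service down reason.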

Resolution

Rotate the Secret in Azure Portal

  1. Go to Azure Portal → Azure Active Directory → App Registrations
  2. Search by App ID
  3. Navigate to Certificates & Secrets → Client Secrets
  4. Delete the expired secret
  5. Click + New client secret — set an appropriate expiry and add a description
  6. Copy the new secret value immediately — it is only displayed once

Update the Avi Controller Azure Cloud Connector User

  1. Go to Avi Controller → Administrator → User Credentials
  2. Locate the Azure Cloud Connector User credential
  3. Click Edit and paste in the new client secret (Authentication Token)
  4. Click Save

Verify Recovery

  1. Monitor the VirtualService status — it should transition from VIP_DOWN back to UP once the new secret is authenticated successfully
  2. Check the events under Operations > Events > All Events