T1 Gateway fails to create for a new VKS Namespace using Override Supervisor Network Settings with a stateful Active/Active Tier0 gateway in VMware NSX

Article ID: 433923

Products

VMware NSX, VMware vSphere Kubernetes Service

Issue/Introduction

  • A Tier0 gateway is configured as stateful in Active/Active mode.
  • A separate edge cluster is configured for Tier1 gateways.
  • When a new VKS namespace is created with Override Supervisor Network Settings, the T1 gateway fails to create.
  • Without using Override Supervisor Network Settings, namespaces create successfully.
  • In the NSX Manager log file, /var/log/proton/nsxapi.log, entries similar to the following may be seen:

2026-03-10T10:07:49.970Z ERROR http-nio-127.0.0.1-7440-exec-3 ConnectivityValidationUtils 6070 POLICY [nsx@6876 comp="nsx-manager" errorCode="PM503621" level="ERROR" reqId="########-####-####-####-###########" subcomp="manager" username="wcp-cluster-user-##########-####-####-####-########-####-####-####-###########"] Tier1 /infra/tier-1s/t1_########-####-####-####-###########_rtr Active-Standby must span to different edge cluster than connected Tier0 AA stateful /infra/tier-0s/<t0-gateway-name>. 

2026-03-10T10:07:49.970Z  WARN http-nio-127.0.0.1-7440-exec-3 PolicyResourceChangeNotificationManager 6070 POLICY [nsx@6876 comp="nsx-manager" level="WARNING" reqId="########-####-####-####-###########" subcomp="manager" username="wcp-cluster-user-##########-####-####-####-########-####-####-####-###########"] Failure received invoking listener GatewayAndRelatedResourceValidator for change CREATED on resource /infra/tier-1s/t1_########-####-####-####-###########_rtr/locale-services/t1_########-####-####-####-###########_rtr-0
com.vmware.nsx.management.policy.connectivity.common.exceptions.ConnectivityIntentException: null
    at com.vmware.nsx.management.policy.connectivity.service.ConnectivityValidationUtils.validateTier0AndTier1EdgeCluster(ConnectivityValidationUtils.java:1827) ~[?:?]
    at com.vmware.nsx.management.policy.connectivity.validator.GatewayAndRelatedResourceValidator.validateTier1LocaleService(GatewayAndRelatedResourceValidator.java:198) ~[?:?]
    at com.vmware.nsx.management.policy.policyframework.validators.BaseValidator.handleResourceChange(BaseValidator.java:50) ~[?:?]

Environment

VMware NSX

VMware vSphere Kubernetes Service

Cause

The NSX Container Plugin (NCP) logic inherits the Edge Cluster associated with the Tier-0 when the Override feature is utilized. Because NSX policy prohibits Active-Standby Tier-1s from residing on the same cluster as a stateful Active-Active Tier-0, the validation fails. The vCenter UI currently lacks a field to manually specify a different Tier-1 Edge Cluster during the override process.
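
To check whether a failed namespace creation matches this cause, the following added example (not VMware tooling and not part of the original article) extracts the rejected Tier-1 path and its connected Tier-0 path from nsxapi.log text. The function names, sample lines and all IDs in them are constructed, and the script assumes gateway paths contain no spaces.

```bash
#!/bin/sh
# Added example (not VMware tooling): list the Tier-1/Tier-0 pairs rejected
# with errorCode PM503621 in NSX Manager policy log text.

# Reads log lines on stdin and prints one unique "<tier1 path> <tier0 path>"
# pair per line. Assumption: gateway paths contain no spaces.
find_pm503621() {
  sed -n -E '/errorCode="PM503621"/ s#.*Tier1 (/infra/tier-1s/[^ ]+) Active-Standby must span to different edge cluster than connected Tier0 AA stateful (/infra/tier-0s/[^ ]+)\.[[:space:]]*$#\1 \2#p' |
    sort -u
}

# Constructed sample lines modelled on the entries shown in this article.
# Every ID, name and the PM000000 code below is made up for the example.
sample_log() {
  cat <<'EOF'
2026-03-10T10:07:49.970Z ERROR exec-3 ConnectivityValidationUtils 6070 POLICY [nsx@6876 comp="nsx-manager" errorCode="PM503621" level="ERROR" subcomp="manager"] Tier1 /infra/tier-1s/t1_aaaa1111_rtr Active-Standby must span to different edge cluster than connected Tier0 AA stateful /infra/tier-0s/example-t0.
2026-03-10T10:07:49.970Z  WARN exec-3 PolicyResourceChangeNotificationManager 6070 POLICY [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] Failure received invoking listener GatewayAndRelatedResourceValidator for change CREATED on resource /infra/tier-1s/t1_aaaa1111_rtr/locale-services/t1_aaaa1111_rtr-0
2026-03-10T10:08:20.101Z ERROR exec-5 ConnectivityValidationUtils 6070 POLICY [nsx@6876 comp="nsx-manager" errorCode="PM503621" level="ERROR" subcomp="manager"] Tier1 /infra/tier-1s/t1_aaaa1111_rtr Active-Standby must span to different edge cluster than connected Tier0 AA stateful /infra/tier-0s/example-t0.
2026-03-10T10:09:02.555Z ERROR exec-7 ConnectivityValidationUtils 6070 POLICY [nsx@6876 comp="nsx-manager" errorCode="PM503621" level="ERROR" subcomp="manager"] Tier1 /infra/tier-1s/t1_bbbb2222_rtr Active-Standby must span to different edge cluster than connected Tier0 AA stateful /infra/tier-0s/example-t0.
2026-03-10T10:09:30.000Z ERROR exec-9 ExampleComponent 6070 POLICY [nsx@6876 comp="nsx-manager" errorCode="PM000000" level="ERROR" subcomp="manager"] Unrelated constructed error for /infra/tier-1s/t1_cccc3333_rtr
EOF
}

# With a file argument scan that file, otherwise scan the constructed sample.
if [ "$#" -gt 0 ]; then
  find_pm503621 < "$1"
else
  sample_log | find_pm503621
fi
```

On an NSX Manager, pass /var/log/proton/nsxapi.log as the first argument; each output line names a Tier-1 that was placed on the same edge cluster as the stateful Active/Active Tier-0 listed next to it.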

Resolution

This is a known issue impacting VMware NSX.

Workaround:

Create the namespace from the vCenter dcli shell using the standard parameters for the Override Supervisor Network Settings, but without specifying the Tier-0:

dcli com vmware vcenter namespaces instances create \
--cluster <CLUSTER_ID> \
--namespace <NAMESPACE_NAME> \
--namespace-network-network-provider NSXT_CONTAINER_PLUGIN \
--namespace-network-network-routed-mode false \
--namespace-network-network-load-balancer-size SMALL \
--namespace-network-network-ingress-cidrs '[{"address": "<START_IP>", "prefix": <CIDR>}]' \
--namespace-network-network-egress-cidrs '[{"address": "<START_IP>", "prefix": <CIDR>}]' \
--namespace-network-network-subnet-prefix-length <LENGTH> \
--namespace-network-network-namespace-network-cidrs '[{"address": "<START_IP>", "prefix": <CIDR>}]'

For the list of parameters use the command: dcli com vmware vcenter namespaces instances create --help