SSP Infrastructure Sync status is DOWN, Inventory Sync status is Unknown and site status shows for NSX as Not Ready

Products

VMware vDefend Firewall with Advanced Threat Prevention VMware vDefend Firewall

Issue/Introduction

NSX is in a Not Ready state if the infrastructure sync is DOWN and Inventory Sync is Unknown.

Possible Scenarios

This issue has been observed in the following scenarios:

Brownfield case: Upgrade of NSX 9.0.1 to 9.0.2 which is already onboarded to SSP.
Brownfield case: Upgrade of NSX 4.2.1 to 4.2.3 which is already onboarded to SSP.
Greenfield case: Onboarding of an affected NSX version to SSP 5.1.0/5.1.1.

Symptoms

Example 1

After logging into the SSPI installer and describing the site, you can see COMMON_INIT_COMPLETE failed:

k describe site -n nsxi-platform

Output:

status:
  conditions:
  - lastTransitionTime: "2026-02-09T21:11:57Z"
    message: COMMON_INIT_COMPLETE failed
    reason: AgentInitNotReady
    status: "False"
    type: CommonAgentReady

Example 2

After logging into the SSPI installer and describing the site, you can see COMMON_FULLSYNC failed:

- lastTransitionTime: "2026-05-27T17:20:08Z"
  message: 'COMMON_FULLSYNC failed due to: java.lang.Exception: produceCertMsgs'
  reason: FullSyncNotReady
  status: "False"
  type: CommonAgentReady
currentState: NotReady
message: OnboardingInProgress

NSX Manager UI Verification

Path: System > Certificates
Symptom: When filtering for "NAPP", the certificates NAPP_COMMON_AGENT, NAPP_METRICS_AGENT, and NAPP_PACE_AGENT show a count of 0 under the Used By column.

Environment

vDefend Security Services Platform(SSP) version: 5.1.0, 5.1.1

NSX versions where this is known issue: 4.2.0, 4.2.1.1, 4.2.1.2, 4.2.2 , 4.2.3, 9.0.0, 9.0.1, 9.0.2

Cause

A "race condition" occurred between the Common Agent and the Trust Management service. While the system correctly identified that a certificate was needed (Marker = True), the specific internal service responsible for generating that certificate was in the middle of a "leadership election." Because this service only acts on requests when it is the confirmed leader, the request to create the certificate was dropped and never retried.

Logs

SSP Site-Service Logs: (`k -n nsxi-platform logs <site-service-pod>`)

2026-03-11T14:58:00.758Z INFO reconcileNsxData patch {"request": {"name":"<UUID>","namespace":"nsxi-platform"}, "reconcileID": "<UUID>", "changed": true, "newSite": {"currentState":"NotReady","message":"OnboardingInProgress","nsxInfo":{"serviceNameRef":"nsx-<UUID>","version":"9.0.2.0.25150386","clusterStatus":"Degraded","nsxClusterID":"<UUID>","formFactor":"Medium"},"conditions":[{"type":"CertificatesInSync","status":"True","lastTransitionTime":"2026-03-10T16:26:02Z","reason":"CertificatesInSync","message":""},{"type":"ConnectionEstablished","status":"True","lastTransitionTime":"2026-03-10T16:26:02Z","reason":"ConnectionEstablished","message":""},{"type":"SiteConditionConfiguredPlatformDeploymentConfig","status":"False","lastTransitionTime":"2026-01-02T16:23:48Z","reason":"NotRequired","message":""},{"type":"CreatedNsxSspApplianceInfo","status":"True","lastTransitionTime":"2026-01-02T16:24:48Z","reason":"Created","message":""},{"type":"NsxStreamingReady","status":"True","lastTransitionTime":"2026-01-02T16:26:12Z","reason":"NsxConfigTOIUpdated","message":""},{"type":"CommonAgentReady","status":"False","lastTransitionTime":"2026-02-09T21:11:57Z","reason":"CommonAgentCertProfileNotReady","message":"COMMON_CERT_PROFILE_READY failed"},{"type":"PaceAgentReady","status":"True","lastTransitionTime":"2026-02-09T17:03:14Z","reason":"Ready","message":""},{"type":"IdsEnabled","status":"True","lastTransitionTime":"2026-01-30T10:32:14Z","reason":"IdsIsEnabled","message":""}]}}
2026-03-11T14:58:11.743Z ERROR Reconciler error {"request": {"name":"<UUID>","namespace":"nsxi-platform"}, "reconcileID": "<UUID>", "error": "subreconciler reconcileNappApplianceInfo failed: failed to filter agent status: agent AGENT_TYPE_COMMON is not enabled"}

Example 1: NSX Manager Logs (`/var/log/proton/nsxapi.log`)

2026-03-11T14:58:06.595Z ERROR kafka-producer-network-thread | producer-533 NetworkClient 6021 [Producer clientId=producer-533] Connection to node -1 (/<IP_ADDRESS>:9092) failed authentication due to: SSL handshake failed
2026-03-11T15:01:39.624Z ERROR GMLE-Leadership-Executor CommonAgentServiceImpl 6021 NAPP [nsx@4413 comp="nsx-manager" errorCode="MP1" level="ERROR" s2comp="CommonAgent" subcomp="manager"] Certificates are not ready
2026-03-11T15:01:39.635Z INFO GMLE-Leadership-Executor StatusTrackingServiceImpl 6021 INTELLIGENCE [nsx@4413 comp="nsx-manager" level="INFO" subcomp="manager"] updateAction COMMON_INIT_COMPLETE state ERROR

Example 2: NSX Manager Logs (`/var/log/proton/nsxapi.log`)

The logs show repeated failures to send data to the platform and Kafka timeout errors:

WARN CommonAgentDeltaProcessor CommonAgentKafkaClient [nsx@6876 comp="nsx-manager" level="WARNING" s2comp="CommonAgent" subcomp="manager"] Failed to send data to K8S platform during attempt 3
java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.TimeoutException: Topic intelligence_platform not present in metadata after 60000 ms.
ERROR intelligence-message-processor IntelligenceNsxCommunicationServiceImpl [nsx@6876 comp="nsx-manager" errorCode="PM91905" level="ERROR" subcomp="manager"] Failed to send config message updates to NSX Intelligence.
WARN kafka-producer-network-thread | producer-60 NetworkClient [Producer clientId=producer-60] Co

Resolution

This resolution requires updating the Corfu database and restarting the proton service on the nodes currently holding leadership for both the CertificateShardingServiceImpl and the CommonAgent.

Because these steps involve manual modifications to the Corfu database, we strongly recommend contacting Broadcom Support via a support ticket to assist with the execution.

This issue is tracked internally via the reference #3670505.