In a VMware Cloud Foundation (VCF) environment, the connection between the NSX Manager and vCenter Server (registered as a Compute Manager) exhibits a Connection Status: Down or Disconnected state.
Diagnostic observations indicate the following:
Credential Mismatch: The specialized service account svc-sddc-manager-<hostname>-nsx-vip-<hostname>-<uid>, which facilitates the integration between SDDC Manager and NSX, was modified by an external third-party password management system.
Integration Failure: Within the NSX Manager UI, the service account used for the vCenter connection (svc-nsx-manager-<hostname>-<vcenter-hostname>@vsphere.local) displays no status or appears as --.
Management Blockage: Because the credentials on the NSX appliance no longer align with the secure vault in SDDC Manager, the automated password rotation tasks within SDDC Manager are unable to authenticate, preventing automated rotation of the password for svc-nsx-manager-<hostname>-<vcenter-hostname>@vsphere.local.
This discrepancy breaks the management plane communication required for SDDC Manager to oversee NSX-vCenter operations.
VMware Cloud Foundation 9.0.2
SDDC Manager uses the service account svc-sddc-manager-<hostname>-nsx-vip-<hostname>-<uid> to authenticate with NSX Manager. This account is automatically rotated by SDDC Manager every 30 days.
The service account svc-nsx-manager-<hostname>-<vcenter-hostname>@vsphere.local is used specifically for the integration and connectivity between NSX and vCenter Server. By design, SDDC Manager does not persist the password for this account locally, which is why the password field typically displays as -- in the UI.
The issue occurs because the svc-sddc-manager-<hostname>-nsx-vip-<hostname>-<uid> credentials were modified on the NSX Manager by third-party software. Consequently, SDDC Manager is unable to log in to NSX Manager, which prevents it from updating or managing the configuration of the svc-nsx-manager-<hostname>-<vcenter-hostname>@vsphere.local service account.
For further details, refer to the document:
Account Management Design
Step 1: Synchronize Credentials on NSX Manager
Log in to the NSX Manager appliance via SSH using root credentials.
Stop the NSX Management Plane API service:
/etc/init.d/nsx-mp-api-server stop
Clear the password history to allow reuse of the previous password if necessary:
echo "" > /etc/security/opasswd
Reset the service account password to match the entry currently stored in the SDDC Manager database. (Refer to internal documentation to retrieve the current plaintext password from the commons.platform_credential table).
passwd svc-sddc-manager-<hostname>-nsx-vip-<hostname>-<uid>
Create the marker file to trigger a cluster-wide credential reset:
touch /var/vmware/nsx/reset_cluster_credentials
Start the NSX Management Plane API service:
/etc/init.d/nsx-mp-api-server start
Step 2: Remediate and Rotate in SDDC Manager
Log in to the SDDC Manager UI.
Navigate to Administration > Password Management.
Locate the service account svc-sddc-manager-<hostname>-nsx-vip-<hostname>-<uid>.
Perform a Remediate action using the password manually set in Step 1.4 to re-establish the trust relationship.
Once the remediation task completes successfully, perform a Rotate action on the account svc-nsx-manager-<hostname>-<vcenter-hostname>@vsphere.local to ensure the credentials are managed solely by SDDC Manager and align with the security policy.
Verify that the Compute Manager status in NSX Manager returns to Up.
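To confirm that the local service account was changed outside SDDC Manager's 30-day rotation, the last-change day recorded for the account can be compared with the last rotation SDDC Manager knows about. The following is an added example, not part of the original article or of VCF tooling; it assumes the appliance stores account ages in a standard shadow(5) file, that the operator supplies the day of the last known rotation, and it uses constructed account names and sample data.

```shell
#!/bin/sh
# shadow(5) field 3 = day of the last password change, in days since 1970-01-01.
ROTATION_DAYS=30   # SDDC Manager rotation interval stated in the article

# Write a constructed sample shadow file (not real data) and print its path.
sample_shadow() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
root:*:20400:0:99999:7:::
svc-sddc-manager-example:$6$constructed$hash:20461:0:99999:7:::
svc-other-example:$6$constructed$hash:20450:0:99999:7:::
EOF
    echo "$f"
}

# Print the last-change day for an account; fail if the entry is absent.
shadow_lastchg() {  # $1 = shadow file, $2 = account name
    awk -F: -v u="$2" '$1 == u { print $3; found = 1 } END { exit !found }' "$1"
}

# $1 = shadow file, $2 = account,
# $3 = day of the last rotation known to SDDC Manager (operator-supplied, assumption),
# $4 = today in days since epoch (defaults to the current date).
classify_change() {
    today=${4:-$(( $(date +%s) / 86400 ))}
    lastchg=$(shadow_lastchg "$1" "$2") || { echo "missing"; return 2; }
    case $lastchg in ''|*[!0-9]*) echo "unparseable"; return 2 ;; esac
    if [ "$lastchg" -gt "$3" ]; then
        echo "out-of-band"   # changed after the last rotation SDDC Manager knows of
    elif [ $(( today - lastchg )) -gt "$ROTATION_DAYS" ]; then
        echo "overdue"       # no change within the rotation interval
    else
        echo "in-sync"
    fi
}

# Demo on the constructed sample: account changed 11 days after the known rotation.
demo=$(sample_shadow)
classify_change "$demo" svc-sddc-manager-example 20450 20470   # prints "out-of-band"
rm -f "$demo"
```

On the appliance, the first argument would be /etc/shadow, read as root; an "out-of-band" result matches the credential mismatch described in this article.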