Cleanup License Hub details from endpoints (i.e. NSX, SSP & AVI) when they are forcefully offboarded from the License Hub.

Article ID: 437477

Products

VMware vDefend Firewall, VMware vDefend Firewall with Advanced Threat Prevention, VMware Avi Load Balancer

Issue/Introduction

When an endpoint retains references to a License Hub instance to which it is no longer connected, the License Hub data must be cleaned up from the endpoint.

This situation typically occurs if:

  1. The original License Hub is no longer functioning properly or is decommissioned.
  2. The endpoint was forcefully offboarded while it was unresponsive.

Failure to perform this cleanup may cause complications when onboarding the endpoint to a new License Hub instance. Additionally, the endpoint may continue attempting to send data to the old / unresponsive License Hub instance.

Environment

License Hub 5.1.2

Cause

The endpoints are configured to send data to the License Hub instance to which they are onboarded. An endpoint cannot be onboarded to a new instance until it is disconnected from its current configuration.

If the previous License Hub is not removed, the endpoints will continue attempting to send data to the decommissioned instance and will be unable to connect to a new License Hub.

Resolution

For NSX Endpoints:

site-offboarding-cleanup-512.sh

(1) Execute the attached script from any Linux system that has direct access to the NSX Manager.

(2) Copy the attached bash script "site-offboarding-cleanup-512.sh" to SSP-I, or to any Linux system that has access to the NSX Manager, and run it.

Example usage:
./site-offboarding-cleanup-512.sh [-h|--host <mgr_host_ip>] [-u|--username <username>] [-p|--password <password>]
./site-offboarding-cleanup-512.sh -h <nsx-manager-ip> -u admin -p <nsx-manager-password> -t license

(3) After copying site-offboarding-cleanup-512.sh, make it executable:

chmod +x site-offboarding-cleanup-512.sh

(4) Provide NSX manager details, for example:

./site-offboarding-cleanup-512.sh -h nsx_manager_ip -u admin -p nsx_manager_admin_password

(5) After a successful cleanup, the output should look like this:

./site-offboarding-cleanup-512.sh -h x.x.x.x -u admin -p *******

 

Response of script:
Verifying connection...

Cleaning up Appliance Info Object...

cluster_id of appliance info object: d449f8f1-ff47-4cd1-9437-64892a25d2d0

appliance info object deleted successfully

Cleaning up Site Name...

Site name unbound successfully

Cleaning up principal identities...

deleted principal identity successfully: ssp_platform_egress_LICENSE_d449f8f1-ff47-4cd1-9437-64892a25d2d0

removing certificate for pi ssp_platform_egress_LICENSE_d449f8f1-ff47-4cd1-9437-64892a25d2d0

deleted certificate successfully: 1c3cb982-0599-4e5f-9ce7-30c081d7c40d

deleted principal identity successfully: ssp_platform_egress_mutable_LICENSE_d449f8f1-ff47-4cd1-9437-64892a25d2d0

removing certificate for pi ssp_platform_egress_mutable_LICENSE_d449f8f1-ff47-4cd1-9437-64892a25d2d0

deleted certificate successfully: b0028d36-4e9e-436d-b9ed-b23dec858251

deleted principal identity successfully: ssp_platform_kafka_LICENSE_d449f8f1-ff47-4cd1-9437-64892a25d2d0

removing certificate for pi ssp_platform_kafka_LICENSE_d449f8f1-ff47-4cd1-9437-64892a25d2d0

deleted certificate successfully: 9bf05328-603e-4ebd-933c-972510a08b4f

deleted principal identity successfully: ssp_platform_ingress_LICENSE_d449f8f1-ff47-4cd1-9437-64892a25d2d0

removing certificate for pi ssp_platform_ingress_LICENSE_d449f8f1-ff47-4cd1-9437-64892a25d2d0

deleted certificate successfully: e7d8641b-5890-4568-91a5-21bfde46459b

NSX Site cleanup complete.
 

To confirm successful cleanup, the user can validate the GET API response before and after executing the cleanup script. 

GET https://{{nsx-endpoint}}/api/v1/infra/ssp/registration/ -- Should show empty.
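
The before/after check described above can be scripted. The following is an added example, not one of the attached scripts: it prompts for the password instead of taking it with -p on the command line, where it would end up in shell history and the process list. Its reading of "empty" (no body, {}, [], null, or a list wrapper with zero results) is an assumption, and NSX_HOST, NSX_USER and BEFORE_FILE are hypothetical variable names.

```sh
#!/bin/sh
# Added example, not one of the attached scripts. NSX_HOST, NSX_USER and
# BEFORE_FILE are hypothetical names; the "empty" forms below are assumptions.
REG_PATH="/api/v1/infra/ssp/registration/"

# Return 0 when a response body holds no registration data. Assumed forms of
# "empty": no body, {}, [], null, or a list wrapper with zero results.
registration_is_empty() {
  compact=$(printf '%s' "$1" | tr -d '[:space:]')
  case "$compact" in
    ''|'{}'|'[]'|'null') return 0 ;;
    *'"result_count":0'*|*'"results":[]'*) return 0 ;;
    *) return 1 ;;
  esac
}

# GET the registration object from host $1 as user $2. The password is read
# from a prompt and given to curl as a config line on stdin, so it stays out of
# argv, `ps` output and shell history. The ( ) body runs in a subshell, so the
# password variable is gone when the function returns. A password containing
# " or \ would need escaping for curl's config syntax.
fetch_registration() (
  printf 'Password for %s@%s: ' "$2" "$1" >&2
  stty -echo; IFS= read -r nsx_pass; stty echo; echo >&2
  printf 'user = "%s:%s"\n' "$2" "$nsx_pass" |
    curl --silent --show-error --fail --config - "https://$1$REG_PATH"
)

# Compare the body saved before cleanup ($1) with the one fetched after ($2).
verdict() {
  if ! registration_is_empty "$2"; then echo "STALE_REGISTRATION"
  elif registration_is_empty "$1"; then echo "NOTHING_TO_CLEAN"
  else echo "CLEANED"; fi
}

if [ -n "${NSX_HOST:-}" ]; then
  # Live run: BEFORE_FILE holds the body saved before the cleanup script ran.
  before=$(cat "${BEFORE_FILE:-/dev/null}")
  after=$(fetch_registration "$NSX_HOST" "${NSX_USER:-admin}") || exit 2
  verdict "$before" "$after"
else
  # Offline demo on constructed bodies (not real NSX output); prints CLEANED.
  verdict '{"results":[{"id":"constructed"}],"result_count":1}' \
          '{"results":[],"result_count":0}'
fi
```

A STALE_REGISTRATION verdict means the endpoint still returns registration data after the cleanup script has run.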

 

For Avi Endpoints:

avi_cleanup.sh

1. Log in to the SSPI CLI as the sysadmin user.

2. Copy/download the attached script - avi_cleanup.py

3. Perform a dry run, then execute, using the following command:

python3 avi_side_cleanup.py --ip <AVI_CONTROLLER_IP> \
                            --username <AVI_USERNAME> \
                            --password <AVI_PASSWORD> \
                            --feature <SSP_FEATURE_TYPE> \
                            [--dry-run]
 

For SSP Endpoints:

ssp_cleanup.sh

1. Log in to the SSPI CLI as the sysadmin user.

2. Copy/download the attached script - ssp_cleanup.py

3. Perform a dry run, then execute, using the following command:

python3 ssp_cleanup.py --fqdn atpssp.example.com --username admin --password password --form-factor Licensing [--dry-run]

 

 

Attachments

ssp_cleanup.sh
site-offboarding-cleanup-512.sh
avi_cleanup.sh