NSX Alarm: NSX could not report the security usage to License Hub
search cancel

NSX Alarm: NSX could not report the security usage to License Hub

book

Article ID: 438230

calendar_today

Updated On:

Products

VMware vDefend Firewall VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

An alarm indicates that NSX is unable to report security core usage data back to the License Hub.

Periodic usage reporting is mandatory for maintaining license compliance and ensuring the continuous availability of vDefend/Security features.

Alarm: Security Usage could not be reported to License Hub.

Environment

NSX >= v9.1.0.0

Cause

The NSX Manager cannot reach the License Hub’s reporting endpoint. This is often due to network-layer interruptions or the License Hub’s ingestion service being unavailable.

Example Error (from /var/log/proton/nsxapi.log): 

2026-03-06T20:00:05.696Z ERROR NSX 9786 [nsx@4413 comp="nsx-manager" errorCode="MP1" level="ERROR" logger="TaskHelper" msgID="SECURITY" subcomp="manager" threadName="task-scheduler-6"] Failed to execute action USAGE_REPORTING.\norg.springframework.web.client.HttpServerErrorException$ServiceUnavailable: 503 Service Unavailable on POST request for "https://xxxxxxxxxxxx/usage": "upstream connect error or disconnect/reset before headers. reset reason: connection timeout”\n
.
.
.
.
2026-03-06T20:00:05.696Z INFO NSX 9786 [nsx@4413 comp="nsx-manager" level="INFO" logger="EndpointAlarmServiceImpl" msgID="POLICY" subcomp="manager" threadName="task-scheduler-6"] Generating an alarm for usage reporting failure.

Resolution

To restore usage reporting, customers should perform a systematic validation of the communication path:

1. Validate License Hub Service Health

  • Log in to the License Hub UI.

  • Navigate to Platform and verify all service components are in a "Healthy" state.

  • Go to Endpoint Management and check the connectivity status for the NSX Manager.

2. Test the Reporting Path (NSX to License Hub)

  • Log in to the NSX Manager CLI via SSH and test if the specific "usage" endpoint is reachable over HTTPS (Port 443):

    curl -k -v -X POST https://<License-Hub-IP-FQDN>/usage

    • Note: You expect an authentication error or a specific API response, but a "Connection Timeout" or "503" confirms a network or load balancer failure.

3. Network & Firewall Verification

  • Ensure that firewalls or Security Groups allow outbound traffic from the NSX Manager to the License Hub on Port 443.

  • Verify that there are no SSL-intercepting proxies that might be dropping the POST request headers, as usage reporting requires a secure, uninterrupted header exchange.

Powered by Wolken Software