Error during deployment of Gigamon vSeries node on NSXT using Service Deployment
Article ID: 439377

Products

VMware NSX

VMware vCenter Server

Issue/Introduction

Deploying a Gigamon vSeries node on NSXT fails with the errors shown below.

From the syslog of the NSX Manager:

YYYY-MM-DDTHH:MM:SS.771Z <NSXManager Hostname> NSX 5254 SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP40429" level="ERROR" reqId="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" subcomp="manager" username="Gigamon"] Error creating Agency in EAM for CM xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx  
YYYY-MM-DDTHH:MM:SS.776Z <NSXManager Hostname> NSX 5254 FABRIC [nsx@6876 comp="nsx-manager" level="INFO" reqId="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" subcomp="manager" username="Gigamon"] Updating existing deployment Unit:DeploymentUnit [id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, fabricModuleId=FabricModule/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx, fabricModuleVersion=6.13.00, computeResourceType=COMPUTE_COLLECTION, computeResourceId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:domain-cxxx, agencyId=null, goalState=ENABLED, isVlcmFlow=false, errors=null] to new deploymentUnit: DeploymentUnit [id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx, fabricModuleId=FabricModule/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx, fabricModuleVersion=6.13.00, computeResourceType=COMPUTE_COLLECTION, computeResourceId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx:domain-cxxx, agencyId=null, goalState=ENABLED, isVlcmFlow=false, errors={26134=Error creating agency for deployment unit xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx. Error while creating agency: "com.vmware.eam.security.trust.NotTrusted: Suitable trust, not found!" Please follow KB 93130. Delete this deployment and create another one.}]

In eam.log on the vCenter where the vSeries nodes will be deployed, the following error is logged while downloading the vSeries node OVF from Gigamon Fabric Manager:

YYYY-MM-DDTHH:MM:SS.648Z |  INFO | vlsi | URLConnectionSpecFactory.java | 88 | Created URLConnectionSpec(urlLocation:https://<GigamonFabricManagerIP>/api/v1.3/cloud/vmware/nsxt/images/ovf/<vseries-version>/vseries-node-file4.ovf, certificateVerification:true, certificateConfigured:false, headers: {} using default system VECS/system CAs trust
YYYY-MM-DDTHH:MM:SS.680Z | ERROR | vlsi | LegacyAgencyBase.java | 1154 | Agent OVF URL is not trusted.
com.vmware.eam.security.trust.NotTrusted: Suitable trust, not found!

 

Environment

NSX 4.x

vCenter 8.0.3 

Cause

The EAM service maintains its own "Trusted Certificates" store. When a new VM needs to be deployed on ESXi, NSX gives EAM a URL from which to download the OVF (e.g., https://<GigamonFabricManager>/repo/...). If the certificate presented by that URL is not in EAM's trust store, or if the vCenter extension certificate has changed and EAM hasn't updated its local cache, the handshake is rejected.

Resolution

The Gigamon Fabric Manager (FM) certificate needs to be installed on vCenter by following the procedure below so that EAM can download the OVF from FM.

  1. Install the certificate from Gigamon Fabric Manager by running the command below on the vCenter CLI:
    • python /usr/lib/vmware-eam/bin/eam-utility.py install-cert https://GigamonFabricManager/api/v1.3/cloud/vmware/nsxt/images/ovf/<vseries-version>/vseries-node-file4.ovf
  2. Restart the EAM service with the command:
    • service-control --restart vmware-eam

Note: The URL required for install-cert can be obtained by searching for "Agent OVF URL is not trusted" in eam.log on vCenter.
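The lookup described in the note, as an added example that is not part of the original article and is not VMware or Gigamon tooling: it pulls the rejected OVF URL from the URLConnectionSpec line logged before each "Agent OVF URL is not trusted" error, and can display the certificate that URL presents so it can be compared with the one configured on Fabric Manager before step 1. The function names, the sample host names and the sample log are constructed; the eam.log path is supplied by the operator.

```shell
# Added example (not VMware or Gigamon code). Log path and hosts are operator-supplied.

# Print each distinct OVF URL that EAM rejected as untrusted in the given eam.log.
untrusted_ovf_urls() {
    awk '
        /Created URLConnectionSpec[(]urlLocation:/ {
            url = $0
            sub(/.*urlLocation:/, "", url)  # strip text before the URL
            sub(/,.*/, "", url)             # strip the remaining spec fields
            next
        }
        /Agent OVF URL is not trusted/ {
            # Assumption: the error refers to the most recent connection spec.
            if (url != "" && !(url in seen)) { seen[url] = 1; print url }
            url = ""
        }
    ' "$1"
}

# Reduce an https URL to host:port (port 443 when none is given).
url_hostport() {
    hp=$(printf '%s\n' "$1" | sed -e 's|^https://||' -e 's|/.*||')
    case $hp in *:*) ;; *) hp="$hp:443" ;; esac
    printf '%s\n' "$hp"
}

# Show the certificate the server presents, for comparison before install-cert.
cert_fingerprint() {
    openssl s_client -connect "$(url_hostport "$1")" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -enddate -fingerprint -sha256
}

# Constructed sample log (not real data): one rejected URL seen twice, one accepted.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat >"$sample" <<'EOF'
2024-01-01T00:00:01.648Z |  INFO | vlsi | URLConnectionSpecFactory.java | 88 | Created URLConnectionSpec(urlLocation:https://fm.example.test/api/v1.3/cloud/vmware/nsxt/images/ovf/0.0.0/vseries-node-file4.ovf, certificateVerification:true, certificateConfigured:false, headers: {}
2024-01-01T00:00:01.680Z | ERROR | vlsi | LegacyAgencyBase.java | 1154 | Agent OVF URL is not trusted.
com.vmware.eam.security.trust.NotTrusted: Suitable trust, not found!
2024-01-01T00:05:01.648Z |  INFO | vlsi | URLConnectionSpecFactory.java | 88 | Created URLConnectionSpec(urlLocation:https://fm.example.test/api/v1.3/cloud/vmware/nsxt/images/ovf/0.0.0/vseries-node-file4.ovf, certificateVerification:true, certificateConfigured:false, headers: {}
2024-01-01T00:05:01.680Z | ERROR | vlsi | LegacyAgencyBase.java | 1154 | Agent OVF URL is not trusted.
com.vmware.eam.security.trust.NotTrusted: Suitable trust, not found!
2024-01-01T00:09:00.100Z |  INFO | vlsi | URLConnectionSpecFactory.java | 88 | Created URLConnectionSpec(urlLocation:https://trusted.example.test/agent.ovf, certificateVerification:true, certificateConfigured:false, headers: {}
EOF

untrusted_ovf_urls "$sample"
```

On the appliance, pass the real eam.log path to untrusted_ovf_urls and each printed URL to cert_fingerprint, which needs network access to Fabric Manager.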