SSP Deployment fails and SSPI UI becomes inaccessible.

search cancel

book

calendar_today

VMware vDefend Firewall

SSP deployment becomes stuck during the workload cluster deployment stage.
The SSPI appliance UI becomes inaccessible and pings to the SSPI IP start failing or become intermittent.
Pre-check VMs may intermittently fail or time out.
Connectivity to the first Control Plane (CP) node may be successful from external subnets, but ping from SSPI to the node pool gateway or CP nodes shows significant packet loss.
SSPI becomes accessible again, once the failed CP node is deleted.

SSP 5.1.1

This issue is caused by an IP address conflict between the SSPI appliance/Node IP pool/Service IP pool and the network gateway or firewall or any other appliance in the environment.
This caused ARP responses for the SSPI IP to point to the MAC address of the gateway instead of the SSPI VM interface, leading to misrouted traffic and packet loss during the deployment phase when multiple nodes begin communicating on the subnet.

Verify IP Conflict:
- Log into a test VM or another node in the same subnet.
- Ping the SSPI IP and then check the ARP table (arp -a).
- Compare the MAC address listed for the SSPI IP against the actual MAC address of the SSPI VM's eth0 interface in vCenter.
- If the MAC addresses do not match, or if it matches the MAC of your gateway firewall or other appliance, an IP conflict is confirmed.
Identify Unique IP Range:
- Coordinate with the Network team to identify a non-conflicting IP for the SSPI appliance.
- Define a unique, reserved IP range for the Node IP Pool and Service IP Pool that does not overlap with any gateway, firewall, or existing static assignments.
Redeploy:
- Remove the existing SSPI appliance.
- Perform a full cleanup of any orphaned deployment components in vCenter.
- Update DNS entries with the new non-conflicting IP address.
- Deploy a new SSPI appliance and initiate the SSP deployment using the updated configuration.

thumb_up Yes

thumb_down No