Service Mesh creation fails during trunk portgroup creation due to missing privileges on vCenter


Article ID: 440404


Updated On:

Products

VMware HCX

Issue/Introduction

VCF Operations HCX 9.1 introduces the creation of service accounts and HCX-specific roles in vCenter and NSX when HCX Manager is deployed via the installer on VCF Operations. HCX Manager then uses these service accounts to communicate with vCenter and NSX.

In vCenter Server, the role 'HCX To vCenter Service Account Role' is created with a set of privileges and assigned to the service account created as part of deployment.
These privileges allow user-triggered HCX operations to be performed on vCenter.

In VCF Operations HCX 9.1, Service Mesh deployment fails with the error below when both of the following are true:
1. During HCX Interconnect Service Mesh creation, the chosen switch pair uses a VMware Distributed Virtual Switch on one or both sites
2. The Network Extension mode for the appliances is 'Multiple Extensions per vNIC' (trunk bridge mode)

Error:

Service Mesh modification failed. Process Service Mesh failed. Interconnect Service Workflow ConfigureNetExtEdge failed. Error: Configuration update failed for appliance ###appliance name###. Reason: Network Extension workflow PrepareApplianceForNetworkExtension failed. Error: Operation timedout in state PREPARE_APPLIANCE_NETWORKS, Configuration update failed for appliance ###appliance name###. Reason: Network Extension workflow PrepareApplianceForNetworkExtension failed. Error: Failed to create trunk DVPG. Error: Permission to perform this operation was denied.

Environment

VCF 9.1
VMware HCX 9.1

Cause

This issue occurs because the 'HCX To vCenter Service Account Role' created in vCenter as part of HCX Manager deployment via the VCF installer lacks two privileges: DVPortgroup.Create and DVPortgroup.Delete.

Specifically:
DVPortgroup.Create - Allows HCX Manager to create the trunk portgroup during Service Mesh creation
DVPortgroup.Delete - Allows HCX Manager to delete the trunk portgroup during Service Mesh deletion

Resolution

To remediate the issue, add the missing privileges 'DVPortgroup.Create' and 'DVPortgroup.Delete' to the 'HCX To vCenter Service Account Role' created in vCenter as part of HCX Manager deployment via the VCF installer, using either PowerCLI or the vCenter UI.

  • Using PowerCLI:
    • Connect-VIServer <vcenter-ip> -User <sso-username> -Password <password>
    • Set-VIRole -Role "HCX To vCenter Service Account Role" -AddPrivilege (Get-VIPrivilege -Id "DVPortgroup.Create", "DVPortgroup.Delete")

  • Using vCenter UI:
    1) Log in to vCenter as Administrator
    2) Navigate to Administration > Roles
    3) Invoke the Edit action on the role 'HCX To vCenter Service Account Role'
    4) In the Edit Role wizard, scroll down to 'dvPort group' and select the 'Create' and 'Delete' privileges
    5) Click 'Save'
    6) Retry Service Mesh creation on HCX Manager
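The PowerCLI steps above grant the two privileges unconditionally. The script below is an added example (not part of this article or of HCX) that first checks which of the two privileges the role is actually missing, adds only those, and re-reads the role to confirm the fix, so the role stays limited to what HCX needs rather than being widened further. It assumes PowerCLI is installed and that $vcServer and $cred hold your vCenter address and SSO credentials.

```powershell
# Added example: idempotently add only the privileges named in this article to the
# HCX service-account role, then verify. Role name and privilege IDs are from the KB;
# $vcServer and $cred are assumed inputs supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $vcServer,
    [Parameter(Mandatory)] [pscredential] $cred
)
$roleName = 'HCX To vCenter Service Account Role'
$required = @('DVPortgroup.Create', 'DVPortgroup.Delete')

Connect-VIServer -Server $vcServer -Credential $cred -ErrorAction Stop | Out-Null
try {
    $role = Get-VIRole -Name $roleName -ErrorAction Stop

    # Privilege IDs the role carries today
    $have    = (Get-VIPrivilege -Role $role).Id
    $missing = $required | Where-Object { $have -notcontains $_ }

    if (-not $missing) {
        Write-Host "Role '$roleName' already has: $($required -join ', ')"
    } else {
        Write-Host "Adding to '$roleName': $($missing -join ', ')"
        $privs = Get-VIPrivilege -Id $missing -ErrorAction Stop
        Set-VIRole -Role $role -AddPrivilege $privs -Confirm:$false | Out-Null

        # Re-read the role and confirm every required privilege is now present
        $after = (Get-VIPrivilege -Role (Get-VIRole -Name $roleName)).Id
        $still = $required | Where-Object { $after -notcontains $_ }
        if ($still) {
            throw "Privileges still missing after update: $($still -join ', ')"
        }
        Write-Host "Verified: role now has $($required -join ', ')"
    }
} finally {
    Disconnect-VIServer -Server $vcServer -Confirm:$false
}
```

Run it once per vCenter in the switch pair; a second run reports the privileges as already present and changes nothing.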

Additional Information

This issue will be fixed in upcoming releases.