License Server console displays a black screen during boot due to Docker network conflict in VCF 9.1
search cancel

License Server console displays a black screen during boot due to Docker network conflict in VCF 9.1

book

Article ID: 441526

calendar_today

Updated On:

Products

VCF Operations VMware Cloud Foundation VMware vSphere Foundation

Issue/Introduction

  • After deploying the VCF 9.1 License Server and booting it, only a black screen is deployed on the console.
  • The license server appliance is deployed in a network using the IP address range of 172.16.0.0/12 (any IP address from 172.16.0.1 to 172.31.255.254) or is deployed with a gateway that has a routable path of 172.17.0.0/16.
  • Registering VCF Operations in connected mode shows the error message "Your license servers are still pending registration. Refresh to update the status.
  • Registering VCF Operations in disconnected mode and importing a verification file, shows the error message "The verification file is invalid. Generate a new verification file in the VCF Business Services console and upload it here."

Environment

  • VMware Cloud Foundation 9.1
  • VMware vSphere Foundation 9.1

Cause

The license server appliance’s use of an internal Docker bridge network is not able to function when detecting a conflict with the 172.17.0.0/16 routable path from the gateway.

Resolution

This is a known issue with VVF / VCF 9.1.0 and is fixed in License Server 9.1.0.0200  Build 25499768. Refer to VCF Operations 9.1.0.0200 Release Notes for details.   See Download Broadcom products and software for steps to download this release.

If you have already deployed license server 9.1.0, you will need to deploy a new license server of version 9.1.0.0200 or higher to fix this issue.  Add and Register an Additional License Server.

Additional Information

To verify that your external DNS and default Gateway IPs do not overlap with your internal Docker bridge, you must compare the host's actual network subnets with Docker’s automatically assigned or custom bridge ranges. Overlaps can cause severe traffic drops or routing failures.

 Identify your Host Gateway and DNS configuration

  1. View local routing: Run ip route show on the host to determine the default gateway and the primary external interface subnet.
  2. Check DNS addresses: Review the upstream DNS resolver by executing cat /etc/resolv.conf on the host to find the active nameserver IPs.

 Inspect the Internal Docker bridge network

  1. View the default bridge: Run docker network inspect bridge (or docker network inspect bridge --format='{{json .IPAM.Config}}') to check the subnet and gateway assigned to Docker's default internal network.
  2. View all networks: Run docker network ls to list custom networks, and use docker network inspect [network_name] to verify their Subnet and Gateway configurations.
Verify that your host's external DNS and Gateway IPs do not fall inside the IP ranges returned in Step 2. Pay close attention to standard overlapping ranges that Docker automatically allocates (e.g., 172.17.0.0/16 through 172.31.0.0/16). 

Verify Routing/Egress with ICMP tests

  1. Enter a running container with docker exec -it [container_id] /bin/sh.
  2. Attempt to ping your external Gateway: ping [Gateway_IP].
  3. Attempt to ping your external DNS server: ping [DNS_IP].
  4. If a packet hits an overlapping interface on the internal Docker bridge, the ping request will fail to leave the container, or it will be dropped with a network unreachable error.