Segment created in NSX is not reflecting on vCenter portgroup


Article ID: 441873


Updated On:

Products

VMware NSX

Issue/Introduction

  • Segments created within the NSX Manager do not appear as port groups on the vSphere Distributed Switches (VDS) within vCenter.
  • Compute manager connection is showing up on NSX manager.
  • Re-authentication of the compute manager fails with error code 90206 indicating a Certificate Revocation List (CRL) verification error.
  • The API below returns several flags in a JSON structure, one of which is "crl_checking_enabled": true.
    GET https://<NSX Manager>/policy/api/v1/infra/security-global-config
    
    JSON response: 
    {
        "crl_checking_enabled": true,
        "ca_signed_only": false,
        "eku_checking_enabled": true,
        "id": "#########-####-####-####-###########",
        "_create_time": 1679339007871,
        "_create_user": "system",
        "_last_modified_time": 1679339007871,
        "_last_modified_user": "system",
        "_protection": "NOT_PROTECTED",
        "_revision": 0
    }

 

Environment

VMware NSX

Cause

  • Strict CRL checking is enabled within the global security configuration, preventing successful communication with the vCenter server.
  • Incompatibility between the provided certificate chain and the CRL distribution point leads to a synchronization failure between NSX and vCenter.

 

 

Resolution

Resolution:

  • Ensure that NSX is able to authenticate the vCenter with the CRL check enabled.
  • Refer to KB 440020 for detailed resolution.

Workaround:

  • Disabling the CRL check allows the compute manager to re-authenticate successfully and restores segment visibility.
  • Execute a GET request to `https://<NSX-Manager>/policy/api/v1/infra/security-global-config` to retrieve the current security configuration.
  • Perform a PUT request to the same endpoint with the payload `{"crl_checking_enabled": false}` to deactivate the global CRL verification.
  • Refer to KB 396503 for detailed API instructions.
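
The GET-then-PUT workaround above as a script, added here as an example and not code from this KB or from VMware. It assumes HTTP basic authentication and that the PUT accepts the full object returned by the GET (including `_revision`) with only `crl_checking_enabled` changed, and that the PUT returns the updated object; all function names are hypothetical.

```python
import base64
import json
import urllib.request

ENDPOINT = "/policy/api/v1/infra/security-global-config"  # path from the article

# Constructed sample: the flags from the article's GET response (id is a placeholder).
SAMPLE = {"crl_checking_enabled": True, "ca_signed_only": False,
          "eku_checking_enabled": True, "id": "placeholder-id", "_revision": 0}

def build_put_body(current, crl_enabled):
    """Copy the GET response and change only crl_checking_enabled."""
    # Assumption: the other flags and _revision are sent back unchanged so the
    # write cannot silently alter ca_signed_only or eku_checking_enabled.
    if "crl_checking_enabled" not in current:
        raise ValueError("response is not a security-global-config object")
    body = dict(current)
    body["crl_checking_enabled"] = crl_enabled
    return body

def changed_keys(before, after):
    """List keys whose values differ, to confirm nothing else was touched."""
    return sorted(k for k in before.keys() | after.keys() if before.get(k) != after.get(k))

def _call(manager, user, password, method, body=None, context=None):
    """One request to the endpoint; certificate verification stays on by default."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{manager}{ENDPOINT}", method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=context, timeout=30) as resp:
        return json.load(resp)

def set_crl_checking(manager, user, password, enabled, context=None):
    """GET the config, PUT it back with the flag changed, return (before, after)."""
    before = _call(manager, user, password, "GET", context=context)
    if before["crl_checking_enabled"] == enabled:
        return before, before  # already in the requested state, no write needed
    after = _call(manager, user, password, "PUT", build_put_body(before, enabled), context)
    return before, after
```

Calling `set_crl_checking(..., enabled=True)` restores strict checking once the resolution from KB 440020 is in place; keep the returned `before` object as a record of the original settings.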