HCX Transport Analytics fails with "A firewall is preventing the ICMP traffic" after HCX Manager IP change


Article ID: 441912


Updated On:

Products

VMware HCX

Issue/Introduction

  • HCX Transport Analytics or Transport Monitor displays the error:
    No uplink metrics data is available for the selected uplink for the given duration. This can be caused by the following:
    . Service mesh tunnels are down.
    . Source environment is behind a NAT.
    . A firewall is preventing the ICMP traffic.
  • The error persists even when firewall rules are confirmed to allow ICMP traffic.
  • The issue typically occurs after a "Re-IP" (IP address change) of the HCX Manager or Connector.

Environment

VMware HCX

Cause

When the HCX Manager IP address is modified, the self-signed certificate is not automatically updated. The Subject Alternative Name (SAN) continues to point to the old IP address, causing failures in workflows.

Resolution


Note: These steps require a maintenance window as they involve appliance redeployment and downtime.

  1. Backup: Perform a full backup of the HCX Manager configuration before making any changes. 

  2. Run Remediation Script: 

    1. Copy the attached replaceSelfSignedCert.zip to the HCX

    2. Unzip the replaceSelfSignedCert.zip

      unzip replaceSelfSignedCert.zip
      Archive:  replaceSelfSignedCert.zip
        inflating: cert_req.cnf.template
        inflating: replaceSelfSignedCert.sh

    3. Run the script. 

      ./replaceSelfSignedCert.sh
      Generating self-signed certificate
      Path:
      /usr/pgsql/13/bin:/opt/vmware/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/bin:/usr/sbin/:/bin:/sbin
      After Application Service restart is complete, redeployment of HCX-WAN-IX appliance is required for changes to take effect


  3. Redeploy Fleet Appliances: Redeploy the HCX Interconnect and WAN Optimization appliances to ensure they recognize the updated management certificates. This step will result in temporary downtime for active migrations or network extensions. 

  4. Verification: Confirm that Transport Analytics is functional and the ICMP error is no longer present. 
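
The condition described under Cause can be checked directly, before and after running the remediation script, by comparing the certificate's SAN with the current management IP. The following is an added example, not part of the attached script or of HCX; the function names, the documentation-range IP addresses and the throwaway certificate are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: detect a self-signed certificate whose SAN still lists the
# pre-Re-IP address. Assumes OpenSSL 1.1.1 or later and IPv4 addresses.
# On a live system the PEM would be saved from the appliance instead, e.g.
# with "openssl s_client -connect <manager>:443" (port 443 is an assumption).

# Print one SAN entry per line (e.g. "IP Address:192.0.2.10") for a PEM file.
cert_san_entries() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 only if the SAN holds exactly this IP. Whole-line matching keeps
# 192.0.2.1 from being accepted because 192.0.2.10 is present.
san_has_ip() {
    cert_san_entries "$1" | grep -Fxq "IP Address:$2"
}

# Print OK when the certificate covers the current IP, STALE otherwise.
check_manager_cert() {
    if san_has_ip "$1" "$2"; then
        echo "OK"
    else
        echo "STALE"
    fi
}

# Constructed sample: a throwaway self-signed certificate whose SAN holds
# a single IP, standing in for the certificate issued before the Re-IP.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=hcx-manager.example.test" \
        -addext "subjectAltName=IP:$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

workdir=$(mktemp -d)
make_sample_cert 192.0.2.10 "$workdir/old.pem"            # old IP (constructed)
check_manager_cert "$workdir/old.pem" 192.0.2.10          # IP before the change
check_manager_cert "$workdir/old.pem" 198.51.100.20       # IP after the change
rm -rf "$workdir"
```

A STALE result for the current management IP matches the cause above; after the script and the Application Service restart, the same check against the new certificate should report OK.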

Additional Information

Considerations for Re-IPing HCX Manager
SSH service fails to start after HCX manager IP change

Attachments

replaceSelfSignedCert.zip