Deploying NSX Controller fails in NSX-v 6.3.3 and 6.3.4

Article ID: 344899

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • In the NSX for vSphere 6.3.3 release, new NSX Controller deployment fails.
  • You see errors similar to:

 
  • In the NSX-v 6.3.4 release, new Controller deployment succeeds until January 1st, 2018, and any new Controller deployment fails after that date.
  • Existing NSX-v 6.3.3/6.3.4 Controller deployments show a prompt to change the password after login if 90 days have passed since the Controller was deployed, similar to:

  • The VTEPs are UP, but they are reported as Down.


Environment

VMware NSX for vSphere 6.3.x

Cause

The Photon-based Controllers have been set with a default 90-day password expiration (from release date) for the default user accounts (admin/root).
 
Controller deployment for any greenfield deployments, redeployment of existing Controllers, or upgrades to NSX 6.3.3 will fail as of Nov 2nd, 2017. However, for existing NSX 6.3.3/6.3.4 deployments, the user (admin/root) accounts in the Controllers will expire 90 days after the date they were deployed.

Notes:
  • NSX-v 6.3.4 will encounter the same issue starting on Jan 1st 2018.
  • Since the communication between NSX Manager and Controllers is based on certificates, the user account expiration does not cause any communication impact between any component and does not cause any data path outage.
  • The password expiration does not impact the HW component, but it does impact the status reporting as the NSX Manager cannot communicate with the NSX Controllers.

Resolution

The issue is resolved in the updated/reposted NSX for vSphere 6.3.3, 6.3.4 releases and newer versions of NSX for vSphere, available at VMware Downloads.
 
As a workaround for existing NSX-v 6.3.3/6.3.4 deployments, and to avoid encountering this issue while upgrading to newer versions of NSX for vSphere, VMware developed a signed script that sets the password for user accounts on the Controller to never expire. If the password has already expired, the script resets it to the one set by the user during initial Controller deployment.
 
The workaround requires two signed scripts to be executed sequentially using REST API calls to NSX Manager.
 
Download the attached signed_bsh_download_jar.encoded and signed_bsh_passwd_expiry_napi.encoded files.

Notes: Run the following POST calls on NSX Manager:
  1. Confirm IP connectivity from NSX Manager to all the NSX Controllers using the ping command. Proceed only after the IP connectivity is established.
  2. Method: POST
    URL: https://NSXMGR_IP/api/1.0/services/debug/script
    Authentication: Basic authentication (Username : admin)
    Headers: content-type - application/xml
    Body : copy contents of the attached file signed_bsh_download_jar.encoded.
    Expected Response: 200


    Note: When you copy and paste the contents into the body, ensure that no extra lines or characters are added at the end, or the API call will not run successfully. Proceed to step 3 only if the response is 200. File a support request with VMware support if the API call fails after multiple attempts. For more information, see How to file a Support Request in Customer Connect (2006985).
     
  3. Method: POST
    URL: https://NSXMGR_IP/api/1.0/services/debug/script
    Authentication: Basic authentication (Username : admin)
    Headers: content-type - application/xml
    Body : copy contents of the attached file signed_bsh_passwd_expiry_napi.encoded.
    Expected Response: 200


    Note: As a part of Step 3, the script will set a temporary password on the Controller, log in to the root shell and change the password for the user account back to the original password set during initial Controller deployment. If any or all of the Controllers are re-deployed, repeat the preceding steps again.
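
The two POST calls from steps 2 and 3, scripted with curl as an added example (not VMware's code). It assumes step 1 was already confirmed on NSX Manager and that the two attachments have been downloaded; `NSXMGR_IP`, `NSX_PASS`, `NSX_CACERT` and the function names are assumptions introduced here.

```shell
#!/bin/sh
# Added example, not VMware's code. Assumed environment variables:
#   NSXMGR_IP   NSX Manager address
#   NSX_PASS    password of the NSX Manager admin user
#   NSX_CACERT  optional CA bundle that validates the NSX Manager certificate

ENDPOINT_PATH=/api/1.0/services/debug/script

# POST one signed script file and print only the HTTP status code.
# --data-binary sends the file byte-for-byte, so nothing is appended to the body.
# Credentials are passed through curl's config on stdin, not on the command line
# (a password containing '"' or '\' must be escaped for curl's config syntax).
post_script() {
  printf 'user = "admin:%s"\n' "$NSX_PASS" |
    curl -sS -K - ${NSX_CACERT:+--cacert "$NSX_CACERT"} \
      -o /dev/null -w '%{http_code}' \
      -H 'Content-Type: application/xml' \
      --data-binary "@$1" \
      "https://${NSXMGR_IP}${ENDPOINT_PATH}"
}

# Run steps 2 and 3 in order; stop at the first response that is not 200.
#   $1 = command that posts a file and prints the status (default: post_script)
#   $2 = directory holding the two downloaded .encoded files (default: .)
# Returns 0 on success, 1 on a non-200 response, 2 on a missing file,
# 3 when the request itself fails.
run_workaround() {
  poster=${1:-post_script}
  dir=${2:-.}
  for name in signed_bsh_download_jar.encoded signed_bsh_passwd_expiry_napi.encoded; do
    file=$dir/$name
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 2; }
    code=$("$poster" "$file") || { echo "request failed: $name" >&2; return 3; }
    if [ "$code" != 200 ]; then
      echo "$name returned HTTP $code; not continuing" >&2
      return 1
    fi
    echo "$name: 200" >&2
  done
}

# Only contact NSX Manager when an address has been supplied.
if [ -n "${NSXMGR_IP:-}" ]; then run_workaround post_script "${1:-.}"; fi
```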


Additional Information

The table below describes the build numbers between the old NSX-v 6.3.3 / 6.3.4 and the new NSX-v 6.3.3 and 6.3.4, along with corresponding NSX Controller build numbers




Simplified Chinese: Deploying NSX Controller fails in NSX-v 6.3.3 and 6.3.4

Attachments

signed_bsh_download_jar.encoded
signed_bsh_passwd_expiry_napi.encoded