VMware Networking Community
ashsevenuk80
Enthusiast

Upgrade, redeploy the edge fails

Hi,

I’m trying to upgrade a single standalone edge from 6.2.5 to 6.4.4.

Hosts, NSX Manager, controllers, even the VCSA and host are all up to date, but the edge will not upgrade.

Tried moving its resources to another host. Disabled HA for the single edge.

I have noticed the edge has a different name in vCenter Inventory. I’ve tried to change the name in the inventory, but when you go into the edge it states the old name.

Let me know if you’ve come across this issue before.

Thank you

1 Solution

Accepted Solutions
ashsevenuk80
Enthusiast

Hi,

Managed to find the object that was causing a conflict in the firewall rules. Thank you for all your help.

The link I sent in my last email was just an alternative, but you’re right, if that object isn’t there then you’ll get nothing. I found it useful as I tried to search other objects but without success.

Once again. Thanks


8 Replies
sk84
Expert

What are the versions of your NSX Manager and NSX Controllers?

And what do you mean by "but the edge will not upgrade"? Is there an error message during the upgrade process? And how do you upgrade? Through the NSX Upgrade Manager or manually?

When upgrading our Edge Gateways from 6.2.x to 6.3.x and from 6.3.x to 6.4.x in the past, we had problems with static routes, SSL VPN and IPSec VPN configurations because some details changed between versions and the upgrade process failed for some edges. But we could see these "misconfigurations" from the error messages during the upgrade. At the end, we had to adjust these configurations and the upgrade process was successful for all edges.

--- Regards, Sebastian VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
0 Kudos
ashsevenuk80
Enthusiast

Hi,

So the versions for controllers, VIBs on hosts, and NSX Manager are all running 6.4.4. The VCSA has been upgraded to 6.7, including hosts.

Error:[Firewall] invalid grouping object vm-84 the object does not exist or is not available for nsx edge <name>

Other errors:

edge firewall rule modified as vm-84 is no longer available for edge

Current version of the edge is 6.2.5.

When I try to upgrade or redeploy, it spouts the above error message. I’ve disabled HA and migrated the VM to a different host.

I have noticed the VM has a different name in the inventory to what it has in NSX. I’ve tried to change the name and migrate the VM after, but that hasn’t changed anything. Still can’t upgrade.

Is there a way to force an upgrade via the command line?

The edge has one uplink and internal. All connected and functional.

Can’t see anything in the rules, no vm 84 or reference to this. What if I stop the firewall in the status and then upgrade? Will it still copy all the rules to the redeployed/upgraded edge?

0 Kudos
sk84
Expert

Okay. So you have a firewall rule with an orphaned object (moRef Id vm-84) in the source or destination field and this error prevents the edge gateway from upgrading. Delete or modify this corresponding firewall rule and the upgrade should work.

To find out which VM has this moRef Id vm-84 you can use the MOB:

https://YOUR-VCENTER-HOSTNAME-OR-IP/mob/?moid=vm-84

In the table you should see a property with the name "name". Search for this VM in the firewall rules and update the firewall rule(s).

Maybe this vm was deleted. In that case the mob query will return nothing except a 404 error.

And as a side note:

Renaming edge gateways outside of NSX is not supported and you shouldn't do that. Migrating edge gateways to different hosts in the same cluster via vMotion is supported and possible. But both things aren't responsible for this error. The error message indicates that an object in the firewall rules is missing and that prevents the upgrade. So, the only way is to clean up your firewall rules.

--- Regards, Sebastian VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
ashsevenuk80
Enthusiast

Hi,

First of all, thank you for your help on this.

I’ve tried to locate this via the /mob but nothing is found. Is there another way of searching objects by moid? Where in the MOB are all the objects listed? I can do a manual search.

Is there any other way of finding which object in the firewall it’s referring to?

0 Kudos
sk84
Expert

You could use the NSX API for that. At first, look for the edge Id in the summary tab of the edge gateway.

If you've found the edge Id (for example: edge-1), you can query the API to get all firewall rules for this edge gateway (replace "edge-1" with your edge Id):

GET https://YOUR-NSX-MANAGER-IP-OR-HOSTNAME/api/4.0/edges/edge-1/firewall/config

In the response body you can search for the string "vm-84" and you should find a rule with a rule tag.

For example:

...
        <firewallRule>
            <id>143400</id>
            <ruleTag>143400</ruleTag>
            <name> </name>
            <ruleType>user</ruleType>
            <enabled>true</enabled>
            <loggingEnabled>false</loggingEnabled>
            <description></description>
            <matchTranslated>false</matchTranslated>
            <action>accept</action>
            <source>
                <exclude>false</exclude>
                <groupingObjectId>ipset-103</groupingObjectId>
            </source>
            <destination>
                <exclude>false</exclude>
                <groupingObjectId>vm-118462</groupingObjectId>
                <groupingObjectId>vm-118463</groupingObjectId>
            </destination>
            <application>
                <applicationId>application-57</applicationId>
                <applicationId>application-53</applicationId>
            </application>
        </firewallRule>
...

If you have the rule tag, you can enable the "Rule Tag" column in the firewall section of the edge Gateway:

[Screenshot: ruletag.png]

Look for the rule tag which you've found via the API call and change or delete this rule.

--- Regards, Sebastian VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
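
The search described in the reply above, as an added example that is not part of the original post: it parses a saved response from the firewall config call and reports which rule tags reference a given grouping object, using an exact match so that vm-84 does not also hit vm-840. It goes one step further and lists every vm-* reference missing from a set of known VM moRef IDs; the sample XML, its `<firewall>`/`<firewallRules>` wrapper, the function names and the `live_vm_ids` set are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <firewallRule> element quoted above.
# The <firewall>/<firewallRules> wrapper is an assumption; iter() below
# finds the rules regardless of the wrapper element names.
SAMPLE_CONFIG = """<firewall><firewallRules>
  <firewallRule><id>143400</id><ruleTag>143400</ruleTag><name>web</name>
    <source><groupingObjectId>ipset-103</groupingObjectId></source>
    <destination><groupingObjectId>vm-118462</groupingObjectId></destination>
  </firewallRule>
  <firewallRule><id>143401</id><ruleTag>143401</ruleTag><name>legacy</name>
    <source><groupingObjectId>vm-84</groupingObjectId></source>
    <destination><groupingObjectId>ipset-103</groupingObjectId></destination>
  </firewallRule>
  <firewallRule><id>143402</id><ruleTag>143402</ruleTag><name>db</name>
    <source><groupingObjectId>ipset-103</groupingObjectId></source>
    <destination><groupingObjectId>vm-840</groupingObjectId></destination>
  </firewallRule>
</firewallRules></firewall>"""


def grouping_refs(config_xml):
    """Yield (ruleTag, field, objectId) for every source/destination reference."""
    for rule in ET.fromstring(config_xml).iter("firewallRule"):
        tag = rule.findtext("ruleTag")
        for field in ("source", "destination"):
            for obj in rule.findall(f"{field}/groupingObjectId"):
                yield tag, field, (obj.text or "").strip()


def rules_referencing(config_xml, object_id):
    """Rules that use exactly object_id (vm-84 must not match vm-840)."""
    return [(t, f) for t, f, o in grouping_refs(config_xml) if o == object_id]


def orphaned_vm_refs(config_xml, live_vm_ids):
    """Map each vm-* reference missing from live_vm_ids to its rule tags."""
    orphans = {}
    for tag, _field, obj in grouping_refs(config_xml):
        if obj.startswith("vm-") and obj not in live_vm_ids:
            orphans.setdefault(obj, []).append(tag)
    return orphans


if __name__ == "__main__":
    print(rules_referencing(SAMPLE_CONFIG, "vm-84"))
    # live_vm_ids would come from the vCenter inventory; constructed here.
    print(orphaned_vm_refs(SAMPLE_CONFIG, {"vm-118462", "vm-840"}))
```

Running the second check against every edge before an upgrade surfaces stale firewall references while the rule can still be reviewed and corrected deliberately.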
ashsevenuk80
Enthusiast

Hi,

Does the API feature need to be enabled? Getting error: http status 403 forbidden

REST API needs installing?

Once again, thank you for your help.

Also, for those that are reading this: an alternative method to finding the VM in /MOB

VMware Knowledge Base

This will list all the VMs, hosts, etc.

0 Kudos
sk84
Expert

The REST API of the NSX Manager is enabled by default. But you need a REST client to access it and authenticate yourself. Examples of some common REST clients are Postman or curl.

There are also a lot of articles out there that describe how to access and use the NSX API.

For example:

Getting Started With NSX REST API

also, for those that are reading this. An alternative method to finding the vm in /MOB

The problem is, if the VM was deleted or unregistered, you won't find it through the MOB anymore. The MOB only has a current image of the vSphere environment and no historical data.

--- Regards, Sebastian VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
0 Kudos