VMware Networking Community
bridgegroup
Enthusiast

Can not start l2vpn server

Hello community.

For some reason I cannot enable L2VPN Service Status on the NSX because of the following error:

Configuration failed on NSX Edge vm <edge-01>.

[61952] Failed to add L2 VPN server configuration. : Invalid Certificate or Private Key

The CSR and SSC were generated.

During l2vpn configuration I point to the created certificate.

It is a fresh installation.

What have I missed?

Thanks

10 Replies
azharsoomro
VMware Employee

Hi Bridgegroup,

You have two options

- Use Edge Private key: On each edge, generate a certificate request file, issue a certificate from that file from your CA, and import the certificate (package) into the edge. In this case you are using the private key which is generated by the edge for the request.

- Use Custom CA Private key: Import a certificate generated from your CA into the Edge. This has been generated with the private key of your CA.

More details on this are mentioned in this blog

Managing NSX Edge and Manager Certificates | Spas Kaloferov's Blog

Thanks

Azhar

bridgegroup
Enthusiast

I've read all these docs before asking here...

I'll try to explain using pictures

grosas
Community Manager

In the second screenshot (l2vpn server settings) there is a checkbox "Use System Generated Certificate".  Are you checking this setting?  Other than that, everything looks great.

_____________________________________
Gabe Rosas (VMware HCX team at VMware)
Blog: hcx.design
LinkedIn: /in/gaberosas
Twitter: gabe_rosas
bridgegroup
Enthusiast

Hello grosas.

No, I do not check this box.

Because:

If I use selfsignedcert (do not check this box) I get the following data like here (selfsignedcert.png)

If I check this box then there is no data in the cert field (system.cert.png)

In both cases I've got the same error -

Configuration failed on NSX Edge vm pGW-0.

[61952] Failed to add L2 VPN server configuration. : Invalid Certificate or Private Key

What's wrong? ....

Thanks

grosas
Community Manager

In the admin guide it does say to check the box for using self-signed certs.  Maybe something went wrong during CSR / self-signing?  I would:

- Delete the cert.

- Reboot the ESG

- Open and observe logging for errors/exceptions

  Manager > sh manager log follow

  Edge > sh log follow

- Generate the CSR

- Self-Sign

- Reconfigure L2VPN server with cert

_____________________________________
Gabe Rosas (VMware HCX team at VMware)
Blog: hcx.design
LinkedIn: /in/gaberosas
Twitter: gabe_rosas
bridgegroup
Enthusiast

Hello grosas

It is a totally fresh installation.

I had the same error before. So I restarted the edge and recreated the certificates.

The same problem.

Though the ssl-vpn service started without any problems.

No ideas...

For one service there are no problems with the cert; for another, it's a nightmare...

larsonm
VMware Employee

Is HA enabled on the Edge appliance on which you are configuring the L2VPN? 


I ran into this issue, was running HA.  When I disabled HA, the issue was resolved.

bridgegroup
Enthusiast

Hello larsonm

No, there is no HA configured on the Edge.

Thanks.

p0wertje
Hot Shot

I did the same setup as you on 6.1.4 and it failed with the same error.

I did the setup on 6.2.0 and now it accepts the config.


Try upgrading to 6.2.0

Cheers,
p0wertje | VCIX6-NV | JNCIS-ENT | vExpert
Please kudo helpful posts and mark the thread as solved if solved
bridgegroup
Enthusiast

Hello p0wertje

It's really very strange.

I had to wait for several days without any changes and now it works.

I cannot understand the reason for such behaviour.
