Hello community,
I'm having some issues when trying to integrate our NSX lab with Fortinet (the main goal here is to achieve microsegmentation with a third party).
We are using the attached PDF guide as a reference.
Now, the configurations from the NSX point of view are as follows:
1.- Configure the Agent VM setting. For some reason, when I configure it from the web client, the "network" section appears blank, but I made sure through the desktop client:
2.- Configure Host Preparation (this was already in place before we tried this integration), no problem there:
3.- Configure services definitions: check!
4.- Configuring the "service deployment" is the problem, I'm having the following error:
Error: Installation of deployment unit failed, please check if ovf/vib urls are accessible, in correct format and all properties in ovf environment have been configured in service attributes, please check logs for details
I've been trying to troubleshoot this, following these guides:
1.- Deployment of VMware endpoint service in NSX. and then NSX-v Host Preparation – VMware Professional Services
In the last URL, the approach focuses on the "Host Preparation", which, as far as I can tell, is fine.
2.- I found a solution in a Checkpoint's KB article:
I ran that command in the vCenter CLI but it says:
vcenter:~ # cat /var/log/vmware/vpx/eam.log
cat: /var/log/vmware/vpx/eam.log: No such file or directory
I've tried many times with different syntax and I'm still receiving the same error each time.
3.- Similar article from Trendmicro; following the resolution did not work:
So in conclusion I'm open to suggestions, comments and advice, and in case you need more info, like logs, please let me know how to fetch it and I'll be more than happy to provide it.
Help please !!!
When you do the service deployment, does it even start deploying the service VM? Do you see a task starting to deploy the OVA? If not, then you need to check the vCenter eam log and the ESXi vmkernel log to see why it doesn't start.
Location of the log files in a vSphere 6.0 environment can be found here, Location of VMware vCenter Server 6.0 log files (2110014) | VMware KB and here, vSphere 6.0 Documentation Center
Thanks for your reply erikverbruggen,
I ran the command:
cat /var/log/vmware/eam/eam.log
But the output is so long I do not know what I'm looking for.
Can you give me a clue?
In my experience, you can either use the Agent VM settings on every ESXi host and point the NSX Manager Service Deployment configuration to use 'Specified on host',
or you can ignore the Agent VM settings and just configure the datastore and portgroup globally in the NSX Manager Service Deployment.
This is also stated in the FortiGate-VMX Installation Guide, page 16:
Configuring ESXi Agent VM Settings
The Agent VM Settings must be properly set on each ESXi host which you plan to make part of the cluster.
For larger environments, these values can also be configured via the NSX Manager during the Service Deployment step.
Regarding the logs, try
cat /var/log/vmware/eam/eam.log | grep "URL"
or
cat /var/log/vmware/eam/eam.log | grep "Validating URL"
Take note of when the configuration failed so you can look at that time window.
You can share/upload the logs here as well if you don't mind to share any config information that might be inside the log.
By the way, NSX 6.1.x is end of support: End of General Support: VMware NSX for vSphere 6.1.x (2144769) | VMware KB
I would suggest you use NSX 6.2.x; FortiGate-VMX is supported in NSX 6.2.x as per this KB: Fortinet FortiGate-VMX, VMware NSX v6.2.2, VMware vSphere v6.0 (2146818) | VMware KB
Double check your NTP & DNS (forward & reverse) settings. Make sure the vCenter, NSX Manager and ESXi host times are in sync and that forward & reverse DNS can be resolved.
Bayu thanks for your reply,
I'm gonna do the upgrade first, I'm gonna take it to 6.2 version and then I'll try the configuration again, I'll come back with the news.
Thanks again
bayupw
Hello again Bayu,
So I took the first suggestion and I upgraded the NSX to version 6.2 (my GOD that took a lot of time!)
Now I'm following the time sync configuration and I found a problem (I was using different NTPs or there were no NTP servers configured). So I set up everybody to server 0.pool.ntp.org.
That is: ESXi Host (using web client), NSX Manager (using NSX manager web interface) and vCenter Server Appliance (using CLI commands)
Now I'm having this issue with the time zones:
[Image: NTP config]
For vCenter Server Appliance:
Fri Mar 31 16:08:16 UTC 2017
For ESXi host:
Fri Mar 31 17:06:50 UTC 2017
For NSX Manager:
Fri Mar 31 12:06:32 EDT 2017
As you can see, vCenter and ESXi share the same time zone (UTC) but differ by 1 hour.
And the NSX Manager uses EDT time zone (which BTW is the one I should use)
Now I was looking at: vCenter 5.5 Cannot change timezone
And to this other couple of URLs: Adjusting ESX host Time Zone (1436) | VMware KB & https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=20579...
And as a conclusion (correct me if I'm wrong) I have the following scenario:
I cannot change the timezone for vCenter using the vCenter console (already checked)
I cannot change the timezone for ESXi host version 5.x plus using CLI commands (did not check, just read about it)
The only way I see is this: vSphere 6.0 Documentation Center
Which is connecting to the vCenter Server Appliance (using: https://IPaddressVCENTER:5480) but I can't. It's like that service is not available. I also have browsed through the vCenter console but there are not too many options in there.
What would be the recommendation? What would you do?
Because every time I try any configuration, the error is regarding the NTP misconfiguration.
I'm losing my mind.... SOS.
Never mind, bayupw
I set up the time zone in the NSX Manager (even though it is the wrong one) but now it matches the vCenter NTP config
[Image: NTP config new]
Still have a difference with the ESXi config but the errors seem to stop. I'll get back with more news.
Yes, the timezone should be fine as long as all components are synced to the same NTP.
Timezone is just for your convenience only, in my opinion.
All logs will be in UTC too.
So if you are looking for logs, don't forget to look against UTC timezone
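Added example, not part of the original thread: normalizing the three clock readings posted above to UTC separates a time zone difference from a real clock offset. The `TZ_OFFSETS` table, the function names and the 300-second tolerance (the readings were taken by hand, not simultaneously) are assumptions made for this illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed offsets for the two abbreviations that appear in the thread; extend as needed.
TZ_OFFSETS = {"UTC": 0, "EDT": -4}

# Readings copied from the post above.
READINGS = {
    "vcenter": "Fri Mar 31 16:08:16 UTC 2017",
    "esxi": "Fri Mar 31 17:06:50 UTC 2017",
    "nsx-manager": "Fri Mar 31 12:06:32 EDT 2017",
}


def to_utc(date_output):
    """Parse `date`-style output ('Fri Mar 31 12:06:32 EDT 2017') into an aware UTC datetime."""
    _dow, mon, day, clock, tz, year = date_output.split()
    if tz not in TZ_OFFSETS:
        raise ValueError(f"unknown time zone abbreviation: {tz}")
    naive = datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
    local = naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[tz])))
    return local.astimezone(timezone.utc)


def skew_report(readings, reference, tolerance_s=300):
    """Return {name: (seconds relative to reference, within_tolerance)}."""
    ref = to_utc(readings[reference])
    report = {}
    for name, raw in readings.items():
        delta = (to_utc(raw) - ref).total_seconds()
        report[name] = (delta, abs(delta) <= tolerance_s)
    return report


if __name__ == "__main__":
    for name, (delta, ok) in skew_report(READINGS, "vcenter").items():
        print(f"{name:12s} {delta:+8.0f} s  {'ok' if ok else 'OUT OF SYNC'}")
```

Once converted, the EDT reading from NSX Manager sits within two minutes of vCenter, while the ESXi reading is the one that is roughly an hour off.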
Ok so I tried the
And I started to check on the logs (I'm not really sure how to export the entire log for you to see) and something caught my attention:
(eam.Agent.ConfigInfo) {
dvFilterEnabled = <unset>,
dvFilterEnabled = <unset>,
rebootHostAfterVibUninstall = <unset>,
vmciService = String [
'dvfilter:SlowPathConnect',
],
productLineId = <unset>,
vibName = <unset>,
hostVersion = '6.*',
vibMatchingRules = <unset>,
ovfEnvironment = (eam.Agent.OvfEnvironmentInfo) {
ovfProperty = (eam.Agent.OvfEnvironmentInfo.OvfProperty) [
(eam.Agent.OvfEnvironmentInfo.OvfProperty) {
value = 'serviceinstance-1',
key = 'agentName',
},
(eam.Agent.OvfEnvironmentInfo.OvfProperty) {
value = '10.1.1.1',
key = 'serviceManagerIP',
},
],
},
Now, the first time we placed the VMX.ovf it was on that server, but we changed it to 10.6.0.159 and even changed the port to 8085.
Maybe I need to reset the eam agent so it can catch up with the change?
Is that possible?
bayupw
Here is the output for the first command:
vcenter:~ # cat /var/log/vmware/eam/eam.log | grep "URL"
at com.vmware.eam.AgencyImpl.checkURL(AgencyImpl.java:1089)
at com.vmware.eam.AgencyImpl.checkURL(AgencyImpl.java:1089)
at com.vmware.eam.AgencyImpl.checkURL(AgencyImpl.java:1089)
at com.vmware.eam.AgencyImpl.checkURL(AgencyImpl.java:1089)
at com.vmware.eam.AgencyImpl.checkURL(AgencyImpl.java:1089)
at com.vmware.eam.AgencyImpl.checkURL(AgencyImpl.java:1089)
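Added example, not part of the original thread: `grep "URL"` above matches only the `checkURL` stack frames, while the reason for the failure is on the lines that precede each trace. This sketch groups Java stack traces and returns the lines before any trace that passes through a given frame; the sample log is constructed (timestamps, messages and the placeholder URL are made up), and only the `checkURL` frame is taken from the post.

```python
import re

# Constructed sample: general shape of a Java log with stack traces.
SAMPLE_LOG = """\
2017-03-31T16:04:58Z INFO  Validating URL: http://ovf-host.example/placeholder.ovf
2017-03-31T16:05:01Z ERROR Cannot access URL
java.net.ConnectException: Connection refused
\tat java.net.PlainSocketImpl.socketConnect(Native Method)
\tat com.vmware.eam.AgencyImpl.checkURL(AgencyImpl.java:1089)
2017-03-31T16:05:02Z INFO  unrelated message
java.lang.IllegalStateException: something else
\tat com.example.Other.run(Other.java:10)
"""

# A stack frame line: optional indentation, "at", a qualified name, "(...)".
FRAME = re.compile(r"^\s*at\s+\S+\(.*\)\s*$")


def traces_through(text, needle="AgencyImpl.checkURL", context=2):
    """Return [(preceding_lines, frames)] for each trace with a frame containing needle."""
    results, header, frames = [], [], []

    def flush():
        if frames and any(needle in f for f in frames):
            results.append((header[-context:], list(frames)))

    for line in text.splitlines():
        if FRAME.match(line):
            frames.append(line.strip())
            continue
        if frames:  # a non-frame line closes the current trace
            flush()
            header.clear()
            frames.clear()
        header.append(line)
    flush()  # trace that runs to the end of the input
    return results


if __name__ == "__main__":
    for before, frames in traces_through(SAMPLE_LOG):
        print("\n".join(before))
        print(f"  ({len(frames)} frames, last: {frames[-1]})")
```

On a real log, pass the file contents as `text`; the first returned line carries the timestamp, which can then be matched against the time the deployment failed.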
As far as I know the URL configuration is under FortiGate VMX-Service-Manager > VMware > Settings
If the URL/Image location has been updated and the eam logs are showing that, try to remove the existing Fortigate VMX service definition from NSX under Networking & Security > Installation > Service Deployment.
Remove the service definition for Fortigate VMX and create a new one.
You could also try restarting the EAM, see this blog post NSX Host preparation failure. Restart EAM – vLenzker
bayupw
Bayu great news!
I didn't have to remove the entire Service Definition, I just changed the URL (because like I said before we had to change the location for the web server in the middle of the installation) here:
[Image: Service Definitions Edit] [Image: OVF URL CHANGE]
Now we have this:
[Image: Service Deployment UP]
So I'll continue from this point on and see how it goes.
Thanks for your support bayupw
I'm sorry the other jpeg did not show up in the last reply:
Hi Leo, glad to hear you got it working and thanks for sharing this information.