VMware Networking Community
leosilvapaiola

NSX Integration with Fortinet (Forti-VMX)

Hello community,

I'm having some issues when trying to integrate our NSX lab with Fortinet (the main goal here is to achieve microsegmentation with a third party).

We are using the attached PDF guide as a reference.

Now, the configurations from the NSX point of view are as follows:

1.- Configure the Agent VM setting, for some reason when I configure it from the web client, the "network" section appears in blank but I made sure through the desktop client:


2.- Configure Host Preparation (This was already in place before we try this integration), no problem there:


3.- Configure services definitions: check!


4.- Configuring the "service deployment" is the problem, I'm having the following error:


Error: Installation of deployment unit failed, please check if ovf/vib urls are accessible, in correct format and all properties in ovf environment have been configured in service attributes, please check logs for details

I've been trying to troubleshoot this, following these guides:

1.- Deployment of VMware endpoint service in NSX, and then NSX-v Host Preparation – VMware Professional Services

In the last URL, the approach focuses on the "Host Preparation", which, as far as I can tell, is fine.

2.- I found a solution in a Checkpoint's KB article:


I ran that command in the vCenter CLI but it says:

vcenter:~ # cat /var/log/vmware/vpx/eam.log

cat: /var/log/vmware/vpx/eam.log: No such file or directory

I've tried many times with different syntaxes and am still receiving the same error each time.

3.- Similar article from Trendmicro and following the resolution did not work.

So in conclusion I'm open to suggestions, comments and advice, and in case you need more info, like logs, please let me know how to fetch it and I'll be more than happy to provide it.

Help please!!!

13 Replies
erikverbruggen

When you do the service deployment, does it even start deploying the service VM? Do you see a task starting to deploy the OVA? If not, then you need to check the vCenter eam log and the ESXi vmkernel log to see why it doesn't start.

Location of the log files in a vSphere 6.0 environment can be found here, Location of VMware vCenter Server 6.0 log files (2110014) | VMware KB and here, vSphere 6.0 Documentation Center

leosilvapaiola

Thanks for your reply erikverbruggen,

I ran the command:

cat /var/log/vmware/eam/eam.log

But the output is so long I do not know what I'm looking for.

Can you give me a clue?

bayupw

In my experience, you can either use the Agent VM settings on every ESXi host and point the NSX Manager Service Deployment configuration to use 'Specified on host'.

Or you can also ignore the Agent VM settings and just configure the datastore and portgroup globally in the NSX Manager Service Deployment.

This is also stated in the FortiGate-VMX Installation Guide page 16

Configuring ESXi Agent VM Settings

The Agent VM Settings must be properly set on each ESXi host which you plan to make part of the cluster.

For larger environments, these values can also be configured via the NSX Manager during the Service Deployment step.

Regarding the logs, try

cat /var/log/vmware/eam/eam.log | grep "URL"

or

cat /var/log/vmware/eam/eam.log | grep "Validating URL"

Take note of when the configuration failed so you can look at that time window.

You can share/upload the logs here as well if you don't mind sharing any config information that might be inside the log.

By the way, NSX 6.1.x is end of support: End of General Support: VMware NSX for vSphere 6.1.x (2144769) | VMware KB

I would suggest you use NSX 6.2.x. FortiGate-VMX is supported in NSX 6.2.x as per this KB: Fortinet FortiGate-VMX, VMware NSX v6.2.2, VMware vSphere v6.0 (2146818) | VMware KB

Double check your NTP & DNS (forward & reverse) settings. Make sure the vCenter, NSX Manager and ESXi host times are in sync and the forward & reverse DNS can be resolved.

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
leosilvapaiola

Bayu thanks for your reply,

I'm gonna do the upgrade first, I'm gonna take it to 6.2 version and then I'll try the configuration again, I'll come back with the news.

Thanks again

leosilvapaiola

bayupw

Hello again Bayu,

So I took the first suggestion and I upgraded the NSX to version 6.2 (my GOD that took a lot of time!)

Now I'm following the time sync configuration and I found a problem (I was using different NTPs or there were no NTP servers configured). So I set up everybody to server 0.pool.ntp.org.

That is: ESXi Host (using web client), NSX Manager (using NSX manager web interface) and vCenter Server Appliance (using CLI commands)

Now I'm having this issue with the time zones:


For vCenter Server Appliance:

Fri Mar 31 16:08:16 UTC 2017

For ESXi host:

Fri Mar 31 17:06:50 UTC 2017

For NSX Manager:

Fri Mar 31 12:06:32 EDT 2017

As you can see, vCenter and ESXi share the same time zone (UTC) but differ by 1 hour.

And the NSX Manager uses EDT time zone (which BTW is the one I should use)

Now I was looking at: vCenter 5.5 Cannot change timezone

And to this other couple of URLs: Adjusting ESX host Time Zone (1436) | VMware KB  & https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=20579...

And as a conclusion (correct me if I'm wrong) I have the following scenario:

I can not change the timezone for vCenter using the vCenter console (Already checked)

I can not change the timezone for ESXi host version 5.x plus using CLI commands (did not check, just read about it)

The only way I see is this: vSphere 6.0 Documentation Center

Which is connecting to the vCenter Server Appliance (using: https://IPaddressVCENTER:5480) but I can't. It's like that service is not available. I also have browsed through the vCenter console but there are not too many options in there.

What would be the recommendation?  What would you do?

Because every time I try any configuration, the error is regarding the NTP misconfiguration.

I'm losing my mind.... SOS.

leosilvapaiola

Nevermind, bayupw

I set up the time zone in the NSX Manager (even though it is the wrong one) but now it matches the vCenter NTP config.

Still have a difference with the ESXi config but the errors seem to stop. I'll get back with more news.

bayupw

Yes, the timezone should be fine as long as all components are synced to the same NTP.

Timezone is just for your convenience, in my opinion.

All logs will be in UTC too.

So if you are looking for logs, don't forget to look against the UTC timezone.

leosilvapaiola

Ok so I tried the

And I started to check on the logs (I'm not really sure how to export the entire log for you to see) and something caught my attention:

(eam.Agent.ConfigInfo) {
         dvFilterEnabled = <unset>,
         dvFilterEnabled = <unset>,
         rebootHostAfterVibUninstall = <unset>,
         vmciService = String [
            'dvfilter:SlowPathConnect',
         ],
         productLineId = <unset>,
         vibName = <unset>,
         hostVersion = '6.*',
         vibMatchingRules = <unset>,
         ovfPackageUrl = 'http://10.1.20.99/fgt-vmx/FortiGate-VMX.ovf',
         ovfEnvironment = (eam.Agent.OvfEnvironmentInfo) {
            ovfProperty = (eam.Agent.OvfEnvironmentInfo.OvfProperty) [
               (eam.Agent.OvfEnvironmentInfo.OvfProperty) {
                  value = 'serviceinstance-1',
                  key = 'agentName',
               },
               (eam.Agent.OvfEnvironmentInfo.OvfProperty) {
                  value = '10.1.1.1',
                  key = 'serviceManagerIP',
               },
            ],
         },

Now the first time we placed the VMX.ovf was in that server but we changed it to 10.6.0.159 and even changed the port to 8085.

Maybe I need to reset the eam agent so it can catch up with the change?

Is that possible?

bayupw
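
An added example, not part of the original post and not VMware or Fortinet code: a small Python parser for the eam.Agent.ConfigInfo dump format shown above. It extracts ovfPackageUrl and the OVF properties and lists any URL that does not point at the host and port where the OVF is now served. The sample text is trimmed from the excerpt in the post; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Trimmed from the eam.log excerpt quoted in the post above
SAMPLE_LOG = """\
(eam.Agent.ConfigInfo) {
         ovfPackageUrl = 'http://10.1.20.99/fgt-vmx/FortiGate-VMX.ovf',
         ovfEnvironment = (eam.Agent.OvfEnvironmentInfo) {
            ovfProperty = (eam.Agent.OvfEnvironmentInfo.OvfProperty) [
               (eam.Agent.OvfEnvironmentInfo.OvfProperty) {
                  value = 'serviceinstance-1',
                  key = 'agentName',
               },
               (eam.Agent.OvfEnvironmentInfo.OvfProperty) {
                  value = '10.1.1.1',
                  key = 'serviceManagerIP',
               },
            ],
         },
"""

URL_RE = re.compile(r"ovfPackageUrl\s*=\s*'([^']*)'")
# The dump prints value before key inside each OvfProperty entry
PROP_RE = re.compile(r"value\s*=\s*'([^']*)',\s*key\s*=\s*'([^']*)'")

def parse_agent_configs(log_text):
    """Return one dict per ConfigInfo dump: its OVF URL and OVF properties."""
    configs = []
    for chunk in log_text.split("(eam.Agent.ConfigInfo)")[1:]:
        url = URL_RE.search(chunk)
        props = {key: value for value, key in PROP_RE.findall(chunk)}
        configs.append({"url": url.group(1) if url else None, "props": props})
    return configs

def stale_urls(configs, expected_host, expected_port):
    """List OVF URLs whose host or port differ from where the OVF is served."""
    stale = []
    for cfg in configs:
        if cfg["url"] is None:
            continue
        parts = urlsplit(cfg["url"])
        port = parts.port or (443 if parts.scheme == "https" else 80)
        if (parts.hostname, port) != (expected_host, expected_port):
            stale.append(cfg["url"])
    return stale

if __name__ == "__main__":
    cfgs = parse_agent_configs(SAMPLE_LOG)
    print(cfgs[0]["props"])
    print(stale_urls(cfgs, "10.6.0.159", 8085))  # new web server from the post
```

To run it against a real log, read /var/log/vmware/eam/eam.log into a string and pass it to parse_agent_configs in place of SAMPLE_LOG.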

leosilvapaiola

Here is the output for the first command:

vcenter:~ # cat /var/log/vmware/eam/eam.log | grep "URL"
        at com.vmware.eam.AgencyImpl.checkURL(AgencyImpl.java:1089)
        at com.vmware.eam.AgencyImpl.checkURL(AgencyImpl.java:1089)
        at com.vmware.eam.AgencyImpl.checkURL(AgencyImpl.java:1089)
        at com.vmware.eam.AgencyImpl.checkURL(AgencyImpl.java:1089)
        at com.vmware.eam.AgencyImpl.checkURL(AgencyImpl.java:1089)
        at com.vmware.eam.AgencyImpl.checkURL(AgencyImpl.java:1089)

bayupw

As far as I know, the URL configuration is under FortiGate VMX-Service-Manager > VMware > Settings.

If the URL/Image location has been updated and the eam logs are showing that, try to remove the existing Fortigate VMX service definition from NSX under Networking & Security > Installation > Service Deployment.

Remove the service definition for Fortigate VMX and create a new one.

You could also try restarting the EAM, see this blog post NSX Host preparation failure. Restart EAM – vLenzker

leosilvapaiola

bayupw

Bayu great news!

I didn't have to remove the entire Service Definition, I just changed the URL (because like I said before we had to change the location for the web server in the middle of the installation) here:

Now we have this:

So I'll continue from this point on and see how it goes.

Thanks for your support bayupw

leosilvapaiola

I'm sorry the other jpeg did not show up in the last reply:


bayupw

Hi Leo, glad to hear you got it working and thanks for sharing this information.
