VMware Networking Community
AlexAckerman
Enthusiast

NSX-T 3.1 HTTPS Monitor is Not Supported for LB Server Pool

So this is strange.  I'm following along with the procedures to create a Load Balancer for Workspace ONE Access: https://docs.vmware.com/en/VMware-Validated-Design/6.0/sddc-deployment-of-cloud-operations-and-autom... 

I get to the step where I have to create the Server Pool and an annoying problem arises.  When I set the Active Monitor to be the HTTPS monitor that I created in an earlier step, it errors out whenever I try to save the Server Pool.  It gives me the following error:

https-monitor-error.png

 

The members of the pool have port 443 configured.  Only 1 of the members is currently active, but even when I tried to only have a single member (the vm that exists and is running), it still gives me the error.  I'm at a loss as to what I need to do.

NSX-T Version: 3.1

vSphere 7.0U1d

vCenter 7.0U1d

Workspace ONE Access 20.10

Thank you in advance!

Ack


Accepted Solutions
shank89
Expert

You are going to be restricted by your eval license.  The feature you are after isn't part of the eval license.

This link may assist you with further licensing, however it doesn't list the eval license. https://kb.vmware.com/s/article/78223

Shashank Mohan

VCIX-NV 2022 | VCP-DCV2019 | CCNP Specialist

https://lab2prod.com.au
LinkedIn https://www.linkedin.com/in/shankmohan/
Twitter @ShankMohan
Author of NSX-T Logical Routing: https://link.springer.com/book/10.1007/978-1-4842-7458-3


10 Replies
p0wertje
Hot Shot

Hi,

 

Could you also show some screenshots of the Virtual-server, the profile and the monitors? Preferably with all settings.

 

Cheers,
p0wertje | VCIX6-NV | JNCIS-ENT | vExpert
Please kudo helpful posts and mark the thread as solved if solved
AlexAckerman
Enthusiast

Sure!  I've been taking screen captures for my blog.  Since I can only add a single attachment, I added them to a PDF document.  Comments interspersed.  No profile is created as that was the next step I was to take according to the documentation.

 

Thank you!

Ack

p0wertje
Hot Shot

Hi,

 

I am trying to reproduce, but without any luck. Not getting the error.
Did you already create a VIP? Or just the pool?

Cheers,
shank89
Expert

Same here, I just created an active monitor, a server pool with 3 members and setting the active https monitor.

p0wertje
Hot Shot

What license are you using?

Cheers,
AlexAckerman
Enthusiast

My license is listed as "NSX Data Center Evaluation" from VMUG Advantage.  It is still valid.  I will try deleting the monitor and pool and recreate again.  No VIP has been assigned at this point.

AlexAckerman
Enthusiast

I think the license is the issue after all.  My nsx manager OVA is named nsx-unified-appliance-3.1.0.0.0.17107212-le.ova.  The LE I think stands for "Limited Export".  Nothing in the official documentation states there are any restrictions on what my evaluation license includes.  However, I found a blog https://www.virten.net/2020/04/nsx-t-3-0-evaluation-how-to-download-and-get-license-key/ that states the Limited Edition license doesn't include certain encryption standards.

Hmmmm....It's my SSL certificate that is causing the problem.  I have a standard 2048 bit template I use on my homelab network.  Do you know if I reduce the keysize that this might work?

 

shank89
Expert

With the limited export version I don't believe you will have access to SSL features of the LB.

AlexAckerman
Enthusiast

So the solution for me was to not create a L7 Load Balancer, but a L4 TCP one.  This one has no active monitor support, but isn't restricted by the SSL limitations of the Evaluation License available through VMUG Advantage.  I had been thrown off since Harbor and the vSphere with Tanzu web pages came up with SSL certificates.  Looking at their configuration highlighted the way forward for me.

Each of the servers will have to have an SSL certificate for both the server itself and the Load Balanced VIP dns name/ip.  Thank you for the feedback.

It's unfortunate VMware restricts these features on these eval licenses.  For those of us trying to learn the product and follow along with their published architectures, these feature sets are critical.  They don't explain my solution as an alternative in the documentation.

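The certificate requirement in the last post, as an added example that is not part of the original thread: behind an L4 TCP virtual server the client sees each pool member's own certificate, so this check reports which names (member FQDN, VIP DNS name, VIP IP) a member's subjectAltName fails to cover. All hostnames, IPs and certificate contents below are constructed, and the helper names are hypothetical.

```python
import ipaddress

def _dns_match(pattern, host):
    """RFC 6125-style match: '*' may stand in only for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def _is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def covers(cert, name):
    """True if the cert's subjectAltName covers `name` (DNS name or IP literal)."""
    sans = cert.get("subjectAltName", ())
    if _is_ip(name):
        # IP literals match only iPAddress SANs, never DNS or wildcard entries.
        want = ipaddress.ip_address(name)
        return any(k == "IP Address" and ipaddress.ip_address(v) == want
                   for k, v in sans)
    return any(k == "DNS" and _dns_match(v, name) for k, v in sans)

def missing_names(cert, member_fqdn, vip_names):
    """Names a client may use to reach this member that the cert does not cover."""
    return [n for n in [member_fqdn, *vip_names] if not covers(cert, n)]

# Constructed sample data, in the dict shape ssl.SSLSocket.getpeercert() returns.
VIP_NAMES = ["wsa.lab.example", "192.0.2.10"]
GOOD = {"subjectAltName": (("DNS", "wsa01.lab.example"),
                           ("DNS", "wsa.lab.example"),
                           ("IP Address", "192.0.2.10"))}
NODE_ONLY = {"subjectAltName": (("DNS", "wsa01.lab.example"),)}
WILDCARD = {"subjectAltName": (("DNS", "*.lab.example"),)}

if __name__ == "__main__":
    for label, cert in (("good", GOOD), ("node-only", NODE_ONLY), ("wildcard", WILDCARD)):
        print(label, "missing:", missing_names(cert, "wsa01.lab.example", VIP_NAMES))
```

A wildcard entry covers the VIP DNS name but never the VIP IP, which needs its own IP Address SAN if clients connect by address.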