All Topics

Hello sir, I have a question about NSX backup. I configured an SFTP server and it seems good, but I got an error when the automatic backup is running. As you can see in the screenshot, the node backup is OK but the cluster backup failed. But if I click the button (Start Backup), the node and cluster backups are always OK, so I think this isn't a problem of the SFTP server. Could you give me advice on this issue? Regards
After upgrading from v3.2.2 to v4.1.2, I see lots of warnings about expired self-signed certs issued to internal services such as ar, ccp, mp, monitoring, cluster-manager, and idps-reporting.  There are three warnings for each service, one for each node.  Looks like they expired a year ago, but are just now throwing warnings.  Are these legacy certs that aren't needed after the upgrade?  Can they be safely deleted? NSX is working fine even with all the expired certs.
Hi, I have a question about logs in VMware Aria Operations for Logs. What does each field mean in these event logs? (Refer to the attached image file.) Are there any links or guides for reference?
Hi, When I checked vRealize Log Insight, I found that some logs have the same source ports and some logs have different source ports from each other. What's the difference between the following cases?
--------------------------------------------------------------------------------------
    2023. 11. 6. 10:15:9.659 FIREWALL-PKTLOG: INET match PASS 9642 OUT 52 TCP 00.00.43.72/5614->00.00.145.11/343 S
    2023. 11. 6. 10:15:9.106 FIREWALL-PKTLOG: INET match PASS 9642 OUT 52 TCP 00.00.43.72/5614->00.00.145.11/343 S
    2023. 11. 6. 10:15:8.602 FIREWALL-PKTLOG: INET match PASS 9642 OUT 52 TCP 00.00.43.72/5614->00.00.145.11/343 S
    2023. 11. 6. 10:15:42.055 FIREWALL-PKTLOG: INET TERM PASS 9642 OUT TCP RST 00.00.43.72/5616->00.00.145.11/343 1/1 52/40
    2023. 11. 6. 10:15:33.077 FIREWALL-PKTLOG: INET TERM PASS 9642 OUT TCP RST 00.00.43.72/5615->00.00.145.11/343 1/1 52/40
    2023. 11. 6. 10:15:32.065 FIREWALL-PKTLOG: INET TERM PASS 9642 OUT TCP RST 00.00.43.72/5614->00.00.145.11/343 1/1 52/40
    2023. 11. 6. 10:15:32.065 FIREWALL-PKTLOG: INET TERM PASS 9642 OUT TCP RST 00.00.43.72/5613->00.00.145.11/343 1/1 52/40
Hello.  We have an NSX-T environment in which we are trying to determine source of broadcast traffic from IP 250.250.254.254.  The traffic is captured between two ESXi hosts that have NSX-T edge nodes installed.   We have three edge nodes installed in a cluster.  Looking at the attached screenshot, the traffic is traversing via a Geneve tunnel between the two NSX-T edge nodes.   Could the traffic from 250.250.254.254 be a heartbeat message between the NSX-T edge nodes?  Looking at the timestamps in the attached screenshot, there is quite a bit of traffic from 250.250.254.254.  Thanks in advance for any comments and insight.  
Hi All, We recently faced a storage failure in one of our secondary sites, which resulted in the NSX edge node being completely deleted (the edge VMs no longer exist). As a result we had to redeploy the edge node and reconfigure NSX on the hosts. For the task, we removed the previously used T1 and T0 and were trying to remove the failed Edge nodes, but when we initiated the edge node deletion, it could not be deleted and the status is set to Deletion Failed. We did try the KB https://kb.vmware.com/s/article/89283 but the API call does not do anything; the failed Edge nodes still exist. I will be very grateful for any suggestions. NSX-T Version:  4.1.0.2.0.21761691 Thank You.
Hello team, I'm currently facing an issue during the NAPP deployment using the automation appliance. The deployment process appears to be stuck with the message "TKGs status is configuring, please wait." In the course of troubleshooting, I also identified an error message in the vCenter logs, which reads as follows: "Resource Type Deployment, Identifier vmware-system-netop/vmware-system-netop-controller-manager is not found." If any of you have experience with a similar problem or have suggestions for how to address this error, please do not hesitate to share your thoughts.
I just successfully upgraded 5 instances of NSX 3.2.2 to 4.1.2 (using VMware-NSX-upgrade-bundle-4.1.2.0.0.22589037.mub). In the Appliances view of all five instances, the cluster is showing as orange "unavailable". But the manager cluster is fine. A "get cluster status" shows the cluster as Stable and all manager nodes participating and "Up". The cluster VIP is working fine as well. I rebooted each manager node, but still no change. It's just the UI that is reporting it as "unavailable". I also used different web browsers. Is this a bug in 4.1.2?
Hi Team, Physical uplink ECMP up to 8 ways (towards 8 different uplinks). Each SR supports ECMP up to 8 paths (8 different next hops). That means we can have 1 edge cluster = SR (8 next hops) * 8 = total 64 paths supported. Is my understanding correct? Regards, Miltan
I started evaluating the Avi/NSX ALB product a short while ago and am trying to automate the creation of some of the objects. When using the macro API to create a virtual service I cannot get past the "Input object does not have model_name field" error. How this works is pretty confusing. First I created a new virtual service using the UI and captured the query using the browser's developer mode. Afterwards I used curl to make a request, for which I copied the payload 1:1 from what was captured earlier. The error "Input object does not have model_name field" accompanying an HTTP error 400 was returned. I've checked the payload; the model_name field was actually missing. Instead the "uri_path":"/api/virtualservice" was present. Manually adding the "model_name": "VirtualService" field to the payload did not resolve the error. Using the example provided in MACRO API (avinetworks.com) also results in the error mentioned above. Am I doing something wrong here? How does the query work when executed using the UI without the model_name field? Overall, the REST API makes a pretty janky first impression. I've noticed a similar problem when creating a new server pool. Copied the payload from browser dev mode, query returns an error 400 with the reason being that it is not able to interpret the health monitor field...
Hi everyone, Let's say we have a single converged VDS with a single VTEP. We create two separate T0 and T1 routers: T0-a, T1-a and T0-b, T1-b. Can we do that? Or do we need two converged VDSes with their VTEPs, one VDS for T0-a, T1-a and the other VDS for T0-b, T1-b? Much appreciated!!
Good evening, I've got an NSX Environment running on 4.1 (upgraded from 3.0 over the last year) and I wanted to take a look at NSX Federation and therefore deployed the global manager and added my local manager to the Location Manager. Since I had Identity Based Rules, Bridges and vRNI Data Collection active, the GM told me that these need to be removed, which I successfully did. Now I'm sitting on the last message and don't know where to start so that I can finally import the local manager data. The error I have in the GUI is: Unable to import due to these unsupported features: Multi Overlay Transport Zone.   gmanager.log says: errors=[com.vmware.nsx.management.gm.onboarding.exceptions.ConfigOnboardingException: Entity MULTI_OVERLAY_TZ_USE_COUNT at site HZ is not supported for configuration import on GM. Please delete entity MULTI_OVERLAY_TZ_USE_COUNT from the site HZ and try again. From what I've found with Google, "Multi Overlay TZ Use" refers to having multiple Overlay Transport Zones on 1 Host Switch either within the Transport Nodes or Edges. But all my Host Transport Nodes and Edges have only 1 Overlay Transport Zone for the Segments and 1 VLAN Transport Zone for Edge-Uplinks included (Single Subnet vTEP). Edge-Node:   ESXi-Host Transport Node Profile:     So that each Location has its own set of Overlay and VLAN TZs, which should be fine I guess. Unfortunately I can't find any information either on the Local Manager or on the Global Manager on how to delete that MULTI_OVERLAY_TZ_USE_COUNT entity. Could you help me find that? Or do I need to actually separate the Overlay Transport Zone and VLAN Transport Zone into separate Switches? (Edge is using the VLAN Segments on the NSX activated ESXi-Hosts)   Thanks and best regards!
Hi, As per the documentation it seems like it is possible to add a port range for translated ports when creating an NSX NAT rule; however, on doing so, it seems to fail. Any help understanding what I may be doing wrong in the configuration would be greatly appreciated. Thanks!
Starting with NSX version 4.1, many more certificates are visible in NSX. Those certificates have always been present on the platform, even in previous versions, but it was impossible to lifecycle them. This document will help the reader understand the purpose of all the certificates that are part of the NSX platform. It will provide examples covering common certificate-related tasks an NSX administrator may tackle while administering NSX. To make these examples reproducible, they are presented in the form of bash scripts. We opted to use bash for maximum portability. The scripts mainly use curl to perform API calls to the NSX API and use jq to process the returned JSON data structures. You must install jq on your system to run the sample scripts. You can use your system package manager (e.g., apt or Homebrew). The scripts are provided for educational purposes only. You should perform your own validation before using them on production systems. The current doc applies to NSX version 4.1.1 and later. Note: copying and pasting from the PDF doc will lead to formatting errors. All the scripts are available on GitHub for easy copy and paste: https://github.com/vmware-nsx/nsx_certificates_cookbook Author: NSX Product Team
Anyone aware of any PowerCLI module or script to export NSXT DFW rules in CSV format? Appreciate any input.
I've recently implemented VMware NSX in our data center for micro-segmentation and network virtualization, and I'm encountering an issue with the Distributed Firewall. I've defined a set of firewall rules to control traffic between virtual machines, but it seems like some of these rules are not applying as expected. The traffic is not being blocked or allowed as per my rule set. Here are some details: All ESXi hosts are properly prepared with NSX, and the NSX Manager reports no errors. The logical switches, routers, and Distributed Firewall have been correctly configured. I've double-checked the rule set to ensure it's correct, and it includes the appropriate sources, destinations, and services. There are no conflicting security groups or rules. Can someone help me troubleshoot this issue? How can I go about diagnosing why some of the Distributed Firewall rules are not applying as intended? Any insights or suggestions would be greatly appreciated!
Yes, I'm talking about NSX-v, version 6.4.x. Currently I don't see a way to list all the typed-in command-line records from basic/privilege/configuration mode; it seemed that using the up and down arrow keys would be the fastest solution. The "show log" command (such as "show log appmgmt follow") didn't help. It only shows something that looks like services' status. Does anyone know?
Hi,  I am trying to set up some email alerting on my ALB appliances.  I have created some custom alert configs,  that trip when a pool member down event occurs.  The alert works fine,  but it takes around 2 minutes for it to show up under "all alerts" once it shows up under there then I get an email pretty quickly.  I need these alerts to be "real time" not 2 minutes after they occur.  Any ideas/thoughts on what I have misconfigured?   Thank you, Tony
Hi guys, Does anybody know how security policies sorting works (via REST API)? Through the UI we can easily change the order of the policies; however, through the API we have the sequence number mechanism to handle that. After some tests using the REST API, I'm facing an odd behavior: 1. We have created a policy several times, using the same sequence number. 2. On both UI and REST API, the policy appears in a different order from run to run. Expected behavior: From run to run, we are expecting to have the policy in the same position (assuming that no other policies were added/updated/removed). We would like to know what the criteria are for ordering security policies with the same sequence number. Is there any possibility to change that behavior? Thanks. Regards.
Hello, I have an ESXi host with a public IP address, and it is connected to the vCenter via the public IP address. Given that I am unable to move the ESXi into a private network, I'm considering using VMware NSX DFW to enhance its security against ransomware. Would this solution suffice? Regards,