Hi all,
I am configuring PSC HA in a 6.5 environment.
All appliances are at the 6.5 express patch 3 version level. (I copied and replaced the updateSSOConfig.py and UpdateLsEndpoint.py scripts from a GA version of a PSC due to the known issue)
What I have is the following:
vCenter 6.5 connected to an external temporary PSC
2 extra PSCs in the same SSO domain and site as the temporary PSC
(all 3 PSCs are in the same SSO domain and site)
NLB configured in NSX.
I am trying to configure these 2 extra PSCs in a NLB to be able to repoint the vCenter from the temporary PSC to the NLB PSCs.
I have created the certificate and imported it to both extra PSCs.
Then I have successfully run the "python updateSSOConfig.py --lb-fqdn=xxx.xxx.xxx" command on both PSCs.
However, when I run the "python UpdateLsEndpoint.py --lb-fqdn=nlb_fqdn --user=administrator@vsphere.local" command, I get an error message and it doesn't complete correctly.
The endpoints don't update.
The error message is attached.
I see the following in the error message:
Invalid value of command option ´--site´, value:´ ´
That implies to me that the command is expecting a different site-name than the current site-name i.e. the site-name cannot be null?
If I try adding the --site parameter to the command it fails saying that that is not how to run the command correctly.
Has anyone seen this message before or do you know what is happening here?
I tested everything in a lab; however, I used NetScaler in my lab and I only had the 2 PSCs to play with (no vCenter connected to a temp PSC).
Anybody??
Regards
Mark
Hi all,
I eventually raised a case with GSS and they told me that it is not possible to install a PSC HA on 2 PSCs if another PSC already exists in the SSO site.
That implies that it is only possible to install a PSC HA NLB from zero i.e. without NSX.
Also in vSphere 6.5 it is again not possible to repoint a vCenter to another PSC in a different SSO site (it was possible in vSphere 6.0).
So it isn't an option to move the temporary PSC to another site either.
The support rep could not tell me why it is not possible to run the command in my type of environment, nor could he point me to the official KB or a well-known blog that mentions that point either.
Also if you check the official KB for VMware on how to configure a NSX NLB for the PSC HA, there is a small note that says that it is assumed that NSX is already installed and configured.
All this points to the fact that in vSphere 6.5 you cannot deploy a PSC HA, using an NSX NLB, from zero.
It is because of the classic chicken and egg syndrome: You need a vCenter to install the NSX software but you need the PSC HA to install the vCenter and NSX.
That leads me to believe that the only way to get to the ideal configuration (and what VMware officially support) is to use a third party NLB like NetScaler first, install the PSC HA using the 3rd party NLB and then deploy the vCenter by pointing it to the VIP of the 3rd party NLB.
Then when the NSX is deployed, configure the NLB component of NSX with the same information as the 3rd party NLB and then simply turn off the 3rd party NLB leaving just the NSX NLB servicing the PSC HA.
I feel a little bit hard done by because of the lack of documentation regarding this limitation of PSC HA and now I will have to destroy my vCenter and the temporary PSC to be able to run the above mentioned process.
It's worth mentioning also that in the blogs and KBs regarding the configuration of PSC HA with NSX, the key file that you need (to be able to import the certificate into NSX) does not come in the correct format. You need to run the openssl command with the rsa parameter. Here is an example of that command:
openssl rsa -in lb.key -out rsalb.key
I hope that VMware put this limitation in writing so as to not have anyone else fall into the same trap.
Hopefully this helps someone.
Regards
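An added example, not part of the original post or of any VMware KB: a pre-import check for the key conversion mentioned above. It assumes the format the load balancer wants is the traditional PEM form (header "BEGIN RSA PRIVATE KEY"); the function names and the lb.crt file name are hypothetical. On OpenSSL 3.x, "openssl rsa" writes PKCS#8 unless -traditional is given, so the script verifies the output header instead of trusting the command.

```sh
#!/bin/sh
# Added example: check and convert a private key before importing it into a load balancer.
# Assumption: the importer expects the traditional "BEGIN RSA PRIVATE KEY" PEM form.

# Print the PEM container type of the private key file $1.
pem_key_format() {
    if grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        echo "pkcs1"                # traditional RSA form
    elif grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo "pkcs8-encrypted"
    elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo "pkcs8"                # what openssl genpkey/req write by default
    else
        echo "unknown"
    fi
}

# Convert key $1 to traditional RSA PEM at $2; succeed only if the result has that header.
to_traditional_rsa() {
    # OpenSSL 3.x needs -traditional; older releases reject the flag but
    # already write the traditional form, hence the fallback.
    # umask keeps the new private key readable by its owner only.
    ( umask 077
      openssl rsa -traditional -in "$1" -out "$2" 2>/dev/null ||
      openssl rsa -in "$1" -out "$2" 2>/dev/null )
    [ "$(pem_key_format "$2")" = "pkcs1" ]
}

# Succeed only if certificate $1 and private key $2 carry the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh check_lb_key.sh lb.key rsalb.key [lb.crt]
if [ "$#" -ge 2 ]; then
    echo "input format: $(pem_key_format "$1")"
    to_traditional_rsa "$1" "$2" || { echo "conversion failed" >&2; exit 1; }
    echo "output format: $(pem_key_format "$2")"
    if [ -n "$3" ]; then
        cert_matches_key "$3" "$2" || { echo "certificate/key mismatch" >&2; exit 1; }
        echo "certificate matches key"
    fi
fi
```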
Hi all, I just found this old post and wanted to update it as the info that I was originally given was incorrect.
It IS possible to install a PSC HA if other PSCs already exist.
The best method to do what I was looking for at that time would actually be to deploy the first PSC as integrated with the vCenter appliance.
Then deploy the additional PSCs and do the repoint to the PSC HA afterwards.
When you do the repoint, that automatically destroys the embedded PSC in the vCenter.
FYI after a lot of troubleshooting and analysis, I eventually found that my problem existed because the NSX Load balancer had not been configured correctly.
Therefore when I ran the command that goes to the Load balanced IP address of the PSCs, it was not finding the PSC services and hence failing.
When the NSX NLB had been configured correctly, the commands finished without problems.
I hope that helps someone.
Regards
