8 Replies Latest reply on Mar 28, 2019 1:56 AM by ashsevenuk80

    Upgrade, redeploy the edge fails

    ashsevenuk80 Novice

      Hi,

       

      I'm trying to upgrade a single standalone edge from 6.2.5 to 6.4.4.

      Hosts, NSX Manager, controllers, even the VCSA and host are all up to date, but the edge will not upgrade.

      Tried moving its resources to another host. Disabled HA for the single edge.

      I have noticed the edge has a different name in the vCenter inventory. I’ve tried to change the name in the inventory, but when you go into the edge it states the old name.

      Let me know if you’ve come across this issue before.

       

      Thank you

        • 1. Re: Upgrade, redeploy the edge fails
          sk84 Expert
          vExpert

          What are the versions of your NSX Manager and NSX Controllers?

           

          And what do you mean by "but the edge will not upgrade"? Is there an error message during the upgrade process? And how do you upgrade? Through the NSX Upgrade Manager or manually?

           

          When upgrading our Edge Gateways from 6.2.x to 6.3.x and from 6.3.x to 6.4.x in the past, we had problems with static routes, SSL VPN and IPSec VPN configurations because some details changed between versions and the upgrade process failed for some edges. But we could see these "misconfigurations" from the error messages during the upgrade. At the end, we had to adjust these configurations and the upgrade process was successful for all edges.

          • 2. Re: Upgrade, redeploy the edge fails
            ashsevenuk80 Novice

            Hi,

             

            So the versions for controllers, VIBs on hosts and NSX Manager are all running 6.4.4. The VCSA has been upgraded to 6.7, including hosts.

             

            Error:[Firewall] invalid grouping object vm-84 the object does not exist or is not available for nsx edge <name>

            other errors

            edge firewall rule modified as vm-84 is no longer available for edge

             

            Current version of the edge is 6.2.5.

            When I try to upgrade or redeploy, it spouts the above error message. I’ve disabled HA and migrated the VM to a different host.

            I have noticed the VM has a different name in the inventory to what it has in NSX. I’ve tried to change the name and migrate the VM after, but that hasn’t changed anything. Still can’t upgrade.

            Is there a way to force an upgrade via command line?

            The edge has one uplink and one internal interface. All connected and functional.

            Can’t see anything in the rules, no vm 84 or reference to this. What if I stop the firewall in the status and then upgrade? Will it still copy all the rules to the redeployed/upgraded edge?

            • 3. Re: Upgrade, redeploy the edge fails
              sk84 Expert
              vExpert

              Okay. So you have a firewall rule with an orphaned object (moRef Id vm-84) in the source or destination field and this error prevents the edge gateway from upgrading. Delete or modify this corresponding firewall rule and the upgrade should work.

               

              To find out which VM has this moRef Id vm-84 you can use the MOB:

              https://YOUR-VCENTER-HOSTNAME-OR-IP/mob/?moid=vm-84

              In the table you should see a property with the name "name". Search for this VM in the firewall rules and update the firewall rule(s).

               

              Maybe this VM was deleted. In that case the MOB query will return nothing except a 404 error.

               

              And as a side note:

               

              Renaming edge gateways outside of NSX is not supported and you shouldn't do that. Migrating edge gateways to different hosts in the same cluster via vMotion is supported and possible. But both things aren't responsible for this error. The error message indicates that an object in the firewall rules is missing and that prevents the upgrade. So, the only way is to clean up your firewall rules.

              1 person found this helpful
              • 4. Re: Upgrade, redeploy the edge fails
                ashsevenuk80 Novice

                Hi,

                 

                first of all, thank you for your help on this.

                I've tried to locate this via the /mob but nothing is found. Is there another way of searching objects by moid? Where in the MOB are all the objects listed? I can do a manual search.

                Is there any other way of finding which object in the firewall it’s referring to?

                • 5. Re: Upgrade, redeploy the edge fails
                  sk84 Expert
                  vExpert

                  You could use the NSX API for that. First, look for the edge Id in the summary tab of the edge gateway.

                   

                  If you've found the edge Id (for example: edge-1), you can query the API to get all firewall rules for this edge gateway (replace "edge-1" with your edge Id):

                  GET https://YOUR-NSX-MANAGER-IP-OR-HOSTNAME/api/4.0/edges/edge-1/firewall/config

                  In the response body you can search for the string "vm-84" and you should find a rule with a rule tag.

                   

                  For example:

                  ...
                          <firewallRule>
                              <id>143400</id>
                              <ruleTag>143400</ruleTag>
                              <name> </name>
                              <ruleType>user</ruleType>
                              <enabled>true</enabled>
                              <loggingEnabled>false</loggingEnabled>
                              <description></description>
                              <matchTranslated>false</matchTranslated>
                              <action>accept</action>
                              <source>
                                  <exclude>false</exclude>
                                  <groupingObjectId>ipset-103</groupingObjectId>
                              </source>
                              <destination>
                                  <exclude>false</exclude>
                                  <groupingObjectId>vm-118462</groupingObjectId>
                                  <groupingObjectId>vm-118463</groupingObjectId>
                              </destination>
                              <application>
                                  <applicationId>application-57</applicationId>
                                  <applicationId>application-53</applicationId>
                              </application>
                          </firewallRule>
                  ...

                   

                  If you have the rule tag, you can enable the "Rule Tag" column in the firewall section of the edge Gateway:

                  [Screenshot: ruletag.png]

                   

                  Look for the rule tag which you've found via the API call and change or delete this rule.

                  1 person found this helpful
                  • 6. Re: Upgrade, redeploy the edge fails
                    ashsevenuk80 Novice

                    Hi,

                     

                    Does the API feature need to be enabled? Getting error: http status 403 forbidden

                    Does the REST API need installing?

                    Once again, thank you for your help.

                    Also, for those that are reading this, an alternative method of finding the VM in /MOB:

                    VMware Knowledge Base

                    This will list all the VMs, hosts, etc.

                    • 7. Re: Upgrade, redeploy the edge fails
                      sk84 Expert
                      vExpert

                      The REST API of the NSX Manager is enabled by default. But you need a REST client to access it and authenticate yourself. Examples of some common REST clients are Postman or curl.

                       

                      There are also a lot of articles out there that describe how to access and use the NSX API.

                       

                      For example:

                      Getting Started With NSX REST API

                       

                      "Also, for those that are reading this, an alternative method of finding the VM in /MOB"

                      The problem is, if the VM was deleted or unregistered, you won't find it through the MOB anymore. The MOB only has a current image of the vSphere environment and no historical data.
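
The API lookup from reply 5, done with an authenticated client as reply 7 describes, as an added example that is not part of the original posts or of any VMware tooling. It assumes HTTP basic authentication against NSX Manager; the function names, the `ca_file` parameter and the sample XML are constructed for illustration. It matches the object id exactly, so a search for vm-84 does not also hit vm-840 the way a plain text search of the response body would.

```python
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

def fetch_firewall_config(manager, edge_id, user, password, ca_file=None):
    """GET the edge firewall config (XML) from NSX Manager.
    Assumption: the manager accepts HTTP basic authentication."""
    url = f"https://{manager}/api/4.0/edges/{edge_id}/firewall/config"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    # Verify the manager's certificate; pass its CA bundle if it is privately signed.
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")

def rules_referencing(config_xml, object_id):
    """Return (ruleTag, name, fields) for every rule whose source or
    destination lists exactly object_id as a groupingObjectId."""
    hits = []
    for rule in ET.fromstring(config_xml).iter("firewallRule"):
        fields = [side for side in ("source", "destination")
                  if any(g.text and g.text.strip() == object_id
                         for g in rule.findall(f"{side}/groupingObjectId"))]
        if fields:
            name = (rule.findtext("name") or "").strip()
            hits.append((rule.findtext("ruleTag"), name, fields))
    return hits

# Constructed sample response (not from a real system), shaped like the
# excerpt in reply 5; the wrapper element names are an assumption.
SAMPLE = """<firewall><firewallRules>
  <firewallRule><id>143400</id><ruleTag>143400</ruleTag><name>web</name>
    <source><groupingObjectId>ipset-103</groupingObjectId></source>
    <destination><groupingObjectId>vm-118462</groupingObjectId></destination>
  </firewallRule>
  <firewallRule><id>143401</id><ruleTag>143401</ruleTag><name>legacy</name>
    <source><groupingObjectId>vm-84</groupingObjectId></source>
    <destination><groupingObjectId>vm-840</groupingObjectId></destination>
  </firewallRule>
</firewallRules></firewall>"""

if __name__ == "__main__":
    for tag, name, fields in rules_referencing(SAMPLE, "vm-84"):
        print(f"rule tag {tag} ({name!r}) references vm-84 in {', '.join(fields)}")
```

Against a live manager, pass the string returned by `fetch_firewall_config(...)` to `rules_referencing(...)` and look up the reported rule tags in the edge's firewall tab.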

                      • 8. Re: Upgrade, redeploy the edge fails
                        ashsevenuk80 Novice

                        Hi,

                         

                        Managed to find the object that was causing a conflict in the firewall rules. Thank you for all your help.

                        The link I sent in my last email was just an alternative, but you’re right, if that object isn’t there then you'll get nothing. I found it useful as I tried to search other objects but without success.

                         

                        Once again. Thanks