This post is part of my VMware VCIX-NV Study Guide and covers troubleshooting common installation and configuration issues.
- Troubleshoot port assignments in an NSX implementation
- Troubleshoot lookup service configuration
- Troubleshoot vCenter Server integration
- Troubleshoot licensing issues
- Troubleshoot permissions issues
- Troubleshoot host preparation issues
- Troubleshoot IP pool issues
Troubleshooting NSX installation
The order of operations in an NSX installation is important. If you skip a step or forget to fulfil a prerequisite, you will have issues completing the installation in peaceful harmony. This page lists some of the most common issues you can run into and methods to troubleshoot them.
I’m not exactly sure what they mean by port assignments. It can be several things: network ports for communication between the NSX Manager and the vSphere platform, virtual machine vNIC or edge gateway port assignments to logical switches, VXLAN network ports on the ESXi hosts, or even service port assignments in the distributed firewall.
Being pretty sure these topics are covered in other troubleshooting topics, I’m not defining them here.
VMware Documentation: Unable to Configure Lookup Service
The Lookup Service is an optional configuration for the NSX installation and allows you to configure group-based authentication within the NSX Manager. Things to check when you’re unable to configure the Lookup Service (or SSO):
- Time settings. As with Active Directory, time is an important thing to have down when using the lookup service. Make sure the lookup service and NSX Manager are in the same timezone and have the same time. Also configure NTP servers on both components.
- DNS is another important service to get right. Make sure all components have a valid forward and reverse record.
- If there’s a firewall between the NSX Manager and the Lookup Service server, make sure TCP port 7444 is allowed.
- Lastly, make sure you’re using an admin user (preferably firstname.lastname@example.org)
Figure: Lookup Service DNS issues
VMware Documentation: Unable to Configure vCenter Server
The vCenter integration is crucial. Without registering a vCenter within the NSX Manager, you will not be able to use the NSX features in your virtual environment. This vCenter mapping is currently a one-to-one relationship, which means you can only register one vCenter with one NSX Manager. Fortunately, there are not many things that can go wrong when registering a vCenter to the NSX Manager.
A few things to check:
- IP reachability. Make sure NSX Manager and vCenter can reach each other through the network. Preferably put them in the same subnet so there’s no firewall in between. If you for some reason require a firewall between the vCenter server and NSX Manager, make sure the right ports are allowed. Required ports are listed below in a table.
- DNS settings. The entire vSphere suite and NSX rely heavily on DNS. Get this one right.
- Authentication to vCenter. When registering vCenter, you need to enter credentials to log in with. Make sure these are credentials with administrator privileges.
- Time settings. Make sure the NSX Manager and the vCenter are in sync when it comes to the time. Use an NTP server on both to make sure.
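The DNS and reachability checks from the Lookup Service and vCenter lists above can be scripted from an admin workstation. The following is an added example, not code from this study guide or from VMware; the host names, the 192.0.2.x addresses and the `table_resolver` helper are constructed for illustration, and only port 7444 comes from this page.

```python
import socket

LOOKUP_SERVICE_PORT = 7444  # TCP port from the Lookup Service checklist


def table_resolver(table):
    """Resolver backed by a dict, failing like real DNS (OSError) on a miss."""
    def lookup(key):
        if key not in table:
            raise OSError(f"{key} not found")
        return table[key]
    return lookup


def dns_round_trip(hostname, forward=None, reverse=None):
    """Return problems found resolving hostname forward and back again."""
    # Default to the system resolver (IPv4 only); pass table_resolver to test.
    forward = forward or (lambda h: socket.gethostbyname_ex(h)[2])
    reverse = reverse or (lambda ip: socket.gethostbyaddr(ip)[0])
    try:
        addresses = forward(hostname)
    except OSError as exc:
        return [f"no forward record for {hostname}: {exc}"]
    problems = []
    for ip in addresses:
        try:
            ptr = reverse(ip)
        except OSError as exc:
            problems.append(f"no reverse record for {ip}: {exc}")
            continue
        # The PTR must point back at the name that was registered.
        if ptr.rstrip(".").lower() != hostname.rstrip(".").lower():
            problems.append(f"{ip} reverses to {ptr}, expected {hostname}")
    return problems


def tcp_reachable(host, port=LOOKUP_SERVICE_PORT, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed records: vc01 has a PTR that points at a different name.
    a = table_resolver({"sso01.lab.example": ["192.0.2.10"],
                        "vc01.lab.example": ["192.0.2.20"]})
    ptr = table_resolver({"192.0.2.10": "sso01.lab.example",
                          "192.0.2.20": "vcenter.lab.example"})
    for name in ("sso01.lab.example", "vc01.lab.example"):
        print(name, dns_round_trip(name, a, ptr) or "DNS OK")
```

Called without resolvers, `dns_round_trip` uses the workstation's own DNS; for the vCenter firewall check, pass `tcp_reachable` the port taken from VMware's port table instead of the default.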
Network ports required for NSX Manager communication:
VMware Documentation: Install and Assign NSX for vSphere License
Some tips to troubleshoot licensing issues:
- Have a look at the License Reporting module in the vSphere Web Client. It needs to be installed and linked to your vCenter server to have any use. Find the reporting module in: Home – Licensing.
- Navigate to “Networking & Security” and select the “Service Composer” menu.
- Make sure the “NSX for vSphere” license is assigned to NSX under the “Solutions” tab of the licensing module in vCenter.
- Make sure the ESXi and vCenter servers are properly licensed.
VMware Documentation: User Management
Troubleshooting permissions issues
- Make sure the user has the proper role. There are four roles:
  - Auditor: This role can view settings, events and reports. A read-only role.
  - Security Administrator: The Security Administrator can manage all security related settings, such as the firewall services, NAT, SpoofGuard, Security Groups, etc.
  - NSX Administrator: This role can deploy and configure NSX Edges, Logical Switches, etc.
  - Enterprise Administrator: This role can do anything within NSX.
- Make sure the user has the proper scope. There are 2 scopes:
  - No restriction: Access to all of NSX.
  - Limit access: Only access to a certain Edge gateway.
- Check which groups the user is a member of. Users can inherit permissions from groups, as you can grant a group permissions. If the user has a direct role, this will override any group permissions the user already has.
VMware Documentation: Prepare Clusters for Network Virtualization
The proper preparation of your ESXi hosts is crucial to a working environment. If any host has issues with its NSX or distributed firewall VIB installation, or its VXLAN configuration, your virtual network will have a black hole or work intermittently.
Troubleshooting host preparation
- Check whether all ESXi hosts in your cluster are properly prepared: Networking & Security – Installation – Host Preparation. All hosts should be marked as “Ready”. If any or all ESXi hosts are “Not Ready” – use the “Resolve” action to start resolving the installation issues.
- Check VXLAN configuration on ESXi hosts. Under the Installation – Host Preparation tab, check the VXLAN column. All ESXi hosts should report the status of “Enabled”. If any or all hosts are not reporting “Enabled” resolve the issues with the “Resolve” action.
- Check the VXLAN configuration in the network configuration of the ESXi hosts. Browse to the ESXi host configuration Network tab and check for a VMkernel port configured inside the vxlan TCP/IP stack. If not present, resynchronise the VXLAN configuration from the Installation page in Networking & Security.
- If the VXLAN configuration cannot be completed, check for enough free IP addresses in the IP Pool used for the VXLAN network.
Figures: VXLAN Resynchronisation, VXLAN Network
Figure: Host Preparation Status
VMware Documentation: Create an IP Pool
IP Pools can be used for VXLAN network deployment. When you’re adding new ESXi hosts to a cluster, IP Pools can become an issue in getting those new ESXi hosts to partake in the NSX networking.
- Make sure the IP Pool has the proper settings: network netmask, default gateway and size.
- Check whether the IP Pool has enough IP addresses available.
- If the IP Pool has no IP addresses available for expansion, edit the IP Pool to create a larger pool of available IP addresses.
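The IP Pool checks above, and the free-address check from the host preparation list, can be run on paper before adding hosts. This is an added example, not part of the original guide or of NSX: the `check_ip_pool` function, its sanity rules and the 192.0.2.0/27 sample values are constructed for illustration and assume an IPv4 pool.

```python
import ipaddress


def check_ip_pool(cidr, gateway, first, last, allocated, needed):
    """Return a list of problems with a VXLAN IP pool definition.

    cidr        -- pool network with prefix length, e.g. "192.0.2.0/27"
    gateway     -- default gateway configured on the pool
    first, last -- start and end of the pool's address range
    allocated   -- addresses already handed out from the pool
    needed      -- addresses the new ESXi hosts will request
    """
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits in cidr
    gw, lo, hi = (ipaddress.ip_address(a) for a in (gateway, first, last))
    if lo > hi:
        return [f"range start {lo} is above range end {hi}"]

    problems = []
    # Netmask check: gateway and range must all sit inside the pool network.
    for label, addr in (("gateway", gw), ("range start", lo), ("range end", hi)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
    # Handing the gateway's own address to a host would cause a conflict.
    if lo <= gw <= hi:
        problems.append(f"gateway {gw} lies inside the pool range")

    # Size check: addresses in the range minus those already in use.
    size = int(hi) - int(lo) + 1
    used = {ipaddress.ip_address(a) for a in allocated}
    free = size - sum(1 for a in used if lo <= a <= hi)
    if free < needed:
        problems.append(f"pool has {free} free of {size}, {needed} needed")
    return problems


if __name__ == "__main__":
    # Constructed sample: a 4-address pool with 3 in use, 2 new hosts coming.
    in_use = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    print(check_ip_pool("192.0.2.0/27", "192.0.2.1",
                        "192.0.2.10", "192.0.2.13", in_use, needed=2))
    # Same pool after widening the range as the last step above suggests.
    print(check_ip_pool("192.0.2.0/27", "192.0.2.1",
                        "192.0.2.10", "192.0.2.20", in_use, needed=2))
```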