After you associate a VMware Cloud Director instance with an SDDC in VMware Cloud Director service, you might not be able to perform various tasks.
Problem
After you associate a VMware Cloud Director instance with an SDDC by using VMware Proxy Service, vCenter Server might show as disconnected. When you attempt to refresh or reconnect, the attempt fails with a networking exception, such as SocketTimeoutException.
You cannot open a VM console, or upload and download OVF and OVA files.
You cannot add, edit or delete networking resources, such as network pools, external networks or edge gateways.
When VMware Cloud Director makes API calls to NSX, in the vcd-debug-container.log, you see entries similar to Received Response: 503.
Note: In newer versions of the VMware Cloud Director service proxy client appliance, you can use the diagnose.sh troubleshooting command to diagnose issues with the appliance. See How Do I Troubleshoot the VMware Cloud Director service Proxy Client Appliance. If you attempt to run the diagnose.sh command and that results in an error, follow the troubleshooting instructions that are described below.
Cause
This happens because the VMware Cloud Director instance cannot communicate with vCenter Server, ESXi hosts, or NSX through VMware Proxy Service.
There are two possible reasons for this.
Either the communication between VMware Cloud Director and VMware Proxy Service is unsuccessful, or the communication between VMware Cloud Director and the proxy VM that you deployed during the instance association to the VMware Cloud on AWS SDDC is successful, but the connection between the proxy service and either vCenter Server or NSX fails.
Prerequisites
- Locate the VMware Reverse Proxy client VM that you deployed when performing the association between the SDDC and the VMware Cloud Director instance in the resource pool of the vCenter Server UI.
- Log in to the OS of the reverse proxy client VM as root.
You can find the password for the root user by navigating to the VM in the vCenter inventory. On the Configure tab, click . The password is visible under root-password.
Note: To identify all existing issues with the VMware Cloud Director instance connection, you must perform all troubleshooting steps that are listed below.
Solution
- To verify that the VM has network connectivity, run the transporter-status.sh command.
If the VM is connected, the command returns the status as UP, and the status of the command_channel_1 and command_channel_2 as CONNECTED.
- Verify that the VMware Reverse Proxy client VM has a valid IPv4 address.
- Navigate to the VM in the resource pool of the vCenter Server and check if the VM has a valid IPv4 address.
- If the VM does not have a valid IPv4 address, choose one of the following.
- Check the connectivity to the URL where the latest images of the VMware Reverse Proxy client VM are stored.
- Run a cURL request.
- If there is no connection to the URL, check the networking logs and ensure that the VM can communicate with this target.
- Check the appliance connectivity to the VMware Proxy Service.
- From the OS of the VMware Reverse Proxy client VM, run a cURL request to the VMware Proxy Service.
curl -v <VMware-Proxy-Service-IP-address>
You can find the VMware Proxy Service IP address in the vApp properties of the VMware Reverse Proxy client VM by navigating to the VM in the vCenter inventory. On the Configure tab, click . The IP address is available under reverse-proxy-host.
If the appliance is connected to the proxy service, the command returns a result similar to the following.
Connected to <VMware-Proxy-Service-IP-address> port 80
- If there is no connection, check the networking logs and ensure that the appliance VM can communicate with this target.
- Verify that there are no firewall rules or any other networking issues that prevent the VMware Reverse Proxy client VM from pinging vCenter Server, NSX, and ESXi.
If your allowed targets list includes a CIDR notation and you cannot reach one of the hosts in it, verify that you can ping the specific host. If you are successful, add the host IP address or FQDN to the list as a separate entry.
- Verify that the VMware Reverse Proxy client VM is using a valid API token.
You can find the current API token in the vApp properties of the VMware Reverse Proxy client VM in the vCenter inventory, under csp-token.
- Run a POST request to https://console.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize with refresh_token={your-api-token-value} in the body of the request.
For example:
curl --location --request POST 'https://console.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize' \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'refresh_token=<your-csp-token>'
If your API token has expired, the request returns an Invalid Token or a 400 Bad Request error. See How Do I Renew the API Token for the VMware Reverse Proxy client VM.
If your API token is valid, the request returns a response that contains an access token, for example:
{
"id_token": "eyJhbGciOiJS.......srRmGX9eYKOKMA",
"token_type": "bearer",
"expires_in": 1799,
"scope": "ALL_PERMISSIONS openid group_ids group_names",
"access_token": "eyJhbGciOiJSU.........Q6Y9Yohgw",
"refresh_token": "B4STbh2fYFmjI9ABCv..............XeRniDiO4cBJjF82sWWprZfm7OLHn"
}
The relevant part is access_token, which always begins with "ey", and is a JSON Web Token (JWT).
- Copy the access_token and paste it into the Encoded section at https://jwt.io/.
- Verify that in the payload, context_name contains the organization ID for your VMware Cloud organization, and that the Perms section contains the provider:network role.
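The same two payload checks can be run locally, so the access token never leaves the machine you are working on. This is an added example, not VMware code: the function names, the case-insensitive claim lookup, the assumption that the permissions claim is a list of strings, and the sample token and organization ID are all constructed for illustration. It decodes the payload for inspection only and does not verify the token signature.

```python
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Decode a JWT payload for inspection; the signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    # JWT segments are base64url without padding; restore it before decoding.
    segment = parts[1] + "=" * (-len(parts[1]) % 4)
    payload = json.loads(base64.urlsafe_b64decode(segment))
    if not isinstance(payload, dict):
        raise ValueError("JWT payload is not a JSON object")
    return payload


def check_proxy_token(token: str, org_id: str, role: str = "provider:network") -> list:
    """Return a list of problems; an empty list means both checks pass."""
    # Assumption: claim names are matched case-insensitively, because the
    # page writes "context_name" and "Perms".
    claims = {k.lower(): v for k, v in decode_jwt_payload(token).items()}
    problems = []
    if str(claims.get("context_name")) != org_id:
        problems.append(f"context_name is {claims.get('context_name')!r}, expected {org_id!r}")
    perms = claims.get("perms") or []
    if isinstance(perms, str):
        perms = perms.split()
    if not any(role in str(p) for p in perms):
        problems.append(f"no permission containing {role!r}")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token used only to demonstrate the checks."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2lnbmF0dXJl"])


if __name__ == "__main__":
    org = "00000000-constructed-org-id"  # constructed placeholder, not a real org ID
    sample = make_sample_token({"context_name": org,
                                "perms": ["external/placeholder-service/provider:network"]})
    print(check_proxy_token(sample, org) or "token claims OK")
```

To check a real token, pass the access_token value from the authorize response and your organization ID to check_proxy_token.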