After you associate a VMware Cloud Director instance with an SDDC in VMware Cloud Director service, you might not be able to perform various tasks.

Problem

After you associate a VMware Cloud Director instance with an SDDC by using VMware Proxy Service, vCenter Server might show as disconnected. Attempts to refresh or reconnect fail with a networking exception, such as SocketTimeoutException.

You cannot open a VM console, or upload and download OVF and OVA files.

You cannot add, edit or delete networking resources, such as network pools, external networks or edge gateways.

When VMware Cloud Director makes API calls to NSX, in the vcd-debug-container.log, you see entries similar to Received Response: 503.

Note: In newer versions of the VMware Cloud Director service proxy client appliance, you can use the diagnose.sh troubleshooting command to diagnose issues with the appliance. See How Do I Troubleshoot the VMware Cloud Director service Proxy Client Appliance. If running the diagnose.sh command results in an error, follow the troubleshooting instructions described below.

Cause

This happens because the VMware Cloud Director instance cannot communicate with vCenter Server, the ESXi hosts, or NSX through VMware Proxy Service.

There are two possible reasons for this.

Either the communication between VMware Cloud Director and VMware Proxy Service fails, or the communication between VMware Cloud Director and the proxy VM that you deployed during the association of the instance with the VMware Cloud on AWS SDDC succeeds, but the connection between the proxy service and vCenter Server or NSX fails.

Prerequisites

  1. In the vCenter Server UI, locate the VMware Reverse Proxy client VM that you deployed when associating the SDDC with the VMware Cloud Director instance. The VM is in the resource pool of the vCenter Server.
  2. Log in to the OS of the reverse proxy client VM as root.

    You can find the password for the root user by navigating to the VM in the vCenter inventory. On the Configure tab, click Settings > vApp Options. The password is visible under root-password.

    Note: To identify all existing issues with the VMware Cloud Director instance connection, you must perform all troubleshooting steps that are listed below.

Solution

  1. To verify that the VM has network connectivity, run the transporter-status.sh command.
    If the VM is connected, the command returns the status as UP, and the status of the command_channel_1 and command_channel_2 as CONNECTED.
  2. Verify that the VMware Reverse Proxy client VM has a valid IPv4 address.
    1. Navigate to the VM in the resource pool of the vCenter Server and check if the VM has a valid IPv4 address.
    2. If the VM does not have a valid IPv4 address, choose one of the following.
      • Click the Networks tab and select a network with a valid DHCP profile.
      • Log in to the OS of the VM and manually assign an IPv4 address to it by running the following commands.
        sudo ifconfig ens160 <IPv4-address> netmask <netmask>
        sudo route add default gw <gateway-address> ens160
  3. Check the connectivity to the URL where the latest images of the VMware Reverse Proxy client VM are stored.
    1. Run a cURL request.
    2. If there is no connection to the URL, check the networking logs and ensure that the VM can communicate with this target.
  4. Check the appliance connectivity to the VMware Proxy Service.
    1. From the OS of the VMware Reverse Proxy client VM, run a cURL request to the VMware Proxy Service.
      curl -v <VMware-Proxy-Service-IP-address>
      You can find the VMware Proxy Service IP address in the vApp properties of the VMware Reverse Proxy client VM by navigating to the VM in the vCenter inventory. On the Configure tab, click Settings > vApp Options. The IP address is available under reverse-proxy-host.
      If the appliance is connected to the proxy service, the command returns a result similar to the following.
      Connected to <VMware-Proxy-Service-IP-address> port 80
    2. If there is no connection, check the networking logs and ensure that the appliance VM can communicate with this target.
  5. Verify that there are no firewall rules or any other networking issues that prevent the VMware Reverse Proxy client VM from pinging vCenter Server, NSX, and ESXi.
    If your allowed targets list includes a CIDR notation and you cannot reach one of the hosts in it, verify that you can ping the specific host. If you are successful, add the host IP address or FQDN to the list as a separate entry.
  6. Verify that the VMware Reverse Proxy client VM is using a valid API token.
    You can find the current API token in the vApp properties of the VMware Reverse Proxy client VM in the vCenter inventory, under csp-token.
    1. Run a POST request to https://console.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize with refresh_token={your-api-token-value} as form-encoded data in the body of the request. No cookies or other headers are required beyond the two shown.
      For example:
      curl --location --request POST 'https://console.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize' \
      --header 'Accept: application/json' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --data-urlencode 'refresh_token=<your-csp-token>'

      If your API token has expired, the request returns an Invalid Token or a 400 Bad Request error. See How Do I Renew the API Token for the VMware Reverse Proxy client VM.

      If your API token is valid, the request returns a response that contains an access token, for example:
      {
        "id_token": "eyJhbGciOiJS.......srRmGX9eYKOKMA",
        "token_type": "bearer",
        "expires_in": 1799,
        "scope": "ALL_PERMISSIONS openid group_ids group_names",
        "access_token": "eyJhbGciOiJSU.........Q6Y9Yohgw",
        "refresh_token": "B4STbh2fYFmjI9ABCv..............XeRniDiO4cBJjF82sWWprZfm7OLHn"
      }

      The relevant part is access_token, which always begins with "ey", and is a JSON Web Token (JWT).

    2. Copy the access_token and paste it into the Encoded section at https://jwt.io/.
    3. Verify that in the payload, context_name contains the organization ID for your VMware Cloud organization, and that the Perms section contains the provider:network role.
      If any of these conditions is not met, renew your API token. See How Do I Renew the API Token for the VMware Reverse Proxy client VM.
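The following script is an added example that is not part of the VMware documentation or of the appliance itself. It automates the checks in steps 3 through 6 from the OS of the VMware Reverse Proxy client VM: TCP reachability of the reverse-proxy host, vCenter Server, NSX and ESXi targets (a TCP connect is used as the reachability test instead of ICMP ping, which is an assumption made here so that no raw-socket privilege is needed), the refresh-token exchange against the CSP authorize endpoint named in step 6, and a local decode of the returned access_token so that the context_name and role checks from step 6.3 can be done on the appliance without pasting a bearer token into a third-party site. The JWT claim name `perms` is assumed from the page's "Perms section"; the host list, ports and organization ID are operator inputs.

```python
"""Connectivity and API-token checks for the VMware Reverse Proxy client VM.

Added example, not VMware code. Assumptions: targets are given as (host, port)
pairs; the access token is a JWT whose payload carries `context_name` and a
`perms` list (claim name assumed from the page's "Perms section").
"""
import base64
import json
import socket
import urllib.parse
import urllib.request

# Endpoint from step 6 of the troubleshooting procedure.
CSP_AUTHORIZE_URL = "https://console.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize"
REQUIRED_PERMISSION = "provider:network"


def tcp_reachable(host, port, timeout=5.0):
    """Steps 3-5 analogue: can the appliance open a TCP connection to host:port?
    Returns False on timeout, refusal or DNS failure instead of raising."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_targets(targets, timeout=5.0):
    """Return {"host:port": bool} for each (host, port) pair in targets."""
    return {"%s:%s" % (h, p): tcp_reachable(h, p, timeout) for h, p in targets}


def exchange_refresh_token(refresh_token, url=CSP_AUTHORIZE_URL, timeout=15):
    """Step 6.1: POST refresh_token=... as form data and return the parsed JSON body.
    Raises urllib.error.HTTPError (for example 400 Bad Request) for an invalid or
    expired token, which is the failure the page describes."""
    body = urllib.parse.urlencode({"refresh_token": refresh_token}).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
    })
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token):
    """Step 6.2 done locally: return the JWT payload (second segment) as a dict.
    The signature is NOT verified; this is inspection only, the same as jwt.io,
    but keeps the bearer token on the appliance."""
    parts = token.split(".")
    if len(parts) != 3 or not token.startswith("ey"):
        raise ValueError("not a JWT: expected three dot-separated base64url segments")
    return json.loads(_b64url_decode(parts[1]))


def check_token_claims(access_token, org_id, required_perm=REQUIRED_PERMISSION):
    """Step 6.3: report whether context_name carries the organization ID and whether
    any entry in perms contains the required role (entries may carry a prefix, so a
    substring match is used)."""
    payload = decode_jwt_payload(access_token)
    perms = payload.get("perms", []) or []
    return {
        "context_name_matches": org_id in str(payload.get("context_name", "")),
        "has_required_perm": any(required_perm in str(p) for p in perms),
        "expires_at": payload.get("exp"),
    }


def make_unsigned_jwt(payload):
    """Build a CONSTRUCTED, unsigned sample token for offline testing only.
    The signature segment is a dummy; real tokens come from exchange_refresh_token()."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s.%s" % (enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "dummysig")


if __name__ == "__main__":
    # Offline demonstration on a constructed token; replace with real inputs on the VM.
    sample = make_unsigned_jwt({"context_name": "org-example-0001",
                                "perms": ["csp:org_member", "external/acme/provider:network"],
                                "exp": 1700000000})
    print(check_token_claims(sample, "org-example-0001"))
    print(check_targets([("127.0.0.1", 1)], timeout=2))
```

On the appliance, call check_targets with the reverse-proxy-host value from the vApp options on port 80 and the vCenter Server, NSX and ESXi addresses on 443, then pass the csp-token value to exchange_refresh_token and the resulting access_token to check_token_claims with your organization ID; a False in either result points at the step on the page that needs attention.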