A connection between the NSX Manager and the vCenter Server allows NSX Manager to use the vSphere API to perform functions such as deploying service VMs, preparing hosts, and creating logical switch port groups. The connection process installs a web client plug-in for NSX on the Web Client Server.

For the connection to work, you must have DNS and NTP configured on NSX Manager, vCenter Server, and the ESXi hosts. If you added ESXi hosts by name to the vSphere inventory, ensure that DNS servers have been configured on the NSX Manager and name resolution is working. Otherwise, NSX Manager cannot resolve the IP addresses. The NTP server must be specified so that the SSO server time and NSX Manager time are in sync. On NSX Manager, the drift file at /etc/ntp.drift is included in the Tech Support bundle for NSX Manager.

The account you use to connect NSX Manager to vCenter Server must have the vCenter role "Administrator." Having the "Administrator" role enables NSX Manager to register itself with the Security Token Service server. When a particular user account is used to connect NSX Manager to vCenter, an "Enterprise Administrator" role for the user is also created on NSX Manager.

Common Issues Related to Connecting NSX Manager to vCenter Server

  • DNS incorrectly configured on NSX Manager, vCenter Server, or an ESXi host.

  • NTP incorrectly configured on NSX Manager, vCenter Server, or an ESXi host.

  • User account without vCenter role of Administrator used to connect NSX Manager to vCenter.

  • Network connectivity issues between NSX Manager and vCenter Server.

  • User logging into vCenter with an account that does not have a role on NSX Manager.

You need to initially log in to vCenter with the account you used to link NSX Manager to vCenter Server. Then you can create additional users with roles on NSX Manager using Home > Networking & Security > NSX Managers > {IP of NSX Manager} > Manage > Users.

The first login can take up to 4 minutes while vCenter loads and deploys NSX UI bundles.

Verify Connectivity from NSX Manager to vCenter Server

  • Log in to the NSX Manager CLI console.

  • To verify connectivity, view the ARP and routing tables.

nsxmgr# show arp
IP address       HW type     Flags     HW address            Mask     Device
192.168.110.31   0x1         0x2       00:50:56:ae:ab:01     *        mgmt
192.168.110.2    0x1         0x2       00:50:56:01:20:a5     *        mgmt
192.168.110.1    0x1         0x2       00:50:56:01:20:a5     *        mgmt
192.168.110.33   0x1         0x2       00:50:56:ae:4f:7c     *        mgmt
192.168.110.32   0x1         0x2       00:50:56:ae:50:bf     *        mgmt
192.168.110.10   0x1         0x2       00:50:56:03:19:4e     *        mgmt
192.168.110.51   0x1         0x2       00:50:56:03:30:2a     *        mgmt
192.168.110.22   0x1         0x2       00:50:56:01:21:f9     *        mgmt
192.168.110.55   0x1         0x2       00:50:56:01:23:21     *        mgmt
192.168.110.26   0x1         0x2       00:50:56:01:21:ef     *        mgmt
192.168.110.54   0x1         0x2       00:50:56:01:22:ef     *        mgmt
192.168.110.52   0x1         0x2       00:50:56:03:30:16     *        mgmt

nsxmgr# show ip route
Codes: K - kernel route, C - connected, S - static,
       > - selected route, * - FIB route

S>* 0.0.0.0/0 [1/0] via 192.168.110.1, mgmt
C>* 192.168.110.0/24 is directly connected, mgmt

  • Look for errors in the NSX Manager log to indicate the reason for not connecting to vCenter Server. The command to view the log is show log manager follow.

  • Run the command: debug connection IP_of_ESXi_or_VC, and examine the output.

Perform Packet Capture on NSX Manager to View Connections

Use the debug packet command: debug packet [capture|display] interface interface filter

The interface name on NSX Manager is mgmt.

The filter syntax follows this form: "port_80_or_port_443"

The command runs in privileged mode only. To enter privileged mode, run the enable command and provide the admin password.

Packet capture example:

nsxmgr# en
nsxmgr# debug packet display interface mgmt port_80_or_port_443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on mgmt, link-type EN10MB (Ethernet), capture size 262144 bytes
23:40:25.321085 IP 192.168.210.15.54688 > 192.168.210.22.443: Flags [P.], seq 2645022162:2645022199, ack 2668322748, win 244, options [nop,nop,TS val 1447550948 ecr 365097421], length 37
...

Verify Network Configuration on NSX Manager

The show running-config command shows the basic configuration of the management interface, NTP, and default route settings.

nsxmgr# show running-config
Building configuration...

Current configuration:
!
ntp server 192.168.110.1
!
ip name server 192.168.110.10
!
hostname nsxmgr
!
interface mgmt
 ip address 192.168.110.15/24
!
ip route 0.0.0.0/0 192.168.110.1
!
web-manager
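
The prerequisites listed on this page (NTP, DNS, a usable default route) can be checked mechanically from saved show running-config output. The following is an added example, not VMware code: the function names are hypothetical, the sample is the relevant lines of the output shown above, and the vCenter address in the usage line is a constructed value.

```python
import ipaddress
import re

# Relevant lines of the "show running-config" output shown on this page.
SAMPLE_CONFIG = """\
ntp server 192.168.110.1
!
ip name server 192.168.110.10
!
interface mgmt
 ip address 192.168.110.15/24
!
ip route 0.0.0.0/0 192.168.110.1
"""

def parse_config(text):
    """Extract NTP servers, DNS servers, mgmt address and default gateway."""
    cfg = {"ntp": [], "dns": [], "mgmt": None, "gateway": None}
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"ntp server (\S+)", line):
            cfg["ntp"].append(m.group(1))
        elif m := re.fullmatch(r"ip name server (\S+)", line):
            cfg["dns"].append(m.group(1))
        elif m := re.fullmatch(r"ip address (\S+)", line):
            cfg["mgmt"] = ipaddress.ip_interface(m.group(1))
        elif m := re.fullmatch(r"ip route 0\.0\.0\.0/0 (\S+)", line):
            cfg["gateway"] = ipaddress.ip_address(m.group(1))
    return cfg

def check_config(text, vcenter_ip=None):
    """Return a list of findings; an empty list means the basics are present."""
    cfg, problems = parse_config(text), []
    for key, name in (("ntp", "NTP"), ("dns", "DNS")):
        if not cfg[key]:
            problems.append(f"no {name} server configured")
    if cfg["mgmt"] is None:
        problems.append("mgmt interface has no IP address")
        return problems
    net = cfg["mgmt"].network
    if cfg["gateway"] is None:
        # Without a default route only on-link peers are reachable.
        if vcenter_ip and ipaddress.ip_address(vcenter_ip) not in net:
            problems.append("vCenter is off-subnet and no default route is set")
    elif cfg["gateway"] not in net:
        problems.append("default gateway is outside the mgmt subnet")
    return problems

if __name__ == "__main__":
    # 10.20.30.40 is a constructed vCenter address (assumption).
    print(check_config(SAMPLE_CONFIG, "10.20.30.40") or "OK")
```

A missing NTP entry matters for more than housekeeping: the page notes that SSO server time and NSX Manager time must be in sync, so an empty findings list here is a precondition for registration, not proof that it will succeed.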

NSX Manager Certificates

NSX Manager supports two ways to generate certificates.

  • NSX Manager generated CSR: Limited functionality due to basic CSR

  • PKCS#12: This is recommended for production

There is a known issue in which the CMS silently fails to make API calls.

This happens when the certificate issuer is not known to the caller because it is an untrusted root certificate authority or the certificate is self-signed. To resolve this issue, use a browser to navigate to the NSX Manager IP address or hostname and accept the certificate.