A connection between the NSX Manager and the vCenter Server allows NSX Manager to use the vSphere API to perform functions such as deploy service VMs, prepare hosts, and create logical switch port groups. The connection process installs a web client plug-in for NSX on the Web Client Server.
For the connection to work, you must have DNS and NTP configured on NSX Manager, vCenter Server and the ESXi hosts. If you added ESXi hosts by name to the vSphere inventory, ensure that DNS servers have been configured on the NSX Manager and name resolution is working. Otherwise, NSX Manager cannot resolve the IP addresses. The NTP server must be specified so that the SSO server time and NSX Manager time are in sync. On NSX Manager, the drift file at /etc/ntp.drift is included in the tech Support bundle for NSX Manager.
The account you use to connect NSX Manager to vCenter Server must have the vCenter role "Administrator." Having the "Administrator" role enables NSX Manager to register itself with the Security Token Service server. When a particular user account is used to connect NSX Manager to vCenter, an “Enterprise Administrator" role for the user is also created on NSX Manager.
Common Issues Related to Connecting NSX Manager to vCenter Server
DNS incorrectly configured on NSX Manager, vCenter Server, or an ESXi host.
NTP incorrectly configured on NSX Manager, vCenter Server, or an ESXi host.
User account without vCenter role of Administrator used to connect NSX Manager to vCenter.
Network connectivity issues between NSX Manager and vCenter server.
User logging into vCenter with an account that does not have a role on NSX Manager.
You need to initially log into vCenter with the account you used to link NSX Manager to vCenter Server. Then you can create additional users with roles on NSX Manager by navigating to the tab.
The first login can take up to 4 minutes while vCenter loads and deploys NSX UI bundles.
Verify Connectivity from NSX Manager to vCenter Server
Log in to the NSX Manager CLI console.
To verify connectivity, view the ARP and routing tables.
nsxmgr# show arp IP address HW type Flags HW address Mask Device 192.168.110.31 0x1 0x2 00:50:56:ae:ab:01 * mgmt 192.168.110.2 0x1 0x2 00:50:56:01:20:a5 * mgmt 192.168.110.1 0x1 0x2 00:50:56:01:20:a5 * mgmt 192.168.110.33 0x1 0x2 00:50:56:ae:4f:7c * mgmt 192.168.110.32 0x1 0x2 00:50:56:ae:50:bf * mgmt 192.168.110.10 0x1 0x2 00:50:56:03:19:4e * mgmt 192.168.110.51 0x1 0x2 00:50:56:03:30:2a * mgmt 192.168.110.22 0x1 0x2 00:50:56:01:21:f9 * mgmt 192.168.110.55 0x1 0x2 00:50:56:01:23:21 * mgmt 192.168.110.26 0x1 0x2 00:50:56:01:21:ef * mgmt 192.168.110.54 0x1 0x2 00:50:56:01:22:ef * mgmt 192.168.110.52 0x1 0x2 00:50:56:03:30:16 * mgmt
nsxmgr# show ip route Codes: K - kernel route, C - connected, S - static, > - selected route, * - FIB route S>* 0.0.0.0/0 [1/0] via 192.168.110.1, mgmt C>* 192.168.110.0/24 is directly connected, mgmt
Look for errors in the NSX Manager log to indicate the reason for not connecting to vCenter Server. The command to view the log is show log manager follow.
Run the command: debug connection IP_of_ESXi_or_VC, and examine the output.
Perform Packet Capture on NSX Manager to View Connections
Use the debug packet command: debug packet [capture|display] interface interface filter
The interface name on NSX Manager is mgmt.
The filter syntax follows this form: "port_80_or_port_443"
The command runs in privileged mode only. To enter privileged mode, run the enable command and provide the admin password.
Packet capture example:
nsxmgr# en nsxmgr# debug packet display interface mgmt port_80_or_port_443 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on mgmt, link-type EN10MB (Ethernet), capture size 262144 bytes 23:40:25.321085 IP 192.168.210.15.54688 > 192.168.210.22.443: Flags [P.], seq 2645022162:2645022199, ack 2668322748, win 244, options [nop,nop,TS val 1447550948 ecr 365097421], length 37 ...
Verify Network Configuration on NSX Manager
The show running-config command shows the basic configuration of the management interface, NTP, and default route settings.
nsxmgr# show running-config Building configuration... Current configuration: ! ntp server 192.168.110.1 ! ip name server 192.168.110.10 ! hostname nsxmgr ! interface mgmt ip address 192.168.110.15/24 ! ip route 0.0.0.0/0 192.168.110.1 ! web-manager
NSX Manager Certificates
NSX Manager supports two ways to generate certificates.
NSX Manager generated CSR: Limited functionality due to basic CSR
PKCS#12: This is recommended for production
There is a known issue in which the CMS silently fails to make API calls.
This happens when the certificate issuer is not known to the caller because it is an untrusted root certificate authority or the certificate is self-signed. To resolve this issue, use a browser to navigate to the NSX Manager IP address or hostname and accept the certificate.