The NSX Network Detection and Response feature activation wizard reports an error while performing the precheck step.

Problem

The NSX Network Detection and Response activation wizard performs prechecks to verify the connectivity between the NSX Advanced Threat Prevention cloud service and the Kubernetes cluster running the NSX Application Platform. Any errors encountered are displayed on the NSX Network Detection and Response activation wizard. If the activation wizard reports an error during the precheck step, the NSX Network Detection and Response feature activation becomes blocked and the Activate button remains dimmed.

The following are some of the errors you might encounter if the activation precheck fails.
  • Cloud regions APIs returned invalid data (missing or invalid data).
  • Contacting cloud API for validating the NSX license failed.
  • The NSX Installation does not have the required license.

Cause

The precheck step validates the connectivity from the Kubernetes cluster running the NSX Application Platform to the NSX Advanced Threat Prevention cloud region that you selected. The precheck step also validates the available NSX Data Center licenses you are entitled to use for the NSX Network Detection and Response feature. If the connectivity precheck fails, the deployment wizard cannot validate the license eligibility.

Solution

  1. If your NSX Manager appliance is configured to use a web proxy for Internet-bound connections, ensure that the web proxy is configured correctly and is reachable from the workloads running in the Kubernetes cluster used for NSX Application Platform.
  2. Ensure that NSX Application Platform is deployed correctly and is reported as STABLE on the Systems > NSX Application Platform UI page.
  3. The deployment precheck can take up to 30 minutes to deploy and validate NSX Advanced Threat Prevention cloud reachability and NSX Data Center license eligibility. Wait for the precheck items to complete and verify the outcome for each row.
    1. For any item marked as Failed, point to the icon to view details.
    2. Ensure the license requirements stated as part of a failure are satisfied.
    3. If the error indicates connectivity errors, ensure that the NSX Application Platform can communicate with the Internet.
  4. If the failed precheck does not provide details about the failure, gather additional information.
    1. Collect an NSX Application Platform support bundle and inspect the logs for any Kubernetes pod with the name starting with nsx-ndr-precheck.
    2. Alternatively, query the logs interactively on the NSX Manager appliance using the following steps.
      1. Log in to the NSX Manager appliance as root.
      2. Use the following command to set the Kubernetes configuration used by any subsequent helm and kubectl invocations.
        export KUBECONFIG=/config/vmware/napps/.kube/config
      3. Using the following command, ensure that the NSX Network Detection and Response precheck helm chart was deployed successfully.
        helm --namespace nsxi-platform list --all --filter 'nsx-ndr-precheck'
        Verify that the STATUS property displays deployed.
      4. Using the following command, inspect the events for any precheck pods that have been deployed.
        kubectl --namespace nsxi-platform describe pod --selector='app.kubernetes.io/instance=nsx-ndr-precheck'
        The Events section provides the status of the precheck jobs and any actions associated with those jobs.
      5. To inspect the logs for any precheck pods that have been deployed, use the following command.
        kubectl --namespace nsxi-platform get pods --selector='app.kubernetes.io/instance=nsx-ndr-precheck' -o wide
        For each pod listed in RUNNING or COMPLETED state, view the logs using the following command.
        kubectl --namespace nsxi-platform logs --container=main <pod-name>
  5. After resolving the reported errors, try activating the NSX Network Detection and Response feature again.
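
The interactive log collection in step 4 can be run as one script on the NSX Manager appliance. The following is an added example, not VMware code: the function names are hypothetical, and it assumes the default table layout of helm list and kubectl get pods, with pod STATUS in the third column.

```shell
#!/bin/sh
# Added example, not VMware code. Function names are hypothetical.
NS=nsxi-platform
SEL='app.kubernetes.io/instance=nsx-ndr-precheck'

# stdin: output of `helm list`. Succeeds only if an nsx-ndr-precheck
# release row carries the STATUS value "deployed".
chart_deployed() {
    awk 'NR > 1 && $1 ~ /^nsx-ndr-precheck/ {
             for (i = 2; i <= NF; i++) if ($i == "deployed") ok = 1
         }
         END { exit !ok }'
}

# stdin: output of `kubectl get pods -o wide`. Prints the names of pods
# whose STATUS (third column, an assumption about the default table
# layout) is Running or Completed, compared case-insensitively.
pods_with_logs() {
    awk 'NR > 1 { s = toupper($3) }
         NR > 1 && (s == "RUNNING" || s == "COMPLETED") { print $1 }'
}

# Runs the page's commands in order: chart status, pod events, pod logs.
collect_precheck_logs() {
    export KUBECONFIG=/config/vmware/napps/.kube/config
    helm --namespace "$NS" list --all --filter 'nsx-ndr-precheck' |
        chart_deployed ||
        echo "WARNING: nsx-ndr-precheck chart STATUS is not deployed" >&2
    kubectl --namespace "$NS" describe pod --selector="$SEL"
    kubectl --namespace "$NS" get pods --selector="$SEL" -o wide |
        pods_with_logs |
        while read -r pod; do
            echo "===== logs: $pod ====="
            kubectl --namespace "$NS" logs --container=main "$pod"
        done
}

# Only touch the cluster when asked to, so the parsers can be tested offline.
if [ "${1:-}" = "--collect" ]; then
    collect_precheck_logs
fi
```

Run it as root with the --collect argument and redirect the output to a file to keep the events and logs together for review.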