After an NSX-T Local Manager is imported to an NSX-T Global Manager, resetting the admin password of the NSX-T Local Manager locks out the admin account. As a result, connectivity between the NSX-T Global Manager cluster and the NSX-T Local Manager cluster fails with a general system error. To avoid the lockout, add the NSX-T Global Manager nodes in both regions to an allowlist of trusted nodes for the NSX-T Local Manager cluster.

Procedure

  1. Log in to the host that has access to your data center.
  2. Update the allowlist of trusted sources on the NSX-T Local Manager appliance by using the Postman PUT method.

    You add the IP addresses of the NSX-T Global Manager cluster to the lockout_immune_addresses list of the NSX-T Local Manager cluster.

    1. Start the Postman application in your Web browser and log in.
    2. On the Authorization tab, enter the following settings and click Update request.

      | Setting   | Value                |
      |-----------|----------------------|
      | Type      | Basic Auth           |
      | User name | admin                |
      | Password  | nsx_t_admin_password |

    3. On the Headers tab, add a key by using the following details.

      | Setting   | Value            |
      |-----------|------------------|
      | Key       | Content-Type     |
      | Key Value | application/json |

    4. In the request pane at the top, send the following HTTP request.

      | Setting             | Value                                                           |
      |---------------------|-----------------------------------------------------------------|
      | HTTP request method | PUT                                                             |
      | URL                 | https://sfo-w01-nsx01.sfo.rainpole.io/api/v1/cluster/api-service |

      Body

          {
            "global_api_concurrency_limit": 199,
            "client_api_rate_limit": 100,
            "client_api_concurrency_limit": 40,
            "connection_timeout": 30,
            "redirect_host": "",
            "cipher_suites": [
              {"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"},
              {"enabled": true, "name": "TLS_RSA_WITH_AES_256_GCM_SHA384"},
              {"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
              {"enabled": true, "name": "TLS_RSA_WITH_AES_128_GCM_SHA256"},
              {"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"},
              {"enabled": true, "name": "TLS_RSA_WITH_AES_256_CBC_SHA256"},
              {"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"},
              {"enabled": true, "name": "TLS_RSA_WITH_AES_256_CBC_SHA"},
              {"enabled": true, "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"},
              {"enabled": true, "name": "TLS_RSA_WITH_AES_128_CBC_SHA256"},
              {"enabled": false, "name": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"},
              {"enabled": false, "name": "TLS_RSA_WITH_AES_128_CBC_SHA"}
            ],
            "protocol_versions": [
              {"enabled": true, "name": "TLSv1.1"},
              {"enabled": false, "name": "TLSv1.2"}
            ],
            "lockout_immune_addresses": [
              "172.16.11.95",
              "172.16.11.96",
              "172.16.11.97",
              "172.16.11.98",
              "172.17.11.95",
              "172.17.11.96",
              "172.17.11.97",
              "172.17.11.98"
            ]
          }

      After the NSX-T Local Manager sends a response back, on the Body tab, you see a 202 Accepted status.
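
The same update done as a read-modify-write in Python, added here as an example and not taken from the original procedure or from VMware. It assumes a GET on the same URL returns the current settings in the shape of the Body above; it appends the Global Manager addresses without retyping the other fields and lists the protocol_versions entries to review before the PUT. The function names are hypothetical.

```python
import base64, ipaddress, json, ssl, urllib.request

API_PATH = "/api/v1/cluster/api-service"  # URL path from step 4 of the procedure

def merge_lockout_immune(config, addresses):
    """Return a copy of config with addresses appended to lockout_immune_addresses."""
    merged = dict(config)
    current = list(config.get("lockout_immune_addresses", []))
    for addr in addresses:
        ip = str(ipaddress.ip_address(addr))  # ValueError on a malformed address
        if ip not in current:
            current.append(ip)
    merged["lockout_immune_addresses"] = current
    return merged

def tls_warnings(config):
    """Protocol settings worth a second look before they are written back."""
    state = {p["name"]: p["enabled"] for p in config.get("protocol_versions", [])}
    checks = [("TLSv1.1", True, "TLSv1.1 is enabled"),
              ("TLSv1.2", False, "TLSv1.2 is disabled")]
    return [msg for name, bad, msg in checks if state.get(name) is bad]

def _call(host, user, password, method, body=None, cafile=None):
    """Send one Basic-auth JSON request; certificate verification stays on."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}{API_PATH}", method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)

def update_allowlist(host, user, password, addresses, cafile=None):
    """GET the live settings, add the addresses, PUT the result; returns the HTTP status."""
    _, live = _call(host, user, password, "GET", cafile=cafile)
    desired = merge_lockout_immune(live, addresses)
    for warning in tls_warnings(desired):
        print("review before sending:", warning)
    status, _ = _call(host, user, password, "PUT", desired, cafile)
    return status

if __name__ == "__main__":
    # Constructed sample standing in for a GET response; no network access needed.
    sample = {"connection_timeout": 30, "lockout_immune_addresses": ["172.16.11.95"],
              "protocol_versions": [{"enabled": True, "name": "TLSv1.1"}]}
    print(merge_lockout_immune(sample, ["172.16.11.95", "172.17.11.95"]))
```

Pass the path of the CA bundle that signed the NSX-T Local Manager certificate as `cafile` when it is not in the system trust store.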