VMware NSX

Hello everyone,

I am trying to set up Tanzu and have just deployed an NSX ALB cluster. 
During deployment of the workload management supervisor the SE setup fails.

There are two errors:
In Application -> Dashboard -> Virtual services:
Description: Modify network(s) failed on Service Engine Avi-se-lppjs. Reason SEVM_CREATE_ACCESS_ERROR
Reason: SEVM_CREATE_ACCESS_ERROR

In Infrastructure -> Dashboard -> Service Engine
Description: vNIC addition failure
error_string: Invalid configuration for device '0'.

I have given NSX ALB controller a service account in vsphere.local and the rights is set up like this:
https://avinetworks.com/docs/latest/roles-and-permissions-for-vcenter-nsx-t-users/
https://docs.vmware.com/en/VMware-NSX-Advanced-Load-Balancer/21.1.4/Installation_Guide/GUID-80C56CC5-2ED5-4D40-80FF-46E64343C953.html
https://docs.vmware.com/en/VMware-NSX-Advanced-Load-Balancer/21.1.4/Installation_Guide/GUID-80C56CC5-2ED5-4D40-80FF-46E64343C953.html
https://docs.vmware.com/en/VMware-NSX-Advanced-Load-Balancer/21.1.4/Installation_Guide/GUID-7B7C6F73-BFDB-4FF4-B75F-019791D26177.html

All examples I have seen just uses the administrator@vsphere.local but links to various pages setting the same rights as described in the links. 

What are the correct settings? Or are the error messages a sign of something else being wrong?

Regards Helge

Can you utilise following link on this setup please:

https://avinetworks.com/docs/22.1/vmware-user-role/

And try to create appropriate roles first, and after that try assigning your Avi-vCenter integration user this role.

I suppose you're setting up vSphere cloud in Write_Access mode.

BR,

Dragan

That link specifies the same roles and rights as I have already set. 

I also recreated the AviSeFolder and set the permissions on in again. 

When I redeployed the supervisor the same thing happens

I see your point. Did you try with administrator@vsphere.local for workload supervisor setup? Just to confirm this issue is permission/role related.

And I suppose you're following some of official VMware docs on this subject like this PoC for example https://core.vmware.com/resource/tanzu-proof-concept-guide#

BR,

Dragan

I am unable to change the credentials used for vcenter in the Default-cloud config. When I change the username and password, and test the connection, I get no error messages, but the Save button at the bottom changes from green to gray.

As a workaround I changed the role on the ALB user in vsphere to admin.
I am redeploying the supervisor now so I will probably get some results in a few minutes

Changing the user role did not help. 

The errors are still CC_VNIC_ADDITION_FAILURE and MODIFY_FAIL.
Are there any logs that may shed some light on the specifics of the failing operation?

Which Avi version you're using for this test, and vSphere? Can you completely remove Default-Cloud config and redeploy it?

Regarding logs I would suggest checking them on vCenter side which can be done through GUI, and also on Avi side logs per this instructions https://avinetworks.com/docs/22.1/collecting-tech-support-logs/

BR,

Dragan

We are using NSX ALB 22.1.2 build 9086
Vcenter is 8.0.0 

But I just checked for newer versions on vmware and there is a new versjon, 22.1.3 where the release notes states it supports vcenter 8. So 22.1.2 might have had some problems with our vcenter. 

Yes - per VMW official interoperability matrix you should go with 22.1.3:

I just updated the install to 22.1.3.

I was hoping the problems I had was just caused by my own stupidity here, but the same errors keeps popping up. 

Same behaviour with 22.1.3 regarding default cloud modification? And also with administrator@vsphere.local user?

Same errors this time. 

Since I could not change the user in ALB I changed the role in .local to administrator. 

But the error message "Invalid configuration for device '0'." on the Event Code CC_VNIC_ADDITION_FAILURE makes me think that it may not be an access error as the other event logs state, but something else. 

I had this exact error recently building out TKGS in a home lab. I made a few changes to try and resolve.

One of the changes I made was to delete and re-create the DPG that I was using for the service engines frontend network. I remembered I was previously using a DPG that was imported and restored from a backup from another VCSA. 

Now it is working, I can see the step that it was failing on was when it reconfigures one of the NICs to change its portgroup for the frontend network I had setup, so I suspect it may have been DPG related.

Another change I made was to the default service engine group. I specified an esxi host to create the SEs on and migrated the controller and the content library for the service engine image to that same esxi host. This was more to address a latency issue on my lab network. I don't think this was the fix, but worth mentioning in case you are also spinning this up in a slow home lab.

I ended up removing the controllers altogether and redeploying. 

The creation of SE works as expexted now.

Glad it's working  

It can be difficult sometimes to dig through logs, and just instead of that re-deploy whole setup... experienced that on my own multiple times 

BR

Hi Helge
Can  SE access to  NSX ALB Controller Cluster ?

If you register controller using hostname, SE need to resolve ip address for ALB Cluster from DNS.

Best regards

---

 wrote:

Can  SE access to  NSX ALB Controller Cluster ?
If you register controller using hostname, SE need to resolve ip address for ALB Cluster from DNS.

Since the errors I get are related to access I don't think this is the problem.