VMware NSX-T Data Center: Install, Configure, Manage [V3.0]

I've done all the pings and got responses OK, I've waited well over 5 minutes, during which time i've checked everything I've done, no results, all the labs before this have worked fine.

Any ideas where I can start to troubleshoot the issue?

Thx, Andy.

Hi Andy,

did you make sure that you also selected DNS for the context profile on the L7 rule (as attached)? I accidentally created mine the first time around with DNS and DNS UDP in the services but I left the profiles blank and I didn't get any analysis but when I realised my error and updated the profile, then everything worked as expected.

Mark

I had the same issue with two students, they have forgotten to configure DNS in Profiles after some investigation I also encountered some internal errors in the firewall.

I've attached some screenshots with the error on the redirection rule and the default rule,

I think I have uncovered a temporary work around.  I am attaching a screen shot to show the failure that eventually happens.  The thing that happens when configuring the firewall rule, the status moves from unknown, to Success, to Failed.

This is how I finally got it work work:

1. Before the students configure the firewall rule in task 6, have then configure the VM in task 7 and then have them perform the pings
2. Configure the firewall rule and then have student refresh the screen until it says success.
3. immediately perform the pings.  If you wait until the rule fails, no analysis is shown.

• Just up arrow enter
• up arrows and next ping
• etc.

I have not thoroughly tested this but I did get it to work once.

We still have the issue of the Default firewall having a failed state

Long term this still needs to be fixed.

Could not get this working at all.

I've tried the suggestions.

The URL policy never shows as success only in progress, unknown and Failed.

Yes I did select the DNS profile.

Same problem here, no results. 

Hi All 

Does anyone happen to know why the version of the url analysis doesn't show up on the URL analysis page ?

Please see attached pic .

A student lab is exhibiting the same behavior as the issues listed in this thread. 

I'd appreciate any help.

Thank you 

Den

I have the exact same issue.  I have run previous classes and this lab worked, but this week.  Not one student got this to work and I evened tried it..  No success.  Version says 0.0.0

Any thoughts on this???

If you are running this on a non-vmware lab make sure they have internet connectivity.

I had this the other week on a HPE class and I noticed in the DNS records that they had put in fake entries for the pingable addresses so that they would ping the address successfully but would not connect externally as it was blocked and the version was also 0.0.0.0 which normally is related to the port or traffic not being allowed for URL analysis connection to the cloud service for each NSX Edge Node

Thanks for the reply..

Unfortunately I am using the VMware Lab environment..  Use to work, but now, doesn;t seem to..

I am using the VLP this week, and even tried it on a PREP system.  No luck..

Have a good one.

The whole thing is quite interesting...

The edges have to download the webroot db, and do so via an API connecting to https://api.nsx-sec-prod.com, which is behind cloudfront, it seems.

The certificate validation fails from the kits, but it worked fine from my place... ???

After some time digging where the problem was, it is somehow related to wrong certs being presented by SOME cloudfront servers. While someone actually fixes this, a quick hack is to point api.nsx-sec-prod.com to a working proxy server, like 52.71.127.103.

Edit /etc/hosts and add:
  52.71.127.103 api.nsx-sec-prod.com
on each edge.

Check it is working by "curl https://api.nsx-sec-prod.com". Reboot the edge.

There is a current issue with URL analysts in the current ICM lab.  As TronAr pointed out, it’s a certificate-related issue, and our engineering team has been engaged to resolve.  

Interestingly, this issue only currently affects the ICM vApp, which is running NSX-T 3.0.  The Intrinsic Security course includes essentially the same lab, but is running NSX-T 3.1.  The Intrinsic Security lab is not affected by this issue.

That’s an interesting workaround, editing the hosts file to avoid misbehaving endpoints.  It’s more work than I want to do in a class, but it’s great for being able to demo

DNS is clearly choosing the servers, so changing the edge DNS servers might be an easier fix...

Apparently, the issue has been resolved.

It has been about a year.  Has this been fixed?  Just wondering.  I assume that it is not so I am using this approach with my classes.

It was informed as fixed, some servers had expired certs...

Does that mean it is fixed or the certs are still an issue?

 It's fixed and working 100%

Hope that helps you.

Dennis

The issue still exist and appears randomly...

Hi All 

I'm currently running a class and I'm happy to report this issue now seems fixed in the class lab. All working perfectly again.

Thank you kindly 

Dennis