While installing vCloud Director 5.1 in my home lab, I faced an odd problem while configuring vCloud Networking and Security 5.1.1 for VXLANs. If you follow the VMware configuration guides for VXLAN, or any of the many articles on configuring vCloud Director/vCloud Networking & Security 5.1.1 for VXLAN, they always mention that as soon as you complete the configuration, vCloud Networking & Security 5.1.1 will automatically create a dvPort Group with a name of the format vxw-vmknicPg-dvs-xx-xx-xx-xx, as well as a vmknic interface. A few samples of such instructions can be found at:
In my lab I was facing the odd case of the dvPort Group being created, but no vmknic interface whatsoever being created. After investigating the situation and a bit of internal research, I discovered that this is due to vCloud Networking and Security 5.1.1 depending on VMware Update Manager to push the VIB to each host to configure it for VXLAN; in some cases VUM has proved problematic at pushing these, or a flaky VUM installation could cause such a problem. The good news is that vCloud Networking & Security 5.1.2a has just been released; it handles pushing these VIBs differently and does not depend on VUM to do it, eliminating all the trouble. You can get the new vCloud Networking & Security 5.1.2a at: https://my.vmware.com/group/vmware/info?slug=security_products/vmware_vcloud_networking_and_security/5_1.
If you have upgraded your vCloud Networking & Security to 5.1.2a and that did not fix the problem, then try the steps below, which seem to fix the problem in most scenarios:
- Remove the original VXLAN configuration from vCNS.
- Restart the vCNS web service:
      manager# configure terminal
      manager(config)# no web-manager
- Re-add vCenter to vCNS.
- Add the VXLAN configuration again.
This should hopefully get you up and running and now your VXLAN should be green in your vCloud Networking & Security Manager as per the below screenshot from my lab:
If you have upgraded to 5.1.2a, followed the above steps, and then faced a problem with pushing the VXLAN agent to your ESXi hosts, then my following post should be of great help to you: VIB module for agent is not installed on host (vShield-VXLAN-service)
For those who want to find out more about what other bugs have been fixed in vCloud Networking & Security 5.1.2a, you can check the vCNS 5.1.2a release notes at: http://wwwcontentdev.vmware.com:9998/support/vshield/doc/releasenotes_vshield_512a.html, and I have included a copy of the release notes below for your convenience.
What’s in the Release Notes
The release notes cover the following topics:
The vCloud Networking and Security 5.1.2a patch release fixes an issue where vShield Manager needs to be restarted frequently.
System Requirements and Installation
For information about system requirements and installation instructions, see the vShield Installation and Upgrade Guide.
The following known issues have been discovered through rigorous testing and will help you understand some behavior you might encounter in this release.
The known issues are grouped as follows:
vShield Manager upgrade fails with an error
When vShield Manager has been upgraded from 4.1 to 5.0 to 5.1, vShield Manager fails to connect to the vCenter Server and the UI displays an Internal Server Error.
Workaround: Re-enter the vCenter Server credentials. If connectivity is not restored, reboot the vShield Manager.
vShield Manager fills the /common directory very fast
vShield Manager filled 20% of the /common directory in 30 minutes.
Workaround: If DRS is enabled, you must add at least two hosts from the same cluster in a dvSwitch.
If the vCenter Server becomes unavailable during the vShield App upgrade process, the upgrade fails and the Update link is not available
See Update link not available during vShield App upgrade.
Additional steps to install SSL VPN client on Mountain Lion
Cannot install the SSL VPN client on the Mountain Lion operating system.
Workaround: Mountain Lion does not allow you to install the SSL VPN client since it is unsigned. CONTROL-click on the installer to proceed.
Cannot configure different certificates for two different features
Cannot configure different certificates for two different features. For example, you cannot use certificate a for IPsec and certificate b for SSL VPN.
Workaround: Use the same certificate for both features and then change the certificate for one of the features.
The following issue has been resolved in the 5.1.2a patch release.
- vShield Manager needs to be restarted
- vShield Manager becomes unresponsive and needs to be restarted.