VMware Cloud Foundation: Patching Failed
SDDC Manager: Unable To Configure Security Global Config
There are 6 steps to upgrade a VMware Cloud Foundation (VCF) management domain:
- SDDC Manager and VMware Cloud Foundation services.
- VMware Cloud Foundation config drift.
- vRealize Suite Lifecycle Manager, vRealize Suite products, and Workspace ONE Access.
- vCenter Server.
- If you have stretched clusters in your environment, upgrade the vSAN witness host.
- VxRail Manager and ESXi.
Reference: VMware Cloud Foundation Upgrade Process
The issue highlighted in this post occurs as part of step 1, specifically when upgrading SDDC Manager.
The cause is an expired password on the admin account of the NSX Managers. Once the password has expired, the password saved in SDDC Manager no longer works against the NSX Managers. After repeated failed login attempts via the API, the NSX Managers lock out SDDC Manager's login attempts, even with the right credentials. As a result, the administrator cannot remediate the account password in SDDC Manager.
The fix is relatively quick and simple:
1. Connect to each NSX Manager via SSH.
2. Log in with admin credentials.
3. Run the following commands on each of the NSX-T Managers:
Repeat this process for the root account if required. Once this process is complete, retry password remediation in SDDC Manager.
The issue is a result of not maintaining account password validity across SDDC Manager and the various solutions; in this case it was VMware NSX. It would prove beneficial to add password maintenance to your team's BAU task list.
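A BAU check along those lines, as an added example that is not from the original post: it reads account expiry data shaped like the NSX Manager `GET /api/v1/node/users` response and flags passwords that have expired or are about to. The field names (`password_change_frequency`, `last_password_change`, `status`) are assumed from that API, and the sample response and the 14-day warning window are constructed for illustration.

```python
import json

# Constructed sample shaped like the "results" list of GET /api/v1/node/users
# on an NSX Manager (field names are an assumption taken from that API).
SAMPLE_RESPONSE = json.loads("""
{"results": [
  {"userid": 0,     "username": "root",  "status": "ACTIVE",
   "password_change_frequency": 90, "last_password_change": 12},
  {"userid": 10000, "username": "admin", "status": "ACTIVE",
   "password_change_frequency": 90, "last_password_change": 84},
  {"userid": 10002, "username": "audit", "status": "PASSWORD_EXPIRED",
   "password_change_frequency": 90, "last_password_change": 131},
  {"userid": 10003, "username": "guestuser1", "status": "ACTIVE",
   "password_change_frequency": 0, "last_password_change": 400}
]}
""")


def days_remaining(user):
    """Days until the password expires; None when expiry is disabled (frequency 0)."""
    freq = user.get("password_change_frequency")
    age = user.get("last_password_change")  # days since the last change
    if freq is None or age is None:
        raise ValueError(f"missing expiry fields for {user.get('username')!r}")
    if freq == 0:
        return None
    return freq - age


def classify(user, warn_days=14):
    """Return 'EXPIRED', 'EXPIRING', 'NO_EXPIRY' or 'OK' for one account."""
    left = days_remaining(user)
    if user.get("status") == "PASSWORD_EXPIRED" or (left is not None and left <= 0):
        return "EXPIRED"
    if left is None:
        return "NO_EXPIRY"
    return "EXPIRING" if left <= warn_days else "OK"


def report(response, warn_days=14):
    """Map username -> (state, days_left) for every account in the response."""
    return {u["username"]: (classify(u, warn_days), days_remaining(u))
            for u in response.get("results", [])}


if __name__ == "__main__":
    for name, (state, left) in sorted(report(SAMPLE_RESPONSE).items()):
        print(f"{name:12} {state:10} days_left={left}")
```

Accounts reported as `EXPIRING` are the ones to rotate in SDDC Manager before the stored credential stops working and failed API logins trigger the lockout described above.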
My VCF Troubleshooting guide has a few other tips for administrators.