Configure OPNsense and NSX-T to exchange routes using BGP
What am I trying to do? As per the diagram above, OPNsense is the gateway and firewall that allows all internal networks to talk to the internet. I have a few logical L2 networks configured in NSX and I want them to talk to the internet and to the physical networks (VLAN 20, VLAN 30) connected to OPNsense.
Routing information will be exchanged between NSX and OPNsense using BGP. BFD will be used to detect any faults between NSX and OPNsense....
vSphere with Tanzu - Zero Trust with NSX-T DFW
To enable zero trust for the Supervisor Cluster and the guest cluster, you need to first define a default deny-all rule in the NSX-T distributed firewall. You can then allow the required ports as per https://ports.esp.vmware.com/home/vSphere-7 (filter with the keyword “Tanzu”).
The problem? vSphere with Tanzu expects to have a default allow-all rule, specifically for egress (source is the Master VM subnet and destination is the whole cluster CIDR block). After enabling zero trust, the default deny-all rule blocks both ingress and egress traffic....
vSphere with Tanzu - Creating a Tanzu Kubernetes Cluster fails - Failed to deploy OVF package.
Creating a Tanzu Kubernetes Cluster fails. In vCenter Server, the resource pool gets created under the namespace resource pool. However, the control/worker VMs do not get created.
The OVF deployment starts but fails and is in a constant loop with the error, “Failed to deploy OVF package”
Looking at the vpxd logs in vCenter Server, the error was:
info vpxd[63733] [Originator@6876 sub=Default opID=62236dfd] [VpxLRO] -- ERROR lro-43350730 -- task-637327 -- vim....
vSphere with Tanzu and NSX-T - Enable workload management - Stuck configuring
If you run into any issue where the config status is stuck in “configuring” state, one of the first things to check is the wcpsvc logs on the vCenter appliance here: /var/log/vmware/wcp/wcpsvc.log
Interestingly, I ran into an issue where the logs were complaining about authorization. You will probably see the following events in a loop:
2021-05-30T11:48:11.077Z error wcp [kubelifecycle/spherelet.go:923] [opID=domain-c8-host-28] **Failed to get Kubernetes cluster node list: Unauthorized** 2021-05-30T11:48:11.078Z error wcp [kubelifecycle/node_controller....
NSX-T Edge Tunnels down
I ran into the same issue as described by Eric Sloof:
https://www.ntpro.nl/blog/archives/3570-Edge-Tunnels-Down-when-hosting-NSX-T-on-the-same-DVS.html
The problem I had was I did not have enough uplinks to create a new dvSwitch to get the tunnel to work. For the tunnel to work, the Geneve traffic has to leave the host and get routed back in. I had a layer 3 physical switch and decided to make use of inter-VLAN routing.
Once logged into the switch:...