We will keep it short and direct to the point. You are here because you intend to use the NSX-T migration coordinator for your NSX-V to NSX-T migration project and want a smooth and easy migration. Or at least that is what we all expect, right?
Guess what. There are many reasons the migration coordinator service can return an error, and the UI often lacks details of the problem. To identify the root cause, you need to dive deep into the logs, and we know it's time-consuming!
This post documents the errors we are seeing, to help you work around them and progress with the migration.
So let’s get started!!
From NSX-V to NSX-T and beyond!! 😀
List of errors
We will try to keep this list updated as frequently as possible. Do not hesitate to contact us for support or post your question in the NSX community.
Note: We label each entry 'possible cause' and 'possible workaround' to manage expectations. Your error message may be the same or similar, yet the workaround may not resolve your issue. Why? The UI error messages can be generic and give little indication of what the issue is. Getting support to work on your specific case is highly recommended. Sharing log bundles online is uncommon for security and privacy reasons, but the logs are much needed to understand the error symptoms. For support, raise a support case with VMware, get help from the VMware communities or contact us.
Config migration failed [Reason: HTTP Error: 400: Some error has occurred. for url: http://localhost:6440/policy/api/v1/infra/certificates/certificate-14]
During the migrate configuration phase you get the error “Config migration failed [Reason: HTTP Error: 400: Some error has occurred. for url: http://localhost:6440/policy/api/v1/infra/certificates/certificate-id]”
In our experience, this issue is caused by NSX-V Manager having old vCenter PSC certificates left over in its certificate truststore. Any certificate can generate this error.
Removing the certificate from the truststore resolves the error. For this we used API calls to get the certificate and then delete it.
# Get the certificate causing the error and validate that it is safe to remove
GET /api/2.0/services/truststore/certificate/{certificateId}
# Delete the certificate from the truststore
DELETE /api/2.0/services/truststore/certificate/{certificateId}
Config migration failed [Reason: HTTP Error: 400: IPFIX L2 collector with ip:port 10.11.12.13:1234 already exists. for url: http://localhost:6440/policy/api/v1/infra/ipfix-l2-collector-profiles/ipfix_l2_collector_profile_2]
During the migrate configuration phase you get the error “Config migration failed [Reason: HTTP Error: 400: IPFIX L2 collector with ip:port 10.11.12.13:1234 already exists. for url: http://localhost:6440/policy/api/v1/infra/ipfix-l2-collector-profiles/ipfix_l2_collector_profile_2]”
This issue is related to NSX-V having IPFIX configured and the VDS in vCenter having NetFlow configured.
Resetting the IPFIX configuration in NSX-V and the NetFlow configuration on the VDS used by the ESXi hosts prepared for NSX-V resolves this issue.
IPFIX is unsupported by the migration coordinator. Refer to the NSX-T Data Center Migration Coordinator Guide for details.
Config migration failed [Reason: HTTP Error: 400:Duplicate expressions specified for url: http://localhost:6440/policy/api/v1/infra/domains/default/groups/securitygroup-334]
During the migrate configuration phase you get the error “Config migration failed [Reason: HTTP Error: 400:Duplicate expressions specified for url: http://localhost:6440/policy/api/v1/infra/domains/default/groups/securitygroup-334]”
The issue is caused by a duplicated expression in the security group membership. We have seen cases where the dynamic membership uses a security tag and the static membership has the same security tag as a member, which causes the duplicated expression.
To resolve this error, check that the returned security group does not have duplicated members. When adding members to a security group, use only one type of membership.
In the cm.log log file you can see the same security tag listed as both a dynamic member and a static member of the security group.
Config translation failed [Reason: Endpoint Protection Converter failed with "'NoneType' object has no attribute 'get'"]
During the import configuration phase you get the error “Config translation failed [Reason: Endpoint Protection Converter failed with "'NoneType' object has no attribute 'get'"]”
In NSX-V, the dynamic membership criteria of a security group are empty by default. If you use static membership only, they remain empty, and in some situations you can hit a known error in NSX-T where the migration coordinator is unable to translate the security group.
To resolve this issue there are two options.
Install version 3.1.3.3 of VMware NSX-T Data Center, which resolves issue 2846022: Migration from NSX for vSphere to NSX-T fails if the NSX-v environment has Security Groups with invalid Dynamic Membership criteria.
Alternatively, use dynamic members in the security group, or update the firewall rules that use the security group to use the IP addresses of the objects in the security group and then delete the security group with issues.
We have seen that installing NSX-T 3.1.3.3 resolves the issue with the migration coordinator. This solution is faster than updating a long list of security groups, but if restrictions prevent you from installing this patch, work around the issue by updating firewall rules and/or security groups.
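A pre-migration check for the two security group problems described above (the same security tag used as both static and dynamic member, and static-only groups with empty dynamic criteria). This is an added example, not code from the original post or from VMware; the XML element names and the sample data are assumptions modelled on an NSX-V security group listing, so adjust them to your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. Element names are an assumption
# modelled on an NSX-V security group listing; adjust to your own data.
SAMPLE = """<list>
  <securitygroup>
    <objectId>securitygroup-334</objectId><name>web</name>
    <member><objectId>securitytag-12</objectId>
      <objectTypeName>SecurityTag</objectTypeName><name>tag-web</name></member>
    <dynamicMemberDefinition><dynamicSet><dynamicCriteria>
      <key>VM.SECURITY_TAG</key><criteria>=</criteria><value>tag-web</value>
    </dynamicCriteria></dynamicSet></dynamicMemberDefinition>
  </securitygroup>
  <securitygroup>
    <objectId>securitygroup-335</objectId><name>db</name>
    <member><objectId>vm-101</objectId>
      <objectTypeName>VirtualMachine</objectTypeName><name>db01</name></member>
  </securitygroup>
  <securitygroup>
    <objectId>securitygroup-336</objectId><name>app</name>
    <dynamicMemberDefinition><dynamicSet><dynamicCriteria>
      <key>VM.NAME</key><criteria>contains</criteria><value>app</value>
    </dynamicCriteria></dynamicSet></dynamicMemberDefinition>
  </securitygroup>
</list>"""

def audit_groups(xml_text):
    """Return {group objectId: [findings]} for groups worth reviewing."""
    findings = {}
    for sg in ET.fromstring(xml_text).iter("securitygroup"):
        gid = sg.findtext("objectId")
        static_tags = {m.findtext("name") for m in sg.findall("member")
                       if m.findtext("objectTypeName") == "SecurityTag"}
        criteria = sg.findall(".//dynamicCriteria")
        dynamic_tags = {c.findtext("value") for c in criteria
                        if c.findtext("key") == "VM.SECURITY_TAG"}
        # Same tag as static member and dynamic criterion: duplicate expression.
        issues = [f"duplicate-tag:{t}" for t in sorted(static_tags & dynamic_tags)]
        # Static members with empty dynamic criteria: translation may fail
        # on NSX-T releases without the 3.1.3.3 fix.
        if sg.findall("member") and not criteria:
            issues.append("static-only")
        if issues:
            findings[gid] = issues
    return findings

if __name__ == "__main__":
    for gid, issues in audit_groups(SAMPLE).items():
        print(gid, ", ".join(issues))
```

The tag comparison is an exact name match only; criteria such as "contains" are not expanded, so treat a clean result as a starting point rather than proof that no group will fail.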
We hope this post is useful. If you want more information, send us your comment using the button below.