To check the pool:
This one stumped me for a bit (I also might have completely misunderstood it)!
In order to configure Activity Monitoring for a Security Policy, I think we need to right-click on the “Activity Monitoring Data Collection” Security Group and select Apply Policy:
From here we can apply activity monitoring to an existing (or create a new) Security Policy:
Install Guest Introspection
Installing Guest Introspection installs a new VIB and a service virtual machine on each host in the cluster. Guest Introspection is required for NSX Data Security, Activity Monitoring, and several third-party security solutions.
If you want to assign an IP address to the NSX Guest Introspection service virtual machine from an IP pool, create the IP pool before installing NSX Guest Introspection.
1. On the Installation tab, click Service Deployments.
2. Click the New Service Deployment icon.
Troubleshoot DHCP service issues
If you are troubleshooting, make sure you have enabled logging and changed the mode to debug, error, etc. This sends the logs to the syslog server configured for the ESG.
You must restart the DHCP service on client virtual machines in the following situations:
- You changed or deleted a DHCP pool, default gateway, or DNS server.
- You changed the internal IP address of the NSX Edge instance.
You first enable the L2 VPN service on the NSX Edge instance, then configure a server, and then a client. I’m going to try and use a Hands-on Lab to spin up two ESGs and stretch an L2 network between them both.
You need to use the Trunk interface to set up L2 VPNs, so here are the steps for that:
1. Click on the Settings tab. Click on Interfaces. Select a vNIC and click on the pencil icon to bring up the Edit NSX Edge Interface wizard.
2. Enter an interface name then set Type: Trunk. Click on the Select link next to the text box for Connected To and attach the interface to a standard or distributed port group:
You normally download the Technical Support Logs from the Edge Services Gateway if you are experiencing issues.
Should you be running the ESG in HA mode, the logs for both are downloaded at the same time. Select the Edge Services Gateway that you wish to download the Technical Support Logs from.
Right-click and select Download Tech Support Logs:
Once they are gathered, click Download and then save them:
SSL VPN-Plus Service
You can run some troubleshooting commands from the command line of the Edge Services Gateway (ESG) that is hosting the SSL VPN-Plus service. SSH or open the console of the ESG.
The full command list available:
To check the SSL VPN service status:
Very quick post being filed under every day is a school day!
I deployed an Edge Services Gateway without ticking (or more specifically unticking) the Enable SSH button. Along comes some routing issue and I would really like to SSH onto the Edge and do a show ip route, but I could not figure out how to enable SSH after the Edge is deployed. Much digging later, the only way I could see is to open Networking and Security, then browse to NSX Edges, highlight the Edge you want to enable SSH on and click Actions:
Once here click “Change CLI Credentials”:
Type in a password (you can reuse the existing password you set) and tick “Enable SSH”.
What a pita this has been, the process is reasonably straightforward but trying to do this in a nested environment is a pain!! The settings below should be done on both ESGs (in my (hands-on) lab I created two ESGs with a directly connected “Internal” Logical Switch and an “Internet” Logical Switch and used a DLR to act as the Internet Router).
Something like this:
10.10.100.0/24 > Site 1 ESG Internal (10.10.100.1) > Site 1 ESG Internet (10.10.10.1) > Internet DLR (10.10.10.254) > Internet DLR (220.127.116.11) > Site 2 ESG Internet (18.104.22.168) > Site 2 ESG Internal (22.214.171.124) > 126.96.36.199/24
Enable IPSec VPN Service
You must enable the IPSec VPN service for traffic to flow from the local subnet to the peer subnet.
1. Log in to the vSphere Web Client.
2. Click Networking & Security and then click NSX Edges.
3. Double-click an NSX Edge.
4. Click the Manage tab and then click the VPN tab.
5. Click IPSec VPN.