Restoring NSX from Old Backup - With Control VM

Ok, yesterday I posted Restoring NSX from Old Backup - Impact on Distributed Network where I said I was 5 sigma sure the Control VM wouldn’t make a difference to the restore. 5 sigma is probably not as good as 6 sigma (whatever that is) so this post is to show NSX Manager’s recovery being done when the Logical Router is deployed with its Control VM.

Here is the logical view of the network with a Global Logical Router that has a Control VM:

That’s right, his diagram is the same diagram from yesterday, with no Control VM. That’s because the logical diagram depicts the Data Plane, not the Control Plane (gotcha). However, the Control VM does have a connection for its HA interface (formerly known as Management Interface), which I dropped in the dvPortgroup COM_A1-VMMGT. Below is a diagram of the vDS after deploying the Control VM (this time I showed the Uplinks so you can see the two ESXi hosts…sorry for missing that yesterday).

So, I removed the logical router (default+edge-6) that was there, made a backup (Backup4) of NSX Manager, deployed a new logical router (piratas+edge-7) with its Contol VM (that’s how I got the above vDS screenshot) and did one more backup (Backup5) to easily return back to the end-state. Below is a screenshot of the new logical router.

Bonus Point 1: What is the Tenant name of the new Logical Router? Answer provided at the end of this post… Now back to the show.

And here is what com-a1-esxi01 sees:

[root@com-a1-esxi01:~] net-vdr -l -I VDR Instance Information : --------------------------- Vdr Name: piratas+edge-7 Vdr Id: 0x00007d00 Number of Lifs: 2 Number of Routes: 2 State: Enabled Controller IP: 10.154.8.71 Control Plane IP: 10.154.9.44 Control Plane Active: Yes Num unique nexthops: 0 Generation Number: 0 Edge Active: No [root@com-a1-esxi01:~]

Bonus Point 2: Why does the output for Edge Active says No? Answer provided at the end of the post.

And here is the same output (with some additional show commands to find the host-id of com-a1-esxi01), but taken from NSXMGR:

nsxmgr-a.piratas.caribe> show cluster all No. Cluster Name Cluster Id Datacenter Name Firewall Status 1 COM-A1 domain-c318 Santo Domingo Enabled 2 MGT-A1 domain-c433 Santo Domingo Not Enabled 3 COM-A2 domain-c1056 Santo Domingo Enabled 4 EDG-A1 domain-c333 Santo Domingo Enabled nsxmgr-a.piratas.caribe> show cluster domain-c318 Datacenter: Santo Domingo Cluster: COM-A1 No. Host Name Host Id Installation Status 1 com-a1-esxi02.piratas.caribe host-88 Ready 2 com-a1-esxi01.piratas.caribe host-87 Ready nsxmgr-a.piratas.caribe> show logical-router host host-87 dlr edge-7 verbose VDR Instance Information : --------------------------- Vdr Name: piratas+edge-7 Vdr Id: 0x00007d00 Number of Lifs: 2 Number of Routes: 2 State: Enabled Controller IP: 10.154.8.71 Control Plane IP: 10.154.9.44 Control Plane Active: Yes Num unique nexthops: 0 Generation Number: 0 Edge Active: No nsxmgr-a.piratas.caribe>

And here is me consoling in the Control VM and showing its routing table:

After restoring Backup4 (no logical router), here is what the com-a1-esxi01 host sees.

[root@com-a1-esxi01:~] net-vdr -l -I VDR Instance Information : --------------------------- [root@com-a1-esxi01:~]

Even NSX Manager also forgot about it:

nsxmgr-a.piratas.caribe> show logical-router host host-87 dlr edge-7 verbose Error: 202: The requested object : VDR instance [edge-7] could not be found. Object identifiers are case sensitive. nsxmgr-a.piratas.caribe> show logical-router list all Edge Id Vdr Name Vdr Id #Lifs nsxmgr-a.piratas.caribe>

However, vCenter still sees the Control VM (it is a VM after all):

We can also console in to the Control VM (or if we had bothered to put an IP in the HA interface and enabled SSH, we could've gone in-band) and show the routing table:

Are you surprised the Control VM still shows the LIFs as connected? Let’s ponder on this for a bit. The Control VM doesn’t communicate directly with the ESXi hosts, so it has no clue that all of them dropped the Logical Router. It receives its information (configuration wise, like the LIFs and IPs) from NSX Manager. NSX Manager has not told the Control VM (since it forgot about the Control VM's existence) that the Logical Router is no longer around, thus the Control VM continues to believe all is good and the LIFs are still connected (up/up)...even after a few hours of not “hearing” from NSX Manager.

After a few hours, I restored from Backup5 (the end-state), the logical router came back, and NSX Manager remembered about the Control VM.

Elver’s Opinion: I don’t think I have an opinion today (something all wise married men know how to do too well)…but I would brag a little that I was right when I said yesterday that the restore would have the same impact to the logical router whether it has a Control VM or not.

Bonus Points Answers: Gotcha again (actually, I lied this time). Instead giving you the answers, how about you tweet the answers to me, @ElverS_Opinion? The first person to tweet both answers will get a signed copy, in two languages mind you, of the VCP6-NV Official Cert Book¹. Just make sure you follow me so you can send me your mailing address via private IM.

¹ Offer only valid for those that can locate the Seven Kingdoms in a map, agree with the fact that Citizen Kane is the best movie EVER and know what is Bachata.