NSX v6 Bug for L2 Bridging “Configuring Layer 2 Bridging on a Distributed Logical Router in NSX for vSphere 6.1.2 fails with error: User is not authorized to access object”

Thanks to the consultants @ Gyrocom: IT Infrastructure
www.gyrocom.co.uk for finding this knowledge base article.

Symptoms

  • Cannot configure Layer 2 Bridging on a Distributed Logical Router in NSX for vSphere 6.1.2
  • Configuring Layer 2 Bridging on a Distributed Logical Router in NSX for vSphere 6.1.2 fails
  • You see the error:

User is not authorized to access object edge-XX and feature edge.bridging, please check object access scope and feature permissions for the user.

  • In the NSX Manager log bundle, you see entries similar to:

    14:08:22.722 GMT WARN http-nio-127.0.0.1-7441-exec-28 RemoteInvocationTraceInterceptor:87 – Processing of VsmHttpInvokerServiceExporter remote call resulted in fatal exception: com.vmware.vshield.edge.bridging.facade.BridgingFacade.getBridgingConfig
    core-services:254:User is not authorized to access object edge-XX and feature edge.bridging, please check object access scope and feature permissions for the user.
    at com.vmware.vshield.edge.bridging.service.BridgingServiceImpl.getBridgingConfig(BridgingServiceImpl.java:115)
    at com.vmware.vshield.edge.bridging.facade.BridgingFacadeImpl.getBridgingConfig(BridgingFacadeImpl.java:87)

Resolution

This is a known issue affecting NSX-v Manager 6.1.2 (Build 2318232).
Currently, there is no resolution. To work around this issue, configure Bridging via API calls.

The following REST call can be made to add a bridge:

Headers:
Content-Type: application/xml
Accept: application/xml

Authentication:
Basic: admin:default

PUT https://<nsxmanagerIPorFQDN>/api/4.0/edges/<edgeId>/bridging/config

<bridges>
<bridge>
<name>BRIDGE NAME</name>
<virtualWire>virtualwire-XX</virtualWire>
<dvportGroup>dvportgroup-XX</dvportGroup>
</bridge>
</bridges>

Note: You can look up the managed object IDs for the above XML in the vCenter Managed Object Browser:

  1. Open a web browser and navigate to the address: https://<vCenterIPorFQDN>/mob/
  2. Click on Content.
  3. Click on the rootFolder entry (normally named group-d1).
  4. Click on the childEntity named datacenter-XX. (The friendly name of the datacenter shows in braces beside the managed object ID.)
  5. Scroll down to the Network section.
     For the <dvportGroup> section, use the Managed Object ID from this screen.
     For the <virtualWire> section, use the virtualwire-## value embedded in the friendly name.

Note: For more information, see NSX for vSphere API Reference Guide.
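
The workaround above as a script: this is an added example, not code from the KB article or from VMware. It extracts the virtualwire-## ID from a port group's friendly name, validates the managed object IDs, builds the <bridges> body and prepares the PUT request without sending it. The host name, IDs, password placeholder and the friendly-name layout (vxw-dvs-..-virtualwire-..-sid-..) are assumptions made for the sample.

```python
import base64
import re
import urllib.request
from xml.etree import ElementTree as ET

# Expected shape of each managed object ID used by the bridging call.
MOID_RE = {
    "edge": re.compile(r"edge-\d+"),
    "virtualWire": re.compile(r"virtualwire-\d+"),
    "dvportGroup": re.compile(r"dvportgroup-\d+"),
}


def virtualwire_from_name(friendly_name):
    """Pull the virtualwire-## ID out of a port group's friendly name (MOB step 5)."""
    match = MOID_RE["virtualWire"].search(friendly_name)
    if match is None:
        raise ValueError("no virtualwire ID in %r" % friendly_name)
    return match.group(0)


def check_id(kind, value):
    """Reject anything that is not a well-formed managed object ID of this kind."""
    if not MOID_RE[kind].fullmatch(value):
        raise ValueError("bad %s ID: %r" % (kind, value))
    return value


def build_bridges_xml(name, virtual_wire, dvport_group):
    """Build the <bridges> body from the article; ElementTree escapes the name."""
    bridges = ET.Element("bridges")
    bridge = ET.SubElement(bridges, "bridge")
    ET.SubElement(bridge, "name").text = name
    ET.SubElement(bridge, "virtualWire").text = check_id("virtualWire", virtual_wire)
    ET.SubElement(bridge, "dvportGroup").text = check_id("dvportGroup", dvport_group)
    return ET.tostring(bridges, encoding="unicode")


def build_request(manager, edge_id, body, user, password):
    """Prepare (but do not send) the PUT with the article's headers and Basic auth."""
    url = "https://%s/api/4.0/edges/%s/bridging/config" % (manager, check_id("edge", edge_id))
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    headers = {"Content-Type": "application/xml", "Accept": "application/xml",
               "Authorization": "Basic " + token}
    return urllib.request.Request(url, data=body.encode(), headers=headers, method="PUT")


if __name__ == "__main__":
    # Constructed sample values: host name, IDs and friendly name are placeholders.
    vwire = virtualwire_from_name("vxw-dvs-21-virtualwire-7-sid-5001-Web-Tier")
    req = build_request("nsxmgr.example.test", "edge-3",
                        build_bridges_xml("Bridge & Co", vwire, "dvportgroup-42"),
                        "admin", "<password>")
    print(req.get_method(), req.full_url, req.data.decode(), sep="\n")
```

Passing the returned request to urllib.request.urlopen() sends it; certificate verification stays on by default, so the NSX Manager certificate has to be trusted by the client.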
