Monday 16 January 2017

Register Nexus 1000v VSM with vCenter 6.5

We upgraded our vCenter to 6.5 a few weeks ago. As part of the upgrade, one of our Nexus 1000V switch VSMs lost contact with vCenter - running 'show svs connection' from the 1000V CLI reported a connection state of 'Disconnected'. Cisco's documentation on resolving this suggests you try a manual disconnect/reconnect (on the VSM, go to 'svs connection connection-name' then do 'no connect' followed by 'connect'), then if that doesn't work, unregister and re-register the extension. Unfortunately, their instructions for re-registering the extension depend on the legacy C# vSphere client, which won't connect to a server running vCenter 6.5. I therefore came up with the following process, using a slight runtime hack to the vCenter Managed Object Browser web UI...
  1. Go to https://<your-vcenter>/mob/?moid=ExtensionManager in Google Chrome.
  2. Look through the list of extensions in 'Properties' at the top (click the 'more' link to expand if necessary) to find the identity of your current Nexus 1000V extension - it should be called 'Cisco_Nexus_1000V_' followed by a number - and note it down.
  3. In the 'Methods' section, click the link to UnregisterExtension - a new window should pop up. Enter the full name of your extension into the extensionKey field, then click the Invoke link. It should return 'void', which means it worked. Close the popup then refresh the ExtensionManager page to check your Nexus 1000V extension is gone.
  4. Go to http://<VSM-IP>/ in a browser and click the link to download the cisco_nexus_1000v_extension.xml file.
  5. Open the XML file in a text editor. You'll need to refer to the listed 'key' (which should match the identity of the extension you unregistered earlier) and the 'certificate' at the bottom.
  6. Back on the ExtensionManager web page, click the link at the bottom to 'RegisterExtension'. In the popup window, replace the contents of the 'Value' box with the following, replacing the Key with the one from your XML file:
<extension>
  <description>
    <label></label>
    <summary></summary>
  </description>
  <key>Cisco_Nexus_1000V_somenumber</key>
  <version>1.0.0</version>
  <server>
    <url></url>
    <description>
      <label></label>
      <summary></summary>
    </description>
    <company>Cisco Systems Inc.</company>
    <type>DVS</type>
    <adminEmail></adminEmail>
  </server>
  <client>
    <version>1.0.0</version>
    <description>
      <label></label>
      <summary></summary>
    </description>
    <company>Cisco Systems, Inc.</company>
    <type>DVS</type>
    <url></url>
  </client>
  <lastHeartbeatTime>1970-01-01T00:00:00Z</lastHeartbeatTime>
</extension>
  7. Click the 'Invoke' link - again, you're looking for a return of 'void'. If you don't get this, double-check what you pasted into the box and try again. Close the popup when you're done.
  8. We now need to tell vCenter the thumbprint of the certificate that the Nexus 1000V extension will be using to authenticate. To do this, back in the ExtensionManager window, click the link to the 'SetExtensionCertificate' method.
  9. This is the part where we need to be slightly clever. The default form has a one-line input field for certificatePem, but we need to change this into a multiline field or else the certificate data won't be accepted. To do this, hit F12 to open Chrome's Developer Tools. On the Elements tab, drill down through html > body > form > table > tbody and expand the third tr, then the last td - you should see
    <input name="certificatePem" value type="text">
    Double-click the word 'input' and you'll be able to edit it - change it to 'textarea', then click off the editor. The certificatePem field should now render as a multi-line text box.
  10. Now, you just need to enter your extension name (Cisco_Nexus_1000V_somenumber) into the extensionKey field, and paste the multi-line certificate data from your extension XML file (including the BEGIN CERTIFICATE and END CERTIFICATE lines) into the certificatePem field, then click the Invoke link. Again, you're expecting to get 'void' back from this.

Assuming this all worked correctly, you should now be able to repeat the 'no connect' / 'connect' cycle on the VSM and it'll reconnect.
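
For steps 5 and 10, the following is an added example (not from the original post or from Cisco) that pulls the key and certificate out of the downloaded extension XML, checks the key against the naming described in step 2, and prints the certificate's fingerprints so the value being pasted can be recorded and compared. Since the file in step 4 is fetched over plain HTTP, that comparison is worth making. The wrapper element names in the sample and the assumption that the first 'key' and 'certificate' elements are the ones wanted are illustrative; the sample certificate bytes are a constructed placeholder.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

KEY_RE = re.compile(r"Cisco_Nexus_1000V_\d+")  # naming described in step 2
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def read_extension(xml_text):
    """Return (key, pem, fingerprints) from the extension XML text."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("unexpected DOCTYPE in extension file")
    found = {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]  # ignore any XML namespace
        # Assumption: the first <key>/<certificate> are the extension's own.
        if name in ("key", "certificate") and name not in found:
            found[name] = (el.text or "").strip()
    key = found.get("key", "")
    if not KEY_RE.fullmatch(key):
        raise ValueError(f"unexpected extension key: {key!r}")
    m = PEM_RE.search(found.get("certificate", ""))
    if not m:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    # Re-wrap at 64 columns so the value pastes cleanly into the textarea.
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    pem = "\n".join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"])
    fps = {alg: ":".join(f"{b:02X}" for b in hashlib.new(alg, der).digest())
           for alg in ("sha1", "sha256")}
    return key, pem, fps


# Constructed sample: placeholder bytes stand in for the DER certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate " * 3
SAMPLE_XML = (
    "<extensionData><obj><key>Cisco_Nexus_1000V_123456789</key>"
    "<certificate>-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----</certificate></obj></extensionData>"
)

if __name__ == "__main__":
    key, pem, fps = read_extension(SAMPLE_XML)
    print(key, fps["sha1"], fps["sha256"], pem, sep="\n")
```

To use it on a real file, pass the contents of cisco_nexus_1000v_extension.xml to read_extension() in place of SAMPLE_XML.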