Symptoms
- You are unable to deploy vShield Edge from vCloud Director.
- You are unable to deploy vShield Edge from vShield Manager.
- The vShield Edge device gets deployed to vCenter Server, but after 8-10 minutes it is deleted.
- When you attempt to create a routed organization network, you see an error in the vCloud Director logs (located at /opt/vmware/cloud-director/logs/ on 1.0.x and /opt/vmware/vcloud-director/logs/ on 1.5.x and 5.1.x) similar to:

    Failed to initialize shield appliance-HTTP/1.1 400 Bad Request
    Code : 70913, Description : Internal error in communication with edge: Please retry.

- In the vShield Manager logs, you see entries similar to:

    EXCEPTION: com.bluelane.vfc.edge.exception.VixClientException,MESSAGE: Error while connecting to edge. Please retry.
    at com.bluelane.vfc.edge.VseVixAgent.handleResponse(VseVixAgent.java:684)
    at com.bluelane.vfc.edge.VseVixAgent.loginToVse(VseVixAgent.java:591)
    at com.bluelane.vfc.edge.VseVixAgent.processVixAgentError(VseVixAgent.java:515)
    at com.bluelane.vfc.edge.VseVixAgent.executeCommand(VseVixAgent.java:484)
    at com.bluelane.vfc.edge.VseVixAgent.execute(VseVixAgent.java:406)
    at com.bluelane.vfc.edge.VseService.getToolsStatus(VseService.java:799)
    at com.bluelane.vfc.edge.EdgeApplianceManager.waitForVMToolsToStartVix(EdgeApplianceManager.java:706)

  and

    localhost vShield_Edge_Vix_Client: [30459]: Error :: [], <vse vmx location> is not connected -- tools failed for (command-id : 9208)

Note: For information on gathering logs from vShield Manager, see Overview of vShield logs (1026255).
Resolution
This issue can occur if port 902 is blocked. When the vShield Edge device is deployed, it is first deployed over port 443 then converted to port 902. Without access to port 902, the vShield Edge device cannot be configured and is deleted from the vCenter Server after a set timeout period.

To resolve this issue, verify that port 902 is open from vCloud Director or vShield Manager to the VMkernel interface of the ESX/ESXi host.

If the vShield Edge device does not get deployed to the ESX/ESXi host, verify that port 443 is open between the vCloud Director or vShield Manager appliance and the VMkernel port of the ESX/ESXi host.

This requirement is stated in the vShield Administration Guide. vCloud Director and vShield Manager require these ports to be open:

Port            Description
TCP 902 & 903   Access to ESX/ESXi hosts
TCP 80 & 443    REST API
TCP 80 & 443    Graphical User Interface, connections to vSphere vCenter SDK
TCP 22          SSH access to the CLI (not enabled by default)
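
One way to run the two port checks described above from the vCloud Director cell and map the result to the matching symptom. This is an added example, not a VMware-supplied script; the function names and the script name in the comments are hypothetical, and it assumes bash and the coreutils timeout command are available on the machine running it.

```shell
#!/usr/bin/env bash
# Added example (not from the KB article). Hypothetical usage:
#   bash check_edge_ports.sh <ESX/ESXi VMkernel IP>
# Run it from the vCloud Director cell, i.e. from the side that must reach
# the VMkernel interface on TCP 443 and TCP 902.

# probe HOST PORT -> prints "open" or "blocked".
# Host and port are passed as positional arguments to the inner shell,
# never spliced into the command string.
probe() {
    if timeout 5 bash -c ': </dev/tcp/"$0"/"$1"' "$1" "$2" 2>/dev/null; then
        echo open
    else
        echo blocked
    fi
}

# diagnose STATE_443 STATE_902 -> one-line reading of the two probe results,
# following the two cases in the Resolution section.
diagnose() {
    case "$1/$2" in
        open/open)
            echo "443 and 902 reachable: the blocked-port cause does not apply" ;;
        open/blocked)
            echo "902 blocked: Edge deploys over 443, cannot be configured, is deleted after the timeout" ;;
        blocked/open|blocked/blocked)
            echo "443 blocked: Edge does not get deployed to the ESX/ESXi host" ;;
        *)
            echo "diagnose: expected open|blocked for each argument" >&2
            return 2 ;;
    esac
}

# Only touch the network when a target host is given on the command line.
if [ "$#" -ge 1 ]; then
    s443=$(probe "$1" 443)
    s902=$(probe "$1" 902)
    echo "TCP 443 to $1: $s443"
    echo "TCP 902 to $1: $s902"
    diagnose "$s443" "$s902"
fi
```

A "blocked" result only says the TCP connection did not complete within five seconds from this machine; confirm on the firewall between the two networks before changing rules.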