Loading...
Loading...
You are running any VMware NSX version between 3.2 to 4.1.2.You have configured VMware NSX integration with LDAP or vIDM and are logged in with one of these users.When accessing the NDR pages of the VMware NSX UI, it fails to load and displays a 400 Bad Request Request Header Or Cookie Too Large nginx/1.18.0 (Ubuntu) like below: The same error may also be seen in other UI pages for NSX Malware Prevention.
This issue is caused by large HTTP header size which the NDR components cannot process.It occurs when a LDAP or vIDM user is part of many groups.
This is a known issue impacting VMware NSX.
To work around this issue on an NSX installation, we will need to edit the configuration of two kubernetes "deployment" objects in the NSX Application Platform, in the nsxi-platform namespace: cloud-connector-proxycloud-connector-file-server Both of these deployments include an nginx server, that by default supports a maximum request header size of 8k.To increase this limit to e.g. 32k, we need to add the "large_client_header_buffers" option to the nginx configuration. In the commands below, the location of the <kubeconfig file> may vary depending on where NAPP was deployed.It may be /config/vmware/napps/.kube/config on the NSX manager.When NAPP is deployed, the napp-k alias should be setup and can be used instead on the NSX-T manager as root user, substitute 'kubectl --kubeconfig <kubeconfig file>' in the below commands with 'napp-k' if using napp-k. Before making changes to the deployments, we will save a copy of their current configuration to the file system: kubectl --kubeconfig <kubeconfig file> -n nsxi-platform get deploy cloud-connector-proxy -o yaml > cloud-connector-proxy.orig.yamlkubectl --kubeconfig <kubeconfig file> -n nsxi-platform get deploy cloud-connector-file-server -o yaml > cloud-connector-file-server.orig.yaml For this, we will apply the same change to both deployments, by using the "kubectl edit deploy" command: kubectl --kubeconfig <kubeconfig file> -n nsxi-platform edit deploy cloud-connector-proxykubectl --kubeconfig <kubeconfig file> -n nsxi-platform edit deploy cloud-connector-file-server Each of these commands will open an editor that allows us to modify the deployment.In both of these deployments, we should modify the section TILLER_YAML_PROXY_NGINX_SETTINGS, adding the following two lines: service_configs: large_client_header_buffers: "4 32k" In context, the modified section will look like this: - name: TILLER_YAML_PROXY_NGINX_SETTINGS value: | global: proxy: nginx: service_configs: large_client_header_buffers: "4 32k" server_name: "cloud-connector-file-server" Note: Make sure to indent the added lines correctly (with "service_configs" at same level as "server_name"). After the edits are saved, these deployments will be automatically restarted.Once the restart is complete the symptoms should be resolved. Note: This workaround may be reverted by certain configuration changes or upgrade operations, in which case it would need to be applied once again.
Click on a version to see all relevant bugs
VMware Integration
Learn more about where this data comes from
Bug Scrub Advisor
Streamline upgrades with automated vendor bug scrubs
BugZero Enterprise
Wish you caught this bug sooner? Get proactive today.