I'm noticing that whenever i go into the VAMI (? the port 5480 interface) and check the backup activity to make sure everything is still working, I'm having a hard time getting the data to show up. I've got one VCSA with 164 backups listed (only keep a rolling 30 days on disk though) and it can take a few page refreshes and clicking on another section and then back on the backup section before it loads and I can see ths history to make sure everything is reporting as complete and working as expected.

Anyone else seeing this or know how to make it load successfully the first time?

Per the walkthroughs I've watched and the documentation here (Transferring Data from an Existing vCenter Server Appliance), I know that you can choose to import the performance data in the background after the VCSA appliance is built and the identity, including IP address, is transferred over.  When the Migration Assistant is exporting the data in the first place, I made the assumption that vCenter is up and running during that time.  Is that true?  I have a very large database (>500GB) and the estimation tool for the vCenter 6.5 upgrade (VMware Knowledge Base) puts the export time at 9.5 hours so I wanted to be prepared if it was going to be down for the entire export process.

Thank you!

Troy

hi,

we recently upgraded our env (2 psc + 2 vc in linked mode) from 6.5u2 with external psc to 6.7u3 and then convereged the psc into the vc.

now i have issues with the certificates of the vc servers that still show the old psc's in the certificate, thus creating sso problems with vrops (even after i replaced the authentication source to point to the vc's), and i cannot login the vrops using sso (only with admin@vsphere...)

i want to know my options.

do i live like this and just swallow the frog?

should i replace the certificates with new self signed internal one?

should i generate certificate using our company internal CA (ad ca service)?

anything else?

thanks

mordechai

Hi. I have been trying to determine why a couple of my VCSA v6.5U3 appliances take several hours to VAMI backup. The DB is actually not that big at all. The final backup size is only about 4GB.

Doing some research I stumbled on some other threads that had huge space issues and how they truncated a couple of vpostgres tables.

The tables are.

vc.vpx_text_array

vc.vpx_task

We have the default level 1 statistics and the default 30 day tasks and events retention.

I wanted to test so I restored the VCSA backup to an isolated environment.

I truncated both tables and my backups run in minutes.

The problem is I am not sure what those tables exactly are. I assume the 2nd one is all the tasks, and I guess it wipes all the saved tasks no matter what the retention is. I have no idea what the first one.

I will of course open a ticket with VMware before I proceed in PROD, but I wanted to know what exactly those two tables are and if there are any downsides people experienced if they truncated these as well before I open a ticket with support.

Thanks,,,

Hello,

I want to install VCenter but i have not DNS and no Gateway. It's a full private network with Virtual Machines in Workgroup. The industrial software which will be installed doesn't not support Domain.

What should I put in the Following fields in my case :

- Default Gateway :

- DNS Server

Thanks

Good morning,

I tried to install vcenter server 6.7 on windows server 2019 (for many reasons it's better for me this method over appliance) and failed because of this error:

[ vminst-con.log extract ]

[Running] C:\Program Files\VMware\vCenter Server\firstboot\visl-support-firstboot.py

Result:

--------------------------

Failure

2020-02-24T11:42:55.341Z  Running command: ['C:\\Windows\\system32\\icacls.exe', 'C:\\ProgramData\\VMware\\vCenterServer\\cfg/vmware-rhttpproxy/ssl', '/grant:r', '*S-1-5-18:(OI)(CI)(F)', '/grant:r', '*S-1-5-32-544:(OI)(CI)(F)', '/inheritance:r', '/L', '/Q']

2020-02-24T11:42:55.404Z  Done running command

2020-02-24T11:42:55.404Z  Running command: ['C:\\Windows\\system32\\icacls.exe', 'C:\\ProgramData\\VMware\\vCenterServer\\cfg/vmware-rhttpproxy/ssl\\*', '/reset', '/T', '/L', '/Q']

2020-02-24T11:42:55.435Z  Done running command

Error Code : 1021

It seems a strange permission problem but I cannot understand it as I'm running setup with an Administrative user.

I shortened here the log for convenience but if needed I can share more of it.

Has anyone any suggestion?

Thank you

Matteo

Hi to All

I want to config Vcenter HA but when click 'SETUP VCENTER HA' get this error:

"The object ManagedObjectReference has already been deleted or has not been completely created"

vcenter 6.7.0 42000

3 esxi host 6.7

can anyone one help?

thanks.

Hi,

ESXi 6.5

VCSA 6.7

I notice since I upgraded VCSA from 6.5 to 6.7, every time I go to a VM's summary page in the HTML5 client, it takes a while to load the bottom half of the page which includes "VM Hardware", "Notes", "Custom Attributes", etc. Is there anyone else having the same issue?

Thanks,

Hi Gems,

Unable to update the  VCSA  form VAMI . Can anyone face this ?

I'm stuck in some kind of certificate netherworld.  I've run certificate manager to create a new key and csr per these instructions, choosing options 1 and 1.

https://samsig.dk/getting-a-valid-certificate-on-your-vmware-vsphere-vcenter-6-7/

When I use our certificate portal and pasted my csr into the certificate csr field, I got a message that the alternative email is invalid. The portal itself has a required email field, so I decided to go back through the cert setup and leave the email blank. The setup wants to use the existing certool.cfg or quit. I ran through it and tried to overwrite the email entry with a blank, but that didn't work. I tried to use the certool command to overwrite the email entry with a blank, but I get an error when I try to do that. I renamed the certool.cfg file in the config folder to .old, but the certificate manager still sees all of the previous info that I entered, including the email entry I want to ditch.

Is there another certool.cfg file that I need to look for somewhere? Should I delete the one that I renamed? Any other options?

Thanks.

Anyone know why a 6.7 vCenter appliance would fail to accept new solution user certificates in both the UI and the CLI (Certificate-Manager)?

Specifics:

- 6.7U3C vCenter appliance in Enhanced-Linked mode

- Machine SSL certificate replaced without issue

- The VPXD, VPDX-extension, machine, and vsphere-webclient certificates will not replace

- There are no wild cards in the certificates [SANs or CNs, etc.]

- All of the vCenters in the environment have the same certificate templates and are the same, but they were upgraded to 6.7. This one is new.

The certificates were generated using open-ssl.

The template uses 4096, what should be the proper enhanced attributes, includes the corresponding type in the CN [e.g. machine-FQDN, VPXD-FQDN, etc.].

This is really odd.

GB

According to vSphere Basic System Administration, section SNMP and vSphere, VMWARE-VC-EVENT-MIB, vCenter can send out SNMP traps for diagnostic purposes

a) on request

b) on a periodic basis

"The vCenter Server SNMP agent sends this trap when vCenter Server starts or is restarted, or when a test notification is requested. vCenter Server can be configured to send this trap periodically at regular intervals."

Does anyone know how to do so? The manual says it can be done, but doesn't explain how to (neither the on demand nor the periodic one). I know that I can manually trigger an alarm (e.g. on VM power state), but now that I stumbled upon the test trap description it seems as if there should be a more straight-forward way (and even one which can be used to periodically verify the vCenter trap handling).

I generated a CSR through the vCenter web interface (Administration>Certificate Management>Machine SSL Certificate>Actions>Generate CSR). I submitted the csr and got the certificate back, but I need the private key file. Can anyone tell me where on the vcenter server the csr generation process would have put that by default? Most of the documentation I've seen is for the certificate manager command and uses a switch for the file location, but there isn't much documentation for the web client.

Thanks.

Hi,

I can't Open virtual Machine folder from <vCenter-Address>/Folder  url. actually it returns 500 error. My vCenter appliance version is 6.7 with build number 15129973.

Based on screenshot that I attached, I can just forward to this step, thus when I open VM folder, faced with 500 Error.

Note: It's worked on vCenter 6.5 and we can see all contents in virtual machine's folder such as *.nvram , *.vmdk , *.vmx and etc.

Also you can see error log as below:

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

2020-01-13T13:11:19.811+03:30 info vpxd[04730] [Originator@6876 sub=HTTP server /folder req=00007f29304b6520 user="username"] Got HTTP GET request for /folder/VM?dcPath=Cloud01&dsName=STOR01

2020-01-13T13:11:19.811+03:30 info vpxd[06403] [Originator@6876 sub=vpxLro opID=req=00007f29304b6520-72] [VpxLRO] -- BEGIN lro-3515974 -- SearchIndex -- vim.SearchIndex.findByInventoryPath -- 52cfad26-7ad3-4e5b-2043-1624611f432f(52710809-3213-0d6c-0b4c-972d37b06d37)

2020-01-13T13:11:19.811+03:30 info vpxd[06403] [Originator@6876 sub=vpxLro opID=req=00007f29304b6520-72] [VpxLRO] -- FINISH lro-3515974

2020-01-13T13:11:19.814+03:30 info vpxd[05837] [Originator@6876 sub=vpxLro opID=req=00007f29304b6520-78] [VpxLRO] -- BEGIN lro-3515977 -- ServiceInstance -- vim.ServiceInstance.retrieveContent -- 52cfad26-7ad3-4e5b-2043-1624611f432f(52710809-3213-0d6c-0b4c-972d37b06d37)

2020-01-13T13:11:19.814+03:30 info vpxd[05837] [Originator@6876 sub=vpxLro opID=req=00007f29304b6520-78] [VpxLRO] -- FINISH lro-3515977

2020-01-13T13:11:19.814+03:30 info vpxd[04769] [Originator@6876 sub=vpxLro opID=req=00007f29304b6520-10] [VpxLRO] -- BEGIN session[52cfad26-7ad3-4e5b-2043-1624611f432f]521e6dcc-4dc6-303e-a3d1-0433918449b8 -- datastoreBrowser-datastore-4981 -- vim.host.DatastoreBrowser.search -- 52cfad26-7ad3-4e5b-2043-1624611f432f(52710809-3213-0d6c-0b4c-972d37b06d37)

2020-01-13T13:11:19.950+03:30 info vpxd[04769] [Originator@6876 sub=vpxLro opID=req=00007f29304b6520-10] [VpxLRO] -- FINISH session[52cfad26-7ad3-4e5b-2043-1624611f432f]521e6dcc-4dc6-303e-a3d1-0433918449b8

2020-01-13T13:11:19.954+03:30 info vpxd[04805] [Originator@6876 sub=vpxLro opID=2a15e0ea] [VpxLRO] -- BEGIN lro-3515982 -- nfcService -- vim.NfcService.fileManagement -- 52cfad26-7ad3-4e5b-2043-1624611f432f(52710809-3213-0d6c-0b4c-972d37b06d37)

2020-01-13T13:11:19.960+03:30 info vpxd[04805] [Originator@6876 sub=vpxLro opID=2a15e0ea] [VpxLRO] -- FINISH lro-3515982

2020-01-13T13:11:20.363+03:30 info vpxd[04832] [Originator@6876 sub=vpxLro opID=261383c] [VpxLRO] -- BEGIN lro-3515983 -- ServiceInstance -- vim.ServiceInstance.retrieveContent -- 52c73ce5-b7e7-aa11-0597-256845c498b3(52505850-89cb-d5d4-5992-573892659c55)

2020-01-13T13:11:20.364+03:30 info vpxd[04832] [Originator@6876 sub=vpxLro opID=261383c] [VpxLRO] -- FINISH lro-3515983

2020-01-13T13:11:20.364+03:30 warning vpxd[04807] [Originator@6876 sub=Default] [NFC ERROR] Received fileIO error 2 from server: A file error was encountered -- NfcFssrvrRead: failed to read 73728 bytes @ 0 : Error

-->

2020-01-13T13:11:20.364+03:30 error vpxd[04807] [Originator@6876 sub=HTTP server /folder] NfcFssrvr_IO returned 4, fileIOErr: 2

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Actually it should open vm folder and show some thinng like thise :

Whould you please help me in this regard?

Thank you in Advance

Whenever I try to connect to our VCentre server the first time it always fails. It's a virtual appliance which was upgraded from V5 to V6.0 about a year ago (not by me). The first time I try to connect to it with my browser (any one - I have tried a few) I ALWAYS just get a spinning wheel. I end up having to close the browser window, and try again. It always works the second time. When I say 'the first time' I don't mean 'the first time I try on any given day', I mean the first time I open a browser and try to connect. If I close my browser, and then need to log in again later in the day, the same thing happens. The same thing is starting to happen with VMs - quite often I will try to RDP to a VM and nothing happens. I close the RDP client and try again and it works. We are also getting issues where Veeam One regularly loses it's connection.

I'm a bit of a know-nothing as far as Vmware is concerned, so can anyone give me some hints as to where I should be looking to resolve this?

We are planning vSphere farm upgrade from 6.0U2 to 6.7U2 or higher. currently,there are 3 vcneter instances (3sites) with all external PSC joined one single SSO domain that allows enhanced linked mode.

what will be the upgrade sequence of different sites (PSC,vCenter,SRM).our ultimate goal is to get rid of external PSC and upgrade to embedded PSC with vCenter for all sites without loosing linked mode feature

Hi,

Our vCenter 6.7 appliance has been running fine for a few months. Since today though, SSO users can't login.

(SSO identity source is LDAP, which seems to be running OK)

When I try to investigate.

- I can login to the server on port 5480 as Administrator@vsphere.local OK, and the dashboard for SSO, only says 'vsphere.local' and Status 'Running', and no options to edit.

- But when I try to login to the vSphere UI as Administrator@vsphere.local  to check if I have lost my SSO settings, I get this error.

A server error occurred.

[400] An error occurred while processing the authentication response from the vCenter Single Sign-On server. Details: Status: urn:oasis:names:tc:SAML:2.0:status:Responder, sub status: urn:oasis:names:tc:SAML:2.0:status:RequestDenied.

Check the vSphere Web Client server logs for details.

Shouldn't I be able to login as the local administrator ? even without a SSO service - what am I doing wrong ?

I can login to the appliance as root via ssh, but not sure which are the relevant logs

Thanks

I have two vCenter servers and I am in the middle of consolidating down to one. I have roughly 20 VMs left to move.

Source vCenter is 6.5.0.30000

Target vCenter is 6.7.0.40000

They are on completely separate hardware in different datacenters, safe for one common LUN.

My process in the past has been to move the VM to the shared LUN, unregister from the source vCenter and reregister on the target vCenter. Once there, I power up the VM, fix any networking issues and storage vMotion the guest to the desired location.

I am running into issues after the re-register where I cannot move the VM to other storage (Failed waiting for data. Error 195887107) or am unable to power on the VM (NVRAM: open failed: incorrect version.)

VMWare support has been less than helpful.... to say the least.

Am I doing something that SHOULD work? I have had success using the Cross vCenter vMotion FLING and cloning the VM from a powered off state, but it would speed the process up immensely if the method I outlined above would work.

I appreciate any feedback that could help.

"Check the network settings and make sure you have network access to the identity source."

Backstory:

I opened a ticket with vmware support on 1/31/2020 because "something" was logging into 4 out of 6 esxi hosts in my DR cluster, and it was failing. The error is "Cannot login administrator@vsphere.local@(IP of our DR Veeam NAS repository)", and happens every 2 to 3 minutes.

I opened a ticket with Veeam; they can't find the issue. Opened a ticket with vmware; they can't find the issue.

In the meantime, something *else* went wrong on the 20th; my DR cluster (the one getting the failed login attempts) lost all its permissions except for administrator@vsphere.local. Yet the production VCSA has all it's permissions in tact. So if I log in as myself, I *only* see the production datacenter; if I log in as administrator@vsphere.local, I see both production and DR datacenters.

Current Story:

And now, the subject of this post: now when we try to add an identity source, the get the error "Check the network settings and make sure you have network access to the identity source."

BUT: when I putty into both the VCSAs, I can ping all our domain controllers, all the esxi hosts, and the other vcsa. No issues; no dropped packets.

Doesn't matter what version of identity source we try to add (AD, AD over LDAP, LDAP), we get the same error.

• We've upgraded both VCSAs to the latest (6.7.0.42100), with no changes.
• Both VCSAs are joined to our domain.
• The SSO domain is NOT the same name as our domain.

It seems like the answer is going to be soooo simple...but nobody seems to be able to find it.

Any ideas? Or hints?

Hello,

The Mac OSX Catalina impose new rules on the certificates and/or Google Chrome.

When using Chrome i get a NET::ERR_CERT_REVOKED, and i can't override. If using Safari or Firefox it works.

i've added the Root CA in the osx trusted list, but still Chrome refuse to obey. (yes, there is a hack in chrome to bypass but its not nice)

anyhow: my actual question is, can i regenerate the root ca, with all the rules imposed by Catalina?

looking around the vcenter i can generate the root ca on another machine, then import it in the Certificate Manager, and hopefully it will propagate and the re-issue all the esxi certs.

it should work?

A nicer way would be that at the next vcenter upgrade (ah i'm using 6.5 latest update in 2019) to include this process (i think)

would an upgrade to vcenter 6.7 solve this issue?

The certif rules are:

"Apple has introduced a series of new requirements for SSL certificates to be accepted by Catalina, documented at https://support.apple.com/en-us/HT210176. To summarize here:

• Key size must be at least 2048 bits.
• Hash algorithm must be SHA-2 or newer.
• DNS names must be in a SubjectAltName, not in the CN field only.

For certificates issued after 2019-07-01:

• The ExtendedKeyUsage extension must be present, with the id-kp-ServerAuth OID.
• The validity period may not be longer than 825 days."

Cheers and a Happy New Year!!!!

Ciprian