Channel: VMware Communities : All Content - vCenter™ Server
Viewing all 5185 articles

VCSA 6.5.0.32200 to VCSA 6.7U3b Upgrade - Back in Time Upgrade Restriction According to Upgrade Matrix

I am planning on upgrading my 4-host vSAN cluster from 6.5 to 6.7.  Currently, my VCSA sits at level 6.5.0.32200 build# 15679215. It's the latest for the version.  I wanted to upgrade to VCSA 6.7U3b, but have run into a snag.  It seems that because the VCSA 6.7 version is older (December 2019) than my current 6.5 VCSA version (February 2020), it is not recommended to upgrade due to "Back in Time Upgrade Restrictions".

 

Obviously, I won't do this upgrade now as things stand.  I'm not even sure if it's possible or if the upgrade will know the date and end the process.  Anyway, is there a way to find out when another update will be available for VCSA 6.7 so that I actually can upgrade?  Is there any sort of release cycle for VCSA?

 

Appreciate the input.  Thx.


VCSA 6.7 U3b unable to invoke installation due to vcsa is not ready check if rpm installation is completed

Hi all,

I'm trying to load the OVF file to set up VCSA 6.7 U3b on ESXi 6.7U3b (ESXi is on Player). I have 16 GB memory and 4 vCPUs.

When I go to https://VCSA-IP:5480, it showed "Waiting for RPM installation to finish (84% done)"; after waiting for a long time it finally completed. (Actually I don't know whether it finished or not; there is no message showing whether it succeeded or failed.)

In the last step of setup, it showed "unable to invoke installation due to vcsa is not ready check if rpm installation is completed". I have asked friends who are experienced in VCSA installation, but they have never met this problem.

Besides, I have not set up an NTP server, because my friends said they never set up an NTP server for VCSA installation.

 

Could anybody please give me some suggestion?

 

Thanks a lot.

Plugin Errors after upgrading vCenter to 6.7.0.42200

Hi all

 

We have recently upgraded vCenter to 6.7.0.42200 (Build 15679281). Everything seems to work fine, except for a few plugins which won't install/register:

 

We get the following errors after logging in to the vCenter:

 

The deployment of plug-in VMware vRops Client Plugin 6.7.0.42000 has failed: Download of package: com.vmware.vrops.install:6.7.0.42000 failed. See the logs for more details.

 

The deployment of plug-in VMware vSAN H5 Client Plugin 6.7.0.42000 has failed: Download of package: com.vmware.vsphere.client.h5vsan:6.7.0.42000 failed. See the logs for more details.

 

The deployment of plug-in VMware vSAN Web Client Plugin 6.7.0.42000 has failed: Download of package: com.vmware.vsan.health:6.7.0.42000 failed. See the logs for more details.

 

 

 

 

At the Plugin-Site they are showing not started and with the following error message:

Error downloading plug-in. Make sure that the URL is reachable and the registered thumbprint is correct. java.io.IOException: Server returned HTTP response code: 503 for URL: https://***:443/vsanHealth/plugins/vropsPlugin.zip sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1900)

 

Error downloading plug-in. Make sure that the URL is reachable and the registered thumbprint is correct. java.io.IOException: Server returned HTTP response code: 503 for URL: https://***:443/vsanHealth/plugins/vsan-client.zip sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1900)

 

Error downloading plug-in. Make sure that the URL is reachable and the registered thumbprint is correct. java.io.IOException: Server returned HTTP response code: 503 for URL: https://***:443/vsanHealth/plugins/vsan-h5-client.zip sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1900)

 

We also saw in the VMware Appliance Management that the "vSAN health Service" is not started.

Is there a known issue? Or how do we get those plugins working again?

 

Thank you for your help

Best regards

Christian

DNS on VCSA returning link-local address

Hello

 

Trying to figure out a DNS issue on a vCenter appliance. If I do an nslookup domain.com on my appliance, I get all my (4) IPv4 DNS servers, but I also get one resolved to 169.254.61.192

 

There is only 1 interface on the system; ip a s shows only 127.0.0.1 and my regular IPv4 10.0.0.1

 

cat /etc/resolv.conf lists 127.0.0.1 and 10.0.0.2

 

The only difference I see is when I list all my servers not using dnsmasq

 

nslookup domain.com @10.0.02

I get the proper IPv4 servers plus 1 IPv6 address

 

Could dnsmasq be taking the IPv6 address and returning the 169.254.61.192 in its place?

 

If so, is there a way to stop this?

 

thanks

Domain\Guest VM Admins has Virtual Power User Global permissions

I have an Active Directory group called Guest VM Admins.  It currently cannot log on.  I have given Domain\Guest VM Admins the Virtual Power User Global permissions.  As far as Single Sign-On goes, what is your best group in Single Sign-On to ensure this AD group can log in?  I added a group called GVM in Single Sign-On Groups and added the Guest VM group, and the users in the group still cannot log on.

VCSA 6.0 -> 6.5 CLI Upgrade Fails at 58% with Vmware VirtualCenter failed firstboot.

We have a 6.0 vCenter Server Appliance with two external PSC [all 6.0.0.30800 build 9448190 / 6.0 Update 3h] we are attempting to upgrade to 6.5 U2e build 11347054.

 

We've been completely unsuccessful trying to use the GUI updater, as for some unknown reason the GUI upgrader will not connect to the vCenter/PSC during the initial connection in Stage 1.

 

However, with the CLI upgrader using a .JSON file, we've upgraded the PSCs (two external PSCs) without issue.

 

The vCenter Server Appliance, however, fails to upgrade with an error at 58%:

 

Progress: 58% Starting VMware vCenter Server...

 

Error:

 

     Problem Id: install.vpxd.action.failed

     Component key: vpxd

 

     Detail:

          Vmware VirtualCenter failed firstboot.

          An error occurred while invoking external command : 'Command: ['/usr/sbin/vpxd', '-L'] Strerr: '

 

     Resolution: Please search for these symptoms in the VMware Knowledge Base.....

...

     vCSACliInstallLogger - DEBUG - Running command on vm [new vCenter name]: /bin/bash --login -c 'ls `install-parameter upgrade.import.directory` /system-data/revert_networking.py'

     vCSACliInstallLogger - DEBUG - Running command on vm [new vCenter name]: /bin/bash --login -c '/opt/vmware/bin/python `install-parameter upgrade.import.directory` /system-data/revert_networking.py'

     vCSACliInstallLogger - ERROR - Fail to revert the target vm IP address: Failed to run and wait for command in guest with error 'Command '[u'/opt/vmware/bin/python', u'`install-parameter upgrade.import.directory`/system-data/revert_networking.py']' exited with non-zero status 1'

 

We were able to find a KB with the 'Command: ['/usr/sbin/vpxd', '-L'] Strerr: ' issue listed, and it seems to refer to duplicate vDS and vDPG names.  However we were not able to find any dupes.

 

(KB 2147547 for the vDS / vDPG issue: VMware Knowledge Base and a related one showing how to connect to postgres VMware Knowledge Base KB 2147285.)

 

There is only one additional issue seen in the vcsa-installer.log.  We see a message "Failed normalizing ip: [FQDN of the vCenter being upgraded]"

 

Does anyone have any ideas on this one?

Preparing for upgrade to 6.7 VCenter

Salutations!!!

 

We have a 6.5 test vCenter with 3 hosts.  I want to take one, install 6.7 vCenter on a VM on the host, then upgrade the host to 6.7.  So then I will be able to test migrating our existing 5.5-6.5 production vCenters to our new 6.7 production vCenter.

 

My question is, when I remove a Host from the existing VCenter, will it lose all of its storage and network configurations?

OK, my next question is, should I just install VCenter 6.7 on a VM on the current host, power the VM off, remove the host from 6.5 vcenter, power on the isolated VM, and add the host to 6.7? (Could it be that easy?  I guess it depends on the 1st question)

 

It currently has an Uplink port group, several Distributed Port Groups, and a few Standard networks, and one distributed switch.  I'm assuming I may need to tweak the switch a bit.  maybe?

 

Thanks all!

Script Src Integrity Check help

Hi everyone,

 

I have an interesting issue on a 6.5 VCSA (build 15259038) in our stage payment processing environment that is being flagged by our security team from a Nessus vulnerability scan. Interestingly, we have an allegedly "identical" VCSA in our production payment processing environment that is not being flagged for the same vulnerability.

 

Most of the time when Nessus flags a vulnerability, it's clear enough what needs to be done on the system. This one however, has been so vague that no one on our systems team or our security team can really unpack what it's asking for. Here's the error:

 

Description:

The remote host may be vulnerable to payment entry data exfiltration due to javascript included from potentially untrusted and unverified third parties script src.

 

If the host is controlled by a 3rd party, ensure that the 3rd party is PCI DSS compliant.

 

Solution:

Set script integrity checking on target script or remove target script.

 

See Also:

http://www.nessus.org/u?c9e76c4f

https://www.w3.org/TR/SRI/

http://www.nessus.org/u?f39144f8

 

Output:

Path :

Attributes :

  - src :

 

Port

443/tcp/www

 

I'm all for removing whatever target script it is referring to, but as you can see the path is blank, so I'm not really sure where to go with that. The only script I can think of on the VCSA that would be non-standard is the TLS reconfiguration script we used to disable TLS 1.0 and 1.1. I never removed the script from the appliance, but that script's also present on the production appliance (again, no detected vulnerabilities on the production one), so that doesn't seem like the right path to follow.

 

At the moment, I've taken an 'ls' recursing into the entire tree on both VCSAs and I'm using PowerShell to compare them, but I think that script is going to take a while (comparing two 70M text files takes some time), so I thought I'd throw it out to the community and see if anyone has any ideas.

Thanks for your time!
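
The finding quoted in the post above cites the W3C Subresource Integrity spec. As an added example (not from the post, Tenable or VMware), this Python code audits a saved copy of the page served on port 443 for `<script src>` tags that load from another origin without an `integrity` attribute, and computes the value that attribute would carry. The sample HTML and hostnames are constructed, and it is an assumption that the scanner applies a comparable check.

```python
"""Audit <script src> tags for Subresource Integrity (SRI) coverage."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def sri_value(script_bytes, alg="sha384"):
    """Return the string for integrity="..." (W3C SRI: <alg>-<base64 digest>)."""
    digest = hashlib.new(alg, script_bytes).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def _origin(url):
    """Reduce a URL to its (scheme, host, port) origin triple."""
    parts = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), parts.port or default_port)


class _ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attr_map = dict(attrs)
            if attr_map.get("src"):
                self.scripts.append(attr_map)


def audit_scripts(page_url, html):
    """Return one finding per external script; 'flag' is True when the script
    is cross-origin and has no integrity attribute."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        resolved = urljoin(page_url, attrs["src"])
        cross_origin = _origin(resolved) != _origin(page_url)
        has_sri = bool((attrs.get("integrity") or "").strip())
        findings.append({
            "src": resolved,
            "cross_origin": cross_origin,
            "integrity": attrs.get("integrity"),
            "flag": cross_origin and not has_sri,
        })
    return findings


# Constructed sample page; hostnames are placeholders, not from a real VCSA.
SAMPLE_URL = "https://vcsa.example.test/ui/"
SAMPLE_HTML = """
<html><head>
<script src="/ui/app.js"></script>
<script src="https://cdn.example.test/lib.js"></script>
<script src="https://cdn.example.test/pinned.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>var inline = 1;</script>
</head></html>
"""

if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_URL, SAMPLE_HTML):
        status = "FLAG" if finding["flag"] else "ok  "
        print(status, finding["src"], finding["integrity"] or "-")
    print(sri_value(b"var example = 1;"))
```

Running the same audit over the login page HTML saved from both appliances shows whether the flagged one references a script the other does not.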


Can't login to Appliance Management

I have a vCenter v6.5 where I can log in with root to the console, but I cannot log in to Appliance Manager. I get "Unable to authenticate. Try again." I did a passwd but that did not help.

 

chage -l root

Last password change                                    : Mar 27, 2020

Password expires                                        : Mar 27, 2021

Password inactive                                       : never

Account expires                                         : never

Minimum number of days between password change          : 0

Maximum number of days between password change          : 365

Number of days of warning before password expires       : 7

 

 

Any idea how to fix this?

Is it OK to upgrade to vSphere 6.7 whilst leaving the hosts on 6.5 still?

I have x2 PSC and x2 vCenter appliances running in linked mode across two separate sites.  I'm planning the upgrade now; however, my concern is that our hosts (mainly IBM UCS M3/4 series B200 blades) don't have a 6.7 vendor image.  I don't really want to put us in a situation where either VMware or Cisco UCS won't support our configuration.  Is it OK to leave them on 6.5U1 long term? I know it's a supported configuration short term at least, but I don't know about long term.

 

Also, as a bonus question, does it matter which site I upgrade first?  I will be proceeding with the Platform Services Controllers, then the vCenter servers, but I'm not sure if it matters whether I proceed with the large site or the small site first. I don't believe linked mode runs as a primary or master config, but I could be wrong.

VCSA 6.7 U3 Deploy From Template w/Customization - stuck at Select Networks

Since upgrading from U2 to U3 I'm unable to deploy from a library template if I use a customization spec, it won't go further than the Select Networks screen. 

 

  • Deploying from a datastore template works fine, even when using a customization spec.
  • Deploying from a library template works fine if I don't use a customization spec.
  • I've created a new customization spec (from scratch, not duplicating an existing spec) and the problem persists.
  • This is only an issue in the HTML5 client - everything works fine in the Flash client. 
  • Tested IE 11 and the latest version of Chrome with the same results.

 

Has anyone else seen this issue?

 

The Reset all Certificates option in the certificate-manager stops with an access denied error (0x16c9a0f6)

Hi,

 

I recently rebooted my vcsa appliance and after waiting a while for all services to start up my VMware vSphere Web Client started showing the following error message:

 

503 Service Unavailable (Failed to connect to endpoint: [N7Vmacore4Http20NamedPipeServiceSpecE:0x000055fcde997a60] _serverNamespace = / action = Allow _pipeName =/var/run/vmware/vpxd-webserver-pipe)

 

I took a look at rhttpproxy.log file and it showed the following output:

 

 

2019-03-11T14:07:23.814+01:00 warning rhttpproxy[11879] [Originator@6876 sub=Default] Failed to connect socket; <io_obj p:0x00007f98b0001fa0, h:19, <TCP '127.0.0.1 : 36346'>, <TCP '127.0.0.1 : 8089'>>, e: 111(Connection refused)

2019-03-11T14:07:23.814+01:00 warning rhttpproxy[11879] [Originator@6876 sub=Proxy Req 00601 Tunnel] Error connecting tunnel on TCP socket: (null): Connection refused: The remote service is not running, OR is overloaded, OR a firewall is rejecting connections.

2019-03-11T14:07:29.139+01:00 warning rhttpproxy[11871] [Originator@6876 sub=Default] Failed to connect socket; <io_obj p:0x00007f98a80172d8, h:19, <UNIX ''>, <UNIX '/var/run/vmware/vpxd-webserver-pipe'>>, e: 111(Connection refused)

2019-03-11T14:07:29.139+01:00 warning rhttpproxy[11871] [Originator@6876 sub=Proxy Req 00602] Connection to named pipe /var/run/vmware/vpxd-webserver-pipe failed with error N7Vmacore15SystemExceptionE(Connection refused: The remote service is not running, OR is overloaded, OR a firewall is rejecting connections.)

--> [context]zKq7AVECAQAAAPJSnAAOcmh0dHBwcm94eQAAlLAqbGlidm1hY29yZS5zbwAAIDcbAG67GAD35yIAPIwlAISUJQAasSUA4bolAGlRIwChHiMAaiEjAB0IKwHUcwBsaWJwdGhyZWFkLnNvLjAAAp2MDmxpYmMuc28uNgA=[/context].

 

 

Which according to VMware Knowledge Base means that there is a certificate error. When I try resetting all certificates using /usr/lib/vmware-vmca/bin/certificate-manager, the following error message appears:

 

Status : 0% Completed [Reset Root Cert...]                 

Using config file : /var/tmp/vmware/root.cfg

Error: 382312694, VMCAAddRootCertificatePrivate() failedError: 382312694, Failed to add root certificate

Status : Failed

Error Code : 382312694

Error Message : Access denied, reason = rpc_s_auth_method (0x16c9a0f6).

 

Status : 0% Completed [Reset operation failed]

                

please see /var/log/vmware/vmcad/certificate-manager.log for more information.

 

Does anyone have any advice on how to solve this issue?

getpwnam(): name not found: administrator@vsphere.local

So my v6.0 vCenter Server Appliance disk filled up with log files.  I cleaned up the mess and am down to my final problem.

 

When logging in via the web interface, using the administrator@vsphere.local username and valid password, I get the "Unable to authenticate user. Please try again." message

 

The only error I can find in /var/log/vmware/applmgmt/vami.log:

 

2020-03-29T22:05:25.089 [4462]INFO:root:Processing request

2020-03-29T22:05:25.089 [4462]INFO:root:requestid=authenticate

2020-03-29T22:05:25.089 [4462]ERROR:root:Exception:'getpwnam(): name not found: administrator@vsphere.local'

 

 

The directory service is running:

 

vcappliance:~ # netstat -pln | grep 389

tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      5550/vmdird        

 

 

The following command works with the valid password:

 

vcappliance:~ # /usr/lib/vmware-vmafd/bin/dir-cli user find-by-name --account administrator --level 2 --login administrator@vsphere.local

Enter password for administrator@vsphere.local:

Account: administrator

UPN: Administrator@VSPHERE.LOCAL

Account disabled: FALSE

Account locked: FALSE

Password never expires: TRUE

Password expired: FALSE

Password expiry: N/A

 

Any ideas what is wrong?

 

Thanks.

Access Modes and Vulnerability Scanning

Hello vCenter Community,

I've got a few questions that with your answers may help me with our problems.  The first area deals with the different login methods to vCenter and hosts.  The second issue deals with vulnerability scanning.

 

1.  Login Modes:

When I built out our VMware suite I had to use each of the three different login GUIs below to make all configurations, and then you have Single Sign On.

 

Web Client

vSphere Client

vCenter Server Appliance Management Interface :5480

 

Our IA or Cyber Security team has locked me down to using only the Single Sign On method using Windows Credentials through the vSphere Client. 

I'm trying to configure a system account for Tenable SC "Security Center" so that we can scan the VCSA 6.7 and ESXi hosts, but we're running into problems.

 

RESOURCES:

Tenable Knowledge Article 000001403

Tenable Community

 

The specific information is this:

If you are trying to perform a compliance scan against both the ESXi hosts and vCenter:

---All of the above apply

-Your scan policy must have VMware vCenter SOAP API Settings defined along with an uploaded audit file

-Your vCenter server must be specified in the target list

-Your scan policy must have VMware SOAP API Settings defined along with an uploaded audit file

-Your ESXi host IPs must be specified in the target list

 

 

To perform a successful compliance scan against VMware systems, users must have the following:

1. Administrative credentials for VMware vCenter or ESXi. (Tenable has developed APIs for both ESXi (the interface available for free to manage VMs on ESX/ESXi), and vCenter (an add-on product available from VMware at some cost to manage one or more ESX/ESXi servers). This plugin can leverage either ESXi or vCenter credentials to do its job.)

2. Audit policy for VMware vCenter/ESXi Compliance Checks.

3. Plugin ID #64455 (VMware vCenter/ESXi Compliance Checks)

######

 

QUESTIONS:

1.  Can Admin accounts set up for Tenable scanning using the vSphere Client HTML5 GUI Single Sign-On complete the scans successfully or is another login method required?

2.  Is the Web Client and  the "Management Interface :5480" login still required for managing configurations or can everything be done now from HTML 5 only?

3.  Since my Admin account is now run through Windows Credentials, how do I get my rights back "given that IA still wants me to run systems"?

vCenter 6.7 HTML5 - can't edit user passwords/disable users

I've been running into an issue in VCSA 6.7 using the HTML5 interface where I cannot change user passwords. I also discovered I cannot disable the user from that interface. I don't get any kind of error when I click on ok or when I click disable but there is also no output at all and the change is not made. When I use the FLEX interface I am able to make the changes as expected. I'm seeing the same behavior on two different linked VCSA servers - one version 6.7.0.20100 and another version 6.7.0.42100.

 

I have tried searching extensively for this both in the past and this morning but unfortunately almost all search results only pertain to the root user password.


Unable to disable client plug-in. The option is grayed out.

Currently running vSphere 6.7 Update 3.  Need to remove client plugin for com.netapp.nvpf.webclient.  After an upgrade the plug-in is pointing to an incorrect url.  The url location is an old external update manager server which was decommed after migrating to the VCSA with embedded VUM.  Removed the extension for com.netapp.nvpf.webclient by going to https://vcenter_server/mob.

 

But, unable to disable the plugin.  The disable option is grayed out.  What would be the reason for this?

Upgrade Process - LB ext PSCs and vCenter at v6.5 move to embedded 6.7u3x??

Hi folks,

 

I've been planning the upgrade of one of our 10 vCenters, which has a bit of a unique configuration, but it is a supported configuration from VMware. I'm not finding any examples of upgrading all pieces, so I'm hoping for some insight.

 

Existing Config:

  • 2 load-balanced External PSCs behind an F5. Both are VCSAs at 6.5 build 9451637
  • LB DNS namespace rather than a computer name
    • This is part of the process of incorporating the LB since you can't refer directly to computer name as is the case with Active/passive PSC's.
  • 1 vCenter VCSA 6.5 build 9451637

 

Upgrade to Config:

  • 1 VCSA with embedded PSC services at 6.7 build 15132721 (U3B)
  • No more LB with F5

 

Seems simple enough, but I don't know how to deal with the load balancer piece during the upgrade and if the LB DNS namespace needs to be "imported" into the embedded PSC configuration.

 

Any insights appreciated!

 

Ron

VMware vCenter Single Sign-On randomly refuses connection from user due to incorrect login/password

Hi!

I'm using VMware vCenter Server Appliance 6.5.0.5100.

For a few days, almost all my logins have been refused due to incorrect login/password, but I'm sure of my credentials!

Sometimes login is accepted, and if I close the session, then I'm sure I will not be able to connect again for 10-20 minutes...

 

When my login fails, nothing is logged in vCenter Server, or in /var/log/vmware/sso/ssoAdminServer.log

 

First I thought the problem was due to my log partition, which was 100% used. I cleaned the logs; now storage is fine but the problem remains...

 

Any idea to investigate this problem?

Best regards.

Can't add ESXi host back to vCenter

Hello,

 

I'm struggling to add an ESXi host back to my vCenter. The setup is a bit "exotic" but worked for months.

I have my home lab and one single host I rent on the Internet for "disaster recovery".

 

All my hosts are (were) connected to the same vCenter (so all required ports are opened for that) - I'm not opening a discussion about the design.

After an Internet provider's problem, I was not able to reconnect the host, so I removed it from inventory to try to add it back, but I wasn't able to.

vCenter and hosts are patched to the very last 6.7 version (VC: 15807714 and hosts: 15160138)

 

This is what I see from the vCenter, the task fails at 80% after the usual wizard (I can see all VMs during the wizard):

And this is what I see on the host:

 

 

What I've already tried so far :

* Rebooted my Internet box - Don't laugh, the provider is not ruled out from the issue. I had several strange things with it, like not being able to access the web console of the host in question from home, but being able to access it from my mobile!

* Removed the vpxuser from command line : the warning disappear during the process

* Rolled back a self signed certificate from the host, but after the wizard, it replaces it automatically by one from the VCMA (which is OK)

 

None of the above helped to get any further.

 

What I need first is to know where I need to search further something that can be relevant for me or for anyone that would like to help... Thanks in advance !

Rest syslog logs location to local path, how to reset Alert/Alarm?

Hi,

 

I had the alert "system logs on host x.x.x.x are stored on non-persistant storage". I created a folder on each host called 'logfiles' and set the path in advanced options. Logs are now populating this folder. How long before the alert goes away or do I need to reset it? Can't see how I'd reset it.

 

...AR
