Hello,

I have two vcenters both running 6.5  on vcenter 1 my vcsa failed to hold the network adapter in an HA setup.

So I installed a new vcsa 6.7 moved my hosts over and was up and running.  Need to setup HA later on 6.7.

My problem was my Veeam jobs would not run since it was looking for the original VCSA.

I deleted all the Veeam jobs and recreated them pointing to the new VCSA all working again.

I am wondering if there is a better way for my second vcenter

I reviewed articles about the upgrade process and I see it creates a new vcsa and the old vcsa get deleted after the upgrade process completes.

Problem is this is almost like a new install and my Veeam server on vcenter 2 will not see the old vcsa name.

Is there a way to upgrade and keep the same name?

Thanks

Tom

Good Afternoon,

I am seemingly at a loss as to why my VM will not Power on after enabling FT. I receive the entry "The VM failed to resume on the destination during early power on". My datastores are connected to a NAS, I am using VCSA and 6.7. The "error Details" only state Launch failure. IF there is anywhere I can begin to check to determine why the Fault Tolerant machine will not power-on I would appreciate it. Creating a new virtual machine and repeating the process did not resolve the issue.

Hi all,

For over a week now, I've been trying to deploy vCSA-6.7 from the .OVA file with VMware Workstation Pro 15 on my debian laptop. Lenovo t460s w/20GB of RAM and 500GB SSD. Not the fastest machine but enough to run a mini virtualized vSphere lab.

Current network setup:

1. VMware workstation /dev/vmnet1: Host only network, no DCHP needed, in it a DNS server, ESXi host and a vCSA appliance that I'll import to this network.

2. DNS installed as one of the VMs (debian/bind9) running in VMware Workstation

     - I can nslookup the FQDN of the vCSA from the ESXi 6.7 VM that is also on the same subnet.

     - I can reverse nslookup the IP, which resolves in the FQDN of the target vCSA machine.

3. I followed https://masteringvmware.com/how-to-install-vcsa-6-7-in-vmware-workstation-step-by-step/  and adapted the settings for my local config private domain.

4. After the OVA import the VM automatically launches and I instantly kill it to get it in the correct the network adapter settings so that it is in the same subnet as the DNS server and ESXi host (/dev/vmnet1 host only private network)

5. I SSH to the DNS server (same subnet, again) and tail /var/log/syslog to look for (r)DNS queries the vCSA setup procedure I would expecteand to do at some point in time and ping the IP address of the vCSA that should appear at some point in time but ... nothing. No ICMP reply, no DNS queries.

6. The last useful thing the  'physical' console of the vCSA appliance shows is several times stopping/starting DCUI (not an eternal loop but ~7 times)

7. blinking cursor on black screen.

8. It's been sitting still now for over an hour of virtually (pun intended) no CPU usage on the host.

What am I overlooking here?

Per the walkthroughs I've watched and the documentation here (Transferring Data from an Existing vCenter Server Appliance), I know that you can choose to import the performance data in the background after the VCSA appliance is built and the identity, including IP address, is transferred over.  When the Migration Assistant is exporting the data in the first place, I made the assumption that vCenter is up and running during that time.  Is that true?  I have a very large database (>500GB) and the estimation tool for the vCenter 6.5 upgrade (VMware Knowledge Base) puts the export time at 9.5 hours so I wanted to be prepared if it was going to be down for the entire export process.

Thank you!

Troy

hi,

we recently upgraded our env (2 psc + 2 vc in linked mode) from 6.5u2 with external psc to 6.7u3 and then convereged the psc into the vc.

now i have issues with the certificates of the vc servers that still show the old psc's in the certificate, thus creating sso problems with vrops (even after i replaced the authentication source to point to the vc's), and i cannot login the vrops using sso (only with admin@vsphere...)

i want to know my options.

do i live like this and just swallow the frog?

should i replace the certificates with new self signed internal one?

should i generate certificate using our company internal CA (ad ca service)?

anything else?

thanks

mordechai

Hi. I have been trying to determine why a couple of my VCSA v6.5U3 appliances take several hours to VAMI backup. The DB is actually not that big at all. The final backup size is only about 4GB.

Doing some research I stumbled on some other threads that had huge space issues and how they truncated a couple of vpostgres tables.

The tables are.

vc.vpx_text_array

vc.vpx_task

We have the default level 1 statistics and the default 30 day tasks and events retention.

I wanted to test so I restored the VCSA backup to an isolated environment.

I truncated both tables and my backups run in minutes.

The problem is I am not sure what those tables exactly are. I assume the 2nd one is all the tasks, and I guess it wipes all the saved tasks no matter what the retention is. I have no idea what the first one.

I will of course open a ticket with VMware before I proceed in PROD, but I wanted to know what exactly those two tables are and if there are any downsides people experienced if they truncated these as well before I open a ticket with support.

Thanks,,,

I migrated to external PSC to 6.7u3 before attempting to do the same for vCenter itself. I keep getting an error at Starting VMware Authentication Framework. The Error that comes up is:

Failed to force refresh TRUSTED_ROOTS Error 183

DNS is working. I can ping the host name of the vcenter server, and its alias, they both come back as responsive.

Here are the error logs from the migration assistant:

error file:

No file found matching /etc/vmware/install-defaults/cm.url

No file found matching /etc/vmware-vpx/vcdb.properties

No file found matching /etc/vmware-vpx/vc-extn-cisreg.prop

error-ignored file:

No file found matching /var/log/analytics/*

No file found matching /etc/vmware/vmware-analytics/*

No file found matching /etc/vmware/vmware-analytics/agents/*

No file found matching /var/log/vmware/analytics/*

No file found matching /var/log/vmware/applmgmt/cli/*

No file found matching /storage/applmgmt/backup_restore/*

No file found matching /var/log/vmware/vmware-bigsister.data*

No file found matching /var/log/firstboot/certificatemanagement_firstboot*.log

No file found matching /var/log/vmware/certificatemanagement/*

No file found matching /var/log/vmware/cm/*

No file found matching /var/log/vmware/cm/firstboot/*

No file found matching /etc/vmware\vmware-eam\dbmigrate

No file found matching /etc/vmware\vmware-eam\catalina.properties

No file found matching /etc/vmware\vmware-eam\eam.properties

No file found matching /etc/vmware\vmware-eam\eam-vim.properties

No file found matching /etc/vmware\vmware-eam\features.json

No file found matching /etc/vmware\vmware-eam\features.properties

No file found matching /etc/vmware\vmware-eam\log4j.properties

No file found matching /etc/vmware\vmware-eam\logging.properties

No file found matching /etc/vmware\vmware-eam\version

No file found matching /etc/vmware\vmware-eam\firstboot\eamspec.properties

No file found matching /etc/vmware\vmware-eam\firstboot\extension\extension.xml.installer

No file found matching /var/log\eam

No file found matching /var/log/firstboot/imagebuilder*

No file found matching /etc/vmware/vmware-imagebuilder/

Cmd "/usr/lib/vmware-imagebuilder/bin/cmdlets.py --dump-database" failed with exit code 1

Cmd "/usr/lib/vmware-cm/bin/cmlookup -Dcm.url=http://localhost:18090/cm/sdk -Dprop=/usr/lib/vmware-cm/conf/cm.properties -Dlookup=all -Dcm.conn.attempts=1" failed with exit code 1

No file found matching /var/log/vmware/vmware-mbcs/*

No file found matching /var/log/vmware/mbcs/*

No file found matching /var/log/mbcs/*

No file found matching /var/log/vmware/netdumper/*

No file found matching /var/core/netdumps/*

No file found matching /var/log/vsphere-client/

No file found matching /var/log/vmware/perfcharts/*

No file found matching /var/log/perfcharts/*

No file found matching /etc/vmware-pod/ssl/rui.crt

No file found matching /var/log/rhttpproxy/*

No file found matching /etc/vmware-rhttpproxy/pc.properties

No file found matching /etc/vmware/vmware-rhttpproxy/endpoints.conf.d/*

No file found matching /etc/vmware/vmware-rhttpproxy/config.xml

No file found matching /etc/vmware/vmware-rhttpproxy/pc.properties

No file found matching /var/log/vmware/sca/*

No file found matching /usr/lib/vmware-sca/wrapper/conf/*

No file found matching /etc/vmware-sca/services/*

No file found matching /etc/vmware-sca/health/*

No file found matching /var/log/vmware/vmware-sps/*

No file found matching /var/log/vmware/applmgmt/StatsMonitor*

No file found matching /etc/crontab

No file found matching /etc/cron.monthly/*

No file found matching /etc/modprobe.conf*

No file found matching /etc/hosts.deny

No file found matching /var/log/boot*

No file found matching /var/log/secure*

No file found matching /var/log/sa/*

No file found matching /var/log/vmware/vami/*

No file found matching /var/log/.*

No file found matching /var/sa/*

Cmd "/usr/bin/journalctl -b -1" failed with exit code 1

Cmd "/usr/bin/journalctl -b -2" failed with exit code 1

No file found matching /var/log/commit/*

No file found matching /var/log/cloudvm/*

No file found matching /var/log/restore/*

No file found matching /var/log/prefreeze/*

No file found matching /var/log/postthaw/*

Error running command $VMWARE_CIS_HOME\bin\service-control.bat --status --all

No file found matching /var/log/vmware/vSphere-TlsReconfigurator/*

No file found matching /var/log/firstboot/topologysvc_firstboot*.log

No file found matching /var/log/vmware/topologysvc/*

No file found matching /etc/vmware/vmware-vapi/*

No file found matching /var/log/vapi

No file found matching /storage/vcha/

Cmd "/usr/lib/vmware-vcha/scripts/vcha-vc-support peer" failed with exit code 1

Cmd "/usr/lib/vmware-vcha/scripts/vcha-vc-support witness" returned no information, don't collect file commands/vcha-vc-support_witness.tgz for this cmd.

Cmd "/usr/lib/vmware-content-library/support/dump-content-library-thread.sh" failed with exit code 1

No file found matching /var/log/vmware/vpxd/vlf

No file found matching /var/log/vmware/vpxd/vlf-ts

No file found matching /var/log/vmware-vpx/vlf

No file found matching /var/log/vmware-vpx/vlf-ts

No file found matching /var/log/vmware-vmafd/*.log

No file found matching /var/log/vmware-vmca/*.log

No file found matching /var/log/vmware-vmdns/*.log

No file found matching /var/log/syslog.*

No file found matching /var/log/vmware/vmca/*

No file found matching /var/log/vmware/vmdns/*

No file found matching /var/log/vmware/vmcad/*

No file found matching /var/log/certificate-manager.log

No file found matching /var/log/vmware/vmdird/*

No file found matching /var/log/vmware/vmdnsd/*

No file found matching /var/log/vmafdd/*

No file found matching /var/log/vmca/*

No file found matching /var/log/vmdird/*

No file found matching /var/log/vmdns/*

No file found matching /usr/lib/vmware-vmafd/share/config/vmafd.reg

No file found matching /usr/lib/vmware-vmca/share/config/vmca.reg

No file found matching /usr/lib/vmware-vmdns/share/config/vmdns.reg

Error running command reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VMwareAfdService /s

Error running command reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VMwareDNSService /s

Cmd "/opt/likewise/bin/lwregshell ls HKEY_THIS_MACHINE\services\vmdns\parameters" failed with exit code 252

No file found matching /var/log/firstboot/vmcam-firstboot*.log

No file found matching /var/log/vmware-vmcam/*.log

No file found matching /var/log/syslog.*

No file found matching /var/log/vmware/vmcam/*

No file found matching /var/log/vmware/vmcamd/*

No file found matching /var/log/vmcamd/*

No file found matching /storage/vmware-vmon/*

No file found matching /var/log/vmon/

Cmd "/bin/vicfg-snmp --test" failed with exit code 1

Cmd "/bin/df -h /var/spool/snmp" failed with exit code 1

No file found matching /etc/vmware-vpx/ssl/rui.crt

No file found matching /etc/vmware-vpx/ssl/vcsoluser.crt

Cmd "/usr/bin/python /usr/lib/vmware-vpx/py/collect_vpxd_log.py" returned no information, don't collect file var/log/vmware/vpxd/vpxdLogFromCustomDir.tgz for this cmd.

No file found matching /var/log/vmware/journal/*

No file found matching /var/core/core.vpxd*

No file found matching /var/log/vmware/vctop/

No file found matching /etc/vmware-vpxd-svcs/ssl/invsvc.crt

No file found matching /usr/lib/vmware-vpxd-svcs/wrapper/conf/*

No file found matching /var/log/vmware/vsan-dps/*

No file found matching /var/log/vmware/vsan-health/*

Cmd "python /usr/lib/vmware-vpx/vsan-health/vsan-vc-health-status.py cluster-health" failed with exit code 1

No file found matching /etc/vmware\vmware-vsm

No file found matching /var/log\vsm

No file found matching /var/log/vsphere-ui/

Cmd "python /usr/lib/vmware-vpx/vsan-health/vsan-vc-health-status.py rvc-basic-support-information" failed with exit code 1

Cmd "/bin/rpm -qa --verify" failed with exit code 1

I am trying to configure ldaps to my DCs in vcenter 6.7

Am I only able to specify one controller since it can take only one cert in the settings?

Hi to All

I want to config Vcenter HA but when click 'SETUP VCENTER HA' get this error:

"The object ManagedObjectReference has already been deleted or has not been completely created"

vcenter 6.7.0 42000

3 esxi host 6.7

can anyone one help?

thanks.

Hello,

I want to install VCenter but i have not DNS and no Gateway. It's a full private network with Virtual Machines in Workgroup. The industrial software which will be installed doesn't not support Domain.

What should I put in the Following fields in my case :

- Default Gateway :

- DNS Server

Thanks

Hi Gems,

Unable to update the  VCSA  form VAMI . Can anyone face this ?

I generated a CSR through the vCenter web interface (Administration>Certificate Management>Machine SSL Certificate>Actions>Generate CSR). I submitted the csr and got the certificate back, but I need the private key file. Can anyone tell me where on the vcenter server the csr generation process would have put that by default? Most of the documentation I've seen is for the certificate manager command and uses a switch for the file location, but there isn't much documentation for the web client.

Thanks.

Anyone know why a 6.7 vCenter appliance would fail to accept new solution user certificates in both the UI and the CLI (Certificate-Manager)?

Specifics:

- 6.7U3C vCenter appliance in Enhanced-Linked mode

- Machine SSL certificate replaced without issue

- The VPXD, VPDX-extension, machine, and vsphere-webclient certificates will not replace

- There are no wild cards in the certificates [SANs or CNs, etc.]

- All of the vCenters in the environment have the same certificate templates and are the same, but they were upgraded to 6.7. This one is new.

The certificates were generated using open-ssl.

The template uses 4096, what should be the proper enhanced attributes, includes the corresponding type in the CN [e.g. machine-FQDN, VPXD-FQDN, etc.].

This is really odd.

GB

Whenever I try to connect to our VCentre server the first time it always fails. It's a virtual appliance which was upgraded from V5 to V6.0 about a year ago (not by me). The first time I try to connect to it with my browser (any one - I have tried a few) I ALWAYS just get a spinning wheel. I end up having to close the browser window, and try again. It always works the second time. When I say 'the first time' I don't mean 'the first time I try on any given day', I mean the first time I open a browser and try to connect. If I close my browser, and then need to log in again later in the day, the same thing happens. The same thing is starting to happen with VMs - quite often I will try to RDP to a VM and nothing happens. I close the RDP client and try again and it works. We are also getting issues where Veeam One regularly loses it's connection.

I'm a bit of a know-nothing as far as Vmware is concerned, so can anyone give me some hints as to where I should be looking to resolve this?

Hi,

Our vCenter 6.7 appliance has been running fine for a few months. Since today though, SSO users can't login.

(SSO identity source is LDAP, which seems to be running OK)

When I try to investigate.

- I can login to the server on port 5480 as Administrator@vsphere.local OK, and the dashboard for SSO, only says 'vsphere.local' and Status 'Running', and no options to edit.

- But when I try to login to the vSphere UI as Administrator@vsphere.local  to check if I have lost my SSO settings, I get this error.

A server error occurred.

[400] An error occurred while processing the authentication response from the vCenter Single Sign-On server. Details: Status: urn:oasis:names:tc:SAML:2.0:status:Responder, sub status: urn:oasis:names:tc:SAML:2.0:status:RequestDenied.

Check the vSphere Web Client server logs for details.

Shouldn't I be able to login as the local administrator ? even without a SSO service - what am I doing wrong ?

I can login to the appliance as root via ssh, but not sure which are the relevant logs

Thanks

We are planning vSphere farm upgrade from 6.0U2 to 6.7U2 or higher. currently,there are 3 vcneter instances (3sites) with all external PSC joined one single SSO domain that allows enhanced linked mode.

what will be the upgrade sequence of different sites (PSC,vCenter,SRM).our ultimate goal is to get rid of external PSC and upgrade to embedded PSC with vCenter for all sites without loosing linked mode feature

Hello,

The Mac OSX Catalina impose new rules on the certificates and/or Google Chrome.

When using Chrome i get a NET::ERR_CERT_REVOKED, and i can't override. If using Safari or Firefox it works.

i've added the Root CA in the osx trusted list, but still Chrome refuse to obey. (yes, there is a hack in chrome to bypass but its not nice)

anyhow: my actual question is, can i regenerate the root ca, with all the rules imposed by Catalina?

looking around the vcenter i can generate the root ca on another machine, then import it in the Certificate Manager, and hopefully it will propagate and the re-issue all the esxi certs.

it should work?

A nicer way would be that at the next vcenter upgrade (ah i'm using 6.5 latest update in 2019) to include this process (i think)

would an upgrade to vcenter 6.7 solve this issue?

The certif rules are:

"Apple has introduced a series of new requirements for SSL certificates to be accepted by Catalina, documented at https://support.apple.com/en-us/HT210176. To summarize here:

• Key size must be at least 2048 bits.
• Hash algorithm must be SHA-2 or newer.
• DNS names must be in a SubjectAltName, not in the CN field only.

For certificates issued after 2019-07-01:

• The ExtendedKeyUsage extension must be present, with the id-kp-ServerAuth OID.
• The validity period may not be longer than 825 days."

Cheers and a Happy New Year!!!!

Ciprian

I have two vCenter servers and I am in the middle of consolidating down to one. I have roughly 20 VMs left to move.

Source vCenter is 6.5.0.30000

Target vCenter is 6.7.0.40000

They are on completely separate hardware in different datacenters, safe for one common LUN.

My process in the past has been to move the VM to the shared LUN, unregister from the source vCenter and reregister on the target vCenter. Once there, I power up the VM, fix any networking issues and storage vMotion the guest to the desired location.

I am running into issues after the re-register where I cannot move the VM to other storage (Failed waiting for data. Error 195887107) or am unable to power on the VM (NVRAM: open failed: incorrect version.)

VMWare support has been less than helpful.... to say the least.

Am I doing something that SHOULD work? I have had success using the Cross vCenter vMotion FLING and cloning the VM from a powered off state, but it would speed the process up immensely if the method I outlined above would work.

I appreciate any feedback that could help.

"Check the network settings and make sure you have network access to the identity source."

Backstory:

I opened a ticket with vmware support on 1/31/2020 because "something" was logging into 4 out of 6 esxi hosts in my DR cluster, and it was failing. The error is "Cannot login administrator@vsphere.local@(IP of our DR Veeam NAS repository)", and happens every 2 to 3 minutes.

I opened a ticket with Veeam; they can't find the issue. Opened a ticket with vmware; they can't find the issue.

In the meantime, something *else* went wrong on the 20th; my DR cluster (the one getting the failed login attempts) lost all its permissions except for administrator@vsphere.local. Yet the production VCSA has all it's permissions in tact. So if I log in as myself, I *only* see the production datacenter; if I log in as administrator@vsphere.local, I see both production and DR datacenters.

Current Story:

And now, the subject of this post: now when we try to add an identity source, the get the error "Check the network settings and make sure you have network access to the identity source."

BUT: when I putty into both the VCSAs, I can ping all our domain controllers, all the esxi hosts, and the other vcsa. No issues; no dropped packets.

Doesn't matter what version of identity source we try to add (AD, AD over LDAP, LDAP), we get the same error.

• We've upgraded both VCSAs to the latest (6.7.0.42100), with no changes.
• Both VCSAs are joined to our domain.
• The SSO domain is NOT the same name as our domain.

It seems like the answer is going to be soooo simple...but nobody seems to be able to find it.

Any ideas? Or hints?

We are scanning our VCSA v6.7 with Tenable using SOAP and are getting hits against various packages within Photon. However, the available patches from VMware seem to be woefully behind the vulnerability publication dates. I'm looking on VMware vCenter Server Appliance Photon OS Security Patches for what's available. Case in point: Tenable plugin 132526 is complaining that postgresql-9.6.14-1.ph1 should be at postgresql-9.6.14-2.ph1; however, looking at the VMware link above, the latest version of postgresql was 9.6.14-1 released on 5 December 2019 in build 15132721. Per Tenable, this vulnerability was identified/published back on 29 October 2019. Seems like v9.6.14-2 would've made the cut for that build but if nothing else, would have been included in a subsequent release (the last being 30 January 2020).  We've found info online about updating individual packages using tdnf; however, this is an overly arduous process especially since the VCSA in question has no Internet access (or more accurately, its repo doesn't). It would be much more desirable for VMware to release this patches in their update bundles. Am I missing something here? Thanks