VMware Cloud Community
BenConner
Contributor
Contributor
‎02-02-2014 07:25 AM
Jump to solution

Recent 5.1 upgrade knocked out vSphere client from accessing host

Hi,

I have 2 hosts managed by vCenter under 5.1.  I hadn't applied patches in a few months and decided to update them through the Update Manager.

After applying the patches to 1 host, I found I couldn't connect to it directly from the vSphere client.  Thought it was a fluke, so I applied patches to the 2nd host this morning and the same thing happened.  Good thing vCenter still works. Smiley Happy  These are production boxes.

The patches/updates I applied were:

ESXi510-201401103-SG

ESXi510-201401201-UG

ESXi510-201401203-UG

ESXi510-201401204-UG

ESXi510-201401205-UG

ESXi510-201401206-UG

ESXi510-201401207-UG

ESXi510-201401208-UG

ESXi510-201401101-SG

ESXi510-201401102-SG

ESXi510-201401202-SG

ESXi510-Update02

Anyone have any suggestions on how to correct this issue or find out which patch tanked the connectivity?

The error I'm getting back (which is immediate) is:

vSphere Client could not connect to "10.0.0.5".

An unknown connection error occurred. (The client could not send a complete request to the server. (The underlying connection was closed: An unexpected error occurred on a send.))

I've researched this in the KB and the usual steps they suggest didn't apply--I can ping the hosts, even access both via vCenter and log in with root.

Is it even possible to back out patch(es)?

--Ben

Tags (2)
Reply
0 Kudos
1 Solution

Accepted Solutions
a_p_
Leadership
Leadership
‎02-02-2014 11:22 AM
Jump to solution

It's actually the "ESXi" part of the KB which you want to look at. The other parts are related to vCenter Server. According to this KB and several MS articles, there's no patch for the 32-bit XP edition, so modifying the ESXi host might be the only option.

André

View solution in original post

Reply
0 Kudos
10 Replies
a_p_
Leadership
Leadership
‎02-02-2014 07:32 AM
Jump to solution

I assume you didn't already update the vSphere Client? This is usually required if you install a new "Update xx" package.

André

Reply
0 Kudos
BenConner
Contributor
Contributor
‎02-02-2014 07:51 AM
Jump to solution

Oh dear.  No, I didn't realize that was also needed.  Will try it right now.  Thanks!

--Ben

Reply
0 Kudos
BenConner
Contributor
Contributor
‎02-02-2014 09:34 AM
Jump to solution

Hi André

This is interesting.  The workstation I'm on is an XP box; it had 4.0, 4.1 and 5.1 installed on it.  I uninstalled all versions and downloaded and installed the newest 5.1 client.  Same result--can't connect.

So I went to a Windows 7 box that never had the client installed on it, installed it, rebooted, and it can connect.  So at least I have a workaround.

Of course the obvious answer (for many reasons) is "stop using XP". Smiley Happy  Until I can migrate off of it, getting it to work would be preferable. I also noticed that it really didn't completely uninstall it; the history was still there of prior hosts I typically use when I brought up the client.

Anything else I can try?

--Ben

Reply
0 Kudos
a_p_
Leadership
Leadership
‎02-02-2014 09:45 AM
Jump to solution

Take a look at http://kb.vmware.com/kb/2049143. Although this article is written to vSphere 5.5, it may be the same with v5.1. You may try to see whether editing the ESXi host's config.xml will help. Btw. there's no need to uninstall vSphere Clients in order to install new ones, they can all co-exist.

André

Reply
0 Kudos
BenConner
Contributor
Contributor
‎02-02-2014 11:00 AM
Jump to solution

Looked at the kb article and I suspect this is the correct root cause; the newest updates require a current vSphere client, and that client now uses the Open SSL library which requires stronger cipher suites than XP supports.  The only wiggle room I can see on this is their wording 'configured by default' regarding the strength of the Open SSL cipher.  I don't know if the configuration is chosen at compile time of the vSphere client (which would be VMWare's call), or at execution time after installation on the workstation.


I found several openssl.exe copies installed at various times on the workstation by different programs, and some were in the path.  I renamed all of them to openssl.old but that didn't affect the result.  That suggests to me that the decision was done at compile time.


I wonder if there's any way to upgrade the cipher strength in XP to satisfy the Open SSL requirement?


--Ben

Reply
0 Kudos
BenConner
Contributor
Contributor
‎02-02-2014 11:02 AM
Jump to solution

Wait a minute; I see an alternate after re-reading the KB: I may be able to modify the vpxd.cfg in 5.1 to use a weaker cipher strength.  Looking at that now.


--Ben

Reply
0 Kudos
BenConner
Contributor
Contributor
‎02-02-2014 11:14 AM
Jump to solution

Hm.  IS there a vxpd.cfg in 5.1?  I'm not finding it.

--Ben

Reply
0 Kudos
a_p_
Leadership
Leadership
‎02-02-2014 11:22 AM
Jump to solution

It's actually the "ESXi" part of the KB which you want to look at. The other parts are related to vCenter Server. According to this KB and several MS articles, there's no patch for the 32-bit XP edition, so modifying the ESXi host might be the only option.

André

Reply
0 Kudos
BenConner
Contributor
Contributor
‎02-02-2014 11:45 AM
Jump to solution

Hi André

Bingo.  That was indeed the case.  Worked beautifully.  Now I can stop hyperventilating.  Smiley Wink

Thank you so very much!

--Ben

Reply
0 Kudos
ixobelle
Contributor
Contributor
‎07-11-2014 09:54 AM
Jump to solution

bingo:


http://support.microsoft.com/kb/948963


for anyone still googling around and landing here, this is the patch for the client machine to support the newer SLL libraries required by the new vsphere clients (link is for Windows 2003)

Reply
0 Kudos