Re: Unable to scan hosts with Update Manager

lvaibhavt · ‎03-27-2015

Hi All,

Here's description about my enviornment.

I have a windows 2008 R2 DC. Named ---- DC01

I have a Virtual Center. Names ------- VC01 (version 5.5)

I have an external Databse server. Named ---- DB01 (Windows 2008 R2)

I have an ESXi Host. Named --- esxi551 (version 5.5)

I have a UMDS Server. Named --- umds (Windows 2008 R2)

I configure umds and downloaded 5.5 patches only. I then created IIS repository.

On my VC01 I have installed Update Manager. Connected the umds repository on the VUM and there was a green check connected. I then downloaded all the patches.

I then created two baselines and put them in a baseline group. I attached esxi551 to the two created baselines.

When I go for scan it returns an error

I checked the log file and found

2015-03-27T16:06:04.403+05:30 [02136 warning 'Ufa'] Empty WSDL root, failing

2015-03-27T16:07:04.428+05:30 [06028 warning 'Ufa'] Empty WSDL root, failing

2015-03-27T16:08:04.451+05:30 [05704 warning 'Ufa'] Empty WSDL root, failing

2015-03-27T16:09:04.481+05:30 [01868 warning 'Ufa'] Empty WSDL root, failing

2015-03-27T16:09:37.597+05:30 [05704 warning 'Locale'] Resource module 'HealthService' not found.

2015-03-27T16:10:04.356+05:30 [01868 error 'Ufa.HTTPService'] Failed to read request; stream: <SSL(<io_obj p:0x02c09fb0, h:2084, <TCP '[::1]:8084'>, <TCP '[::1]:59371'>>)>, error: class Vmacore::SystemException(An established connection was aborted by the software in your host machine)

2015-03-27T16:11:04.385+05:30 [02136 warning 'Ufa'] Empty WSDL root, failing

2015-03-27T16:12:04.419+05:30 [05364 warning 'Ufa'] Empty WSDL root, failing

2015-03-27T16:13:04.445+05:30 [06028 warning 'Ufa'] Empty WSDL root, failing

2015-03-27T16:14:04.462+05:30 [05200 warning 'Ufa'] Empty WSDL root, failing

2015-03-27T16:14:37.579+05:30 [05208 warning 'Locale'] Resource module 'HealthService' not found.

2015-03-27T16:15:04.370+05:30 [05200 error 'Ufa.HTTPService'] Failed to read request; stream: <SSL(<io_obj p:0x0153f648, h:1864, <TCP '[::1]:8084'>, <TCP '[::1]:59013'>>)>, error: class Vmacore::SystemException(An established connection was aborted by the software in your host machine)

2015-03-27T16:16:04.414+05:30 [05208 warning 'Ufa'] Empty WSDL root, failing

2015-03-27T16:16:56.149+05:30 [02136 info 'VcIntegrity'] Connecting to host 10.1.1.3 on port 80 using protocol http

-->

2015-03-27T16:16:56.173+05:30 [02136 info 'VcIntegrity'] Authenticating extension by SSL certificate

2015-03-27T16:16:56.184+05:30 [02136 info 'VcIntegrity'] Logged in!

2015-03-27T16:16:56.208+05:30 [02136 info 'VcIntegrity'] ImpersonateUser user HOME\Administrator

2015-03-27T16:17:04.436+05:30 [05704 warning 'Ufa'] Empty WSDL root, failing

2015-03-27T16:17:13.331+05:30 [02136 info 'VcIntegrity'] Impersonated user!

2015-03-27T16:17:13.346+05:30 [02136 info 'VcIntegrity'] Error on logout (ignored): vim.fault.NotAuthenticated

2015-03-27T16:17:13.346+05:30 [02136 info 'vmomi.soapStub[1]'] Resetting stub adapter for server <cs p:00a097e0, TCP:10.1.1.3:80> : Closed

2015-03-27T16:18:14.332+05:30 [05200 warning 'Ufa'] Empty WSDL root, failing

2015-03-27T16:19:14.374+05:30 [05572 warning 'Ufa'] Empty WSDL root, failing

2015-03-27T16:19:37.592+05:30 [05572 warning 'Locale'] Resource module 'HealthService' not found.

Complete log file attached. Please suggest how to proceed.

Thanks

Vaibhav

lvaibhavt · ‎03-30-2015

any suggestions please !

lvaibhavt · ‎03-30-2015

the rules on the vc01 firewall are set to allowed

brunofernandez1 · ‎03-31-2015

the most common issue on the Update Manager is DNS.

The esxi can't reach the VUM Server.

Have a look on the log files of the esxi server: /var/log/esxupdate.log

------------------------------------------------------------------------------- If you found this or any other answer helpful, please consider to award points. (use Correct or Helpful buttons) Regards from Switzerland, B. Fernandez http://vpxa.info/

lvaibhavt · ‎04-02-2015

2015-04-02T03:12:27Z esxupdate: root: INFO: Command = profile.setacceptance

2015-04-02T03:12:27Z esxupdate: root: INFO: Options = {}

2015-04-02T03:12:27Z esxupdate: BootBankInstaller.pyc: INFO: Unrecognized value "title=Loading VMware ESXi" in boot.cfg

2015-04-02T03:12:27Z esxupdate: vmware.runcommand: INFO: runcommand called with: args = '['/sbin/bootOption', '-rp']', outfile = 'None', returnoutput = 'True', timeout = '0.0'.

2015-04-02T03:12:27Z esxupdate: vmware.runcommand: INFO: runcommand called with: args = '['/sbin/bootOption', '-ro']', outfile = 'None', returnoutput = 'True', timeout = '0.0'.

2015-04-02T03:12:27Z esxupdate: imageprofile: INFO: Adding VIB VMware_locker_tools-light_5.5.0-1.15.1623387 to ImageProfile (Updated) ESXi-5.5.0-20140302001-standard

2015-04-02T03:12:27Z esxupdate: vmware.runcommand: INFO: runcommand called with: args = '['/sbin/esxcfg-advcfg', '-U', 'host-acceptance-level', '-G']', outfile = 'None', returnoutput = 'True', timeout = '0.0'.

2015-04-02T03:12:27Z esxupdate: root: DEBUG: Finished execution of command = profile.setacceptance

2015-04-02T03:12:27Z esxupdate: root: DEBUG: Completed esxcli output, going to exit esxcli-softwareinternal

ncolt · ‎07-07-2015

I fixed the same issue by enabling HA on the cluster affected

gallycool · ‎07-08-2015

Hello Vibhav,

Please check if the image installed on the host is customized image.

We may not be able to update or scan for updates on a customized image.

Please also let me know if this is the case with only one host or with all the hosts.

Please also try a manual creating a baseline manually and add two new modules for test purpose and then try to attach only that baseline and try scanning for updates.

Please let me know the results so that we can proceed.

Thanks

sam

DanielOprea · ‎07-08-2015

Hi,

Please review the configuration of UDMS and connectivity between VUM and UDMS.

Please look to this KB:

VMware KB: Automating patch downloads for VMware vCenter Update Manager servers that do not have an ...

or

Install and Configure Update Manager Download Service

Regards

Daniel

PLEASE CONSIDER AWARDING any HELPFUL or CORRECT answer. Thanks!!
Por favor CONSIDERA PREMIAR cualquier respuesta ÚTIL o CORRECTA. ¡¡Muchas gracias!!
Blogs: https://danieloprea.blogspot.com/

cypherx · ‎06-14-2016

Did you ever get this resolved?

I am having this issue with vCenter 6 update 2 and the Update Manager that is included on that ISO.

I'm wondering what the solution is? 2 hours on the phone with VM support yesterday and going on another 2 hours today. Not getting anywhere. What do I pay support for?

achaffman1 · ‎06-16-2016

Cypherx, did you get anywhere with VMWare support on this? I'm seeing the same exact error and these errors on the VUM server:

2016-06-16 14:15:46:264 'InventoryTree' 5448 ERROR] [InventoryTree, 136] Timed out while acquiring the lock for host-34

[2016-06-16 14:15:46:264 'InventoryTree' 5448 WARN] [InventoryTree, 1636] Failed to lock host-34; Timed out while acquiring the lock for host-34

[2016-06-16 14:15:46:264 'entityLocker' 5448 INFO] [entityLocker, 77] Entities to be locked: 1, entities actually locked: 0

[2016-06-16 14:15:46:264 'VciRemediateTask.RemediateTask{45}' 5448 ERROR] [vciTaskBase, 564] Task execution has failed: Failed to lock entities

there has to be something that happened in 6u2 because i have other customers with 6u1 that work fine.

cypherx · ‎06-17-2016

You know what, it may have been a combination of things here.

I seem to remember I could never get update mangaer to work on my PC in 5.0. I always ran it from the Windows vCenter server itself. But in 5.0 I though tit was because I had lower protocols disabled (SSL 3.0/2.0 for example), and I figured 5.0 was SSL3.

So upgrade to 6.0, by now everything should be TLS, hopefully TLS 1.2. However problem exists. Saw the VUM firewall on an esxi host, disabled it, scanned fine - however I did this from the vCenter server itself. I then tried it from my Windows 10 PC - didn't work at all. It hung in both the C# client and Web client. I was suprised it hung in web client because I would have though all my PC communication was going to the web interface on port 443, and then the webserver on vcenter server itself acted as a proxy and did all the communication to VUM. I guess there is still something in VUM 6.0 that needs to talk directly to my machine.

I took my PC out of its ordinary OU and ran a gpupdate /force. This removes some of our windows firewall and SSL policies. I was able to scan no problem. I move my PC back into its OU and do another gpupdate. Can no longer scan. It seems to me it must be some security thing. However if VUM just uses standard port 443, https TLS, there shouldn't be an issue. I guess it uses more than that. The next thing I'll have to do is get some wireshark captures between vcenter server and my PC. I'll have to get a capture where it doesn't work and where it does work.

When it doesn't work in wireshark I see alot of ISAKMP Unknown 243 and ISAKMP Identity Protection (Main Mode) traffic from my machine to vCenter server IP. I know in our Windows Firewall GPO we have in it to try to secure all communications to lan endpoints, but its not a requirement. I don't have this issue on my laptop when on VPN, which gets a different IP block.

So bottom line is, I just wonder what kind of traffic is required, not just ports but protocols and in which direction... between the computer using vSphere web client update manager plugin OR the c# client update manager plugin and the VUM/vCenter server itself. For now we have a workaround... just hop on the local vCenter server's console and run the c# client there (no I'm NOT installing flash on a server to use the web client).