10 Replies Latest reply on Jun 17, 2016 5:55 AM by cypherx

    Unable to scan hosts with Update Manager

    lvaibhavt Hot Shot

      Hi All,

       

      Here's description about my enviornment.

       

      I have a windows 2008 R2 DC. Named ---- DC01

      I have a Virtual Center. Names ------- VC01 (version 5.5)

      I have an external Databse server. Named ---- DB01 (Windows 2008 R2)

      I have an ESXi Host. Named --- esxi551 (version 5.5)

      I have a UMDS Server. Named --- umds (Windows 2008 R2)

       

      I configure umds and downloaded 5.5 patches only. I then created IIS repository.

      On my VC01 I have installed Update Manager. Connected the umds repository on the VUM and there was a green check connected. I then downloaded all the patches.

       

      I then created two baselines and put them in a baseline group. I attached esxi551 to the two created baselines.

      When I go for scan it returns an error

       

       

      I checked the log file and found

       

      2015-03-27T16:06:04.403+05:30 [02136 warning 'Ufa'] Empty WSDL root, failing

      2015-03-27T16:07:04.428+05:30 [06028 warning 'Ufa'] Empty WSDL root, failing

      2015-03-27T16:08:04.451+05:30 [05704 warning 'Ufa'] Empty WSDL root, failing

      2015-03-27T16:09:04.481+05:30 [01868 warning 'Ufa'] Empty WSDL root, failing

      2015-03-27T16:09:37.597+05:30 [05704 warning 'Locale'] Resource module 'HealthService' not found.

      2015-03-27T16:10:04.356+05:30 [01868 error 'Ufa.HTTPService'] Failed to read request; stream: <SSL(<io_obj p:0x02c09fb0, h:2084, <TCP '[::1]:8084'>, <TCP '[::1]:59371'>>)>, error: class Vmacore::SystemException(An established connection was aborted by the software in your host machine)

      2015-03-27T16:11:04.385+05:30 [02136 warning 'Ufa'] Empty WSDL root, failing

      2015-03-27T16:12:04.419+05:30 [05364 warning 'Ufa'] Empty WSDL root, failing

      2015-03-27T16:13:04.445+05:30 [06028 warning 'Ufa'] Empty WSDL root, failing

      2015-03-27T16:14:04.462+05:30 [05200 warning 'Ufa'] Empty WSDL root, failing

      2015-03-27T16:14:37.579+05:30 [05208 warning 'Locale'] Resource module 'HealthService' not found.

      2015-03-27T16:15:04.370+05:30 [05200 error 'Ufa.HTTPService'] Failed to read request; stream: <SSL(<io_obj p:0x0153f648, h:1864, <TCP '[::1]:8084'>, <TCP '[::1]:59013'>>)>, error: class Vmacore::SystemException(An established connection was aborted by the software in your host machine)

      2015-03-27T16:16:04.414+05:30 [05208 warning 'Ufa'] Empty WSDL root, failing

      2015-03-27T16:16:56.149+05:30 [02136 info 'VcIntegrity'] Connecting to host 10.1.1.3 on port 80 using protocol http

      -->

      2015-03-27T16:16:56.173+05:30 [02136 info 'VcIntegrity'] Authenticating extension by SSL certificate

      2015-03-27T16:16:56.184+05:30 [02136 info 'VcIntegrity'] Logged in!

      2015-03-27T16:16:56.208+05:30 [02136 info 'VcIntegrity'] ImpersonateUser user HOME\Administrator

      2015-03-27T16:17:04.436+05:30 [05704 warning 'Ufa'] Empty WSDL root, failing

      2015-03-27T16:17:13.331+05:30 [02136 info 'VcIntegrity'] Impersonated user!

      2015-03-27T16:17:13.346+05:30 [02136 info 'VcIntegrity'] Error on logout (ignored): vim.fault.NotAuthenticated

      2015-03-27T16:17:13.346+05:30 [02136 info 'vmomi.soapStub[1]'] Resetting stub adapter for server <cs p:00a097e0, TCP:10.1.1.3:80> : Closed

      2015-03-27T16:18:14.332+05:30 [05200 warning 'Ufa'] Empty WSDL root, failing

      2015-03-27T16:19:14.374+05:30 [05572 warning 'Ufa'] Empty WSDL root, failing

      2015-03-27T16:19:37.592+05:30 [05572 warning 'Locale'] Resource module 'HealthService' not found.

       

       

      Complete log file attached. Please suggest how to proceed.

       

       

       

       

      Thanks

      Vaibhav

        • 1. Re: Unable to scan hosts with Update Manager
          lvaibhavt Hot Shot

          any suggestions please !

          • 2. Re: Unable to scan hosts with Update Manager
            lvaibhavt Hot Shot

            the rules on the vc01 firewall are set to allowed

             

            firewall.PNG

            • 3. Re: Unable to scan hosts with Update Manager
              brunofernandez1 Expert

              the most common issue on the Update Manager is DNS.

              The esxi can't reach the VUM Server.

              Have a look on the log files of the esxi server: /var/log/esxupdate.log

              • 4. Re: Unable to scan hosts with Update Manager
                lvaibhavt Hot Shot

                2015-04-02T03:12:27Z esxupdate: root: INFO: Command = profile.setacceptance

                2015-04-02T03:12:27Z esxupdate: root: INFO: Options = {}

                2015-04-02T03:12:27Z esxupdate: BootBankInstaller.pyc: INFO: Unrecognized value "title=Loading VMware ESXi" in boot.cfg

                2015-04-02T03:12:27Z esxupdate: vmware.runcommand: INFO: runcommand called with: args = '['/sbin/bootOption', '-rp']', outfile = 'None', returnoutput = 'True', timeout = '0.0'.

                2015-04-02T03:12:27Z esxupdate: vmware.runcommand: INFO: runcommand called with: args = '['/sbin/bootOption', '-ro']', outfile = 'None', returnoutput = 'True', timeout = '0.0'.

                2015-04-02T03:12:27Z esxupdate: imageprofile: INFO: Adding VIB VMware_locker_tools-light_5.5.0-1.15.1623387 to ImageProfile (Updated) ESXi-5.5.0-20140302001-standard

                2015-04-02T03:12:27Z esxupdate: vmware.runcommand: INFO: runcommand called with: args = '['/sbin/esxcfg-advcfg', '-U', 'host-acceptance-level', '-G']', outfile = 'None', returnoutput = 'True', timeout = '0.0'.

                2015-04-02T03:12:27Z esxupdate: root: DEBUG: Finished execution of command = profile.setacceptance

                2015-04-02T03:12:27Z esxupdate: root: DEBUG: Completed esxcli output, going to exit esxcli-softwareinternal

                • 5. Re: Unable to scan hosts with Update Manager
                  ncolt Lurker

                  I fixed the same issue by enabling HA on the cluster affected

                  • 6. Re: Unable to scan hosts with Update Manager
                    gallycool Enthusiast

                    Hello Vibhav,

                     

                    Please check if the image installed on the host is customized image.

                     

                    We may not be able to update or scan for updates on a customized image.

                     

                    Please also let me know if this is the case with only one host or with all the hosts.

                     

                    Please also try a manual creating a baseline manually and add two new modules for test purpose and then try to attach only that baseline and try scanning for updates.

                     

                    Please let me know the results so that we can proceed.

                     

                    Thanks

                    sam

                    • 8. Re: Unable to scan hosts with Update Manager
                      cypherx Hot Shot

                      Did you ever get this resolved?

                       

                      I am having this issue with vCenter 6 update 2 and the Update Manager that is included on that ISO.

                       

                      I'm wondering what the solution is?  2 hours on the phone with VM support yesterday and going on another 2 hours today.  Not getting anywhere.  What do I pay support for?

                      • 9. Re: Unable to scan hosts with Update Manager
                        achaffman1 Lurker

                        Cypherx, did you get anywhere with VMWare support on this?  I'm seeing the same exact error and these errors on the VUM server:

                         

                        2016-06-16 14:15:46:264 'InventoryTree' 5448 ERROR]  [InventoryTree, 136] Timed out while acquiring the lock for host-34

                        [2016-06-16 14:15:46:264 'InventoryTree' 5448 WARN]  [InventoryTree, 1636] Failed to lock host-34; Timed out while acquiring the lock for host-34

                        [2016-06-16 14:15:46:264 'entityLocker' 5448 INFO]  [entityLocker, 77] Entities to be locked: 1, entities actually locked: 0

                        [2016-06-16 14:15:46:264 'VciRemediateTask.RemediateTask{45}' 5448 ERROR]  [vciTaskBase, 564] Task execution has failed: Failed to lock entities

                         

                        there has to be something that happened in 6u2 because i have other customers with 6u1 that work fine. 

                        • 10. Re: Unable to scan hosts with Update Manager
                          cypherx Hot Shot

                          You know what, it may have been a combination of things here.

                           

                          I seem to remember I could never get update mangaer to work on my PC in 5.0.  I always ran it from the Windows vCenter server itself.  But in 5.0 I though tit was because I had lower protocols disabled (SSL 3.0/2.0 for example), and I figured 5.0 was SSL3.

                           

                          So upgrade to 6.0, by now everything should be TLS, hopefully TLS 1.2.  However problem exists.  Saw the VUM firewall on an esxi host, disabled it, scanned fine - however I did this from the vCenter server itself.  I then tried it from my Windows 10 PC - didn't work at all.  It hung in both the C# client and Web client.  I was suprised it hung in web client because I would have though all my PC communication was going to the web interface on port 443, and then the webserver on vcenter server itself acted as a proxy and did all the communication to VUM.  I guess there is still something in VUM 6.0 that needs to talk directly to my machine.

                           

                          I took my PC out of its ordinary OU and ran a gpupdate /force.  This removes some of our windows firewall and SSL policies.  I was able to scan no problem.  I move my PC back into its OU and do another gpupdate.  Can no longer scan.  It seems to me it must be some security thing.  However if VUM just uses standard port 443, https TLS, there shouldn't be an issue.  I guess it uses more than that.  The next thing I'll have to do is get some wireshark captures between vcenter server and my PC.  I'll have to get a capture where it doesn't work and where it does work.

                           

                          When it doesn't work in wireshark I see alot of ISAKMP Unknown 243 and ISAKMP Identity Protection (Main Mode) traffic from my machine to vCenter server IP.  I know in our Windows Firewall GPO we have in it to try to secure all communications to lan endpoints, but its not a requirement.  I don't have this issue on my laptop when on VPN, which gets a different IP block.

                           

                          So bottom line is, I just wonder what kind of traffic is required, not just ports but protocols and in which direction... between the computer using vSphere web client update manager plugin OR the c# client update manager plugin and the VUM/vCenter server itself.  For now we have a workaround... just hop on the local vCenter server's console and run the c# client there (no I'm NOT installing flash on a server to use the web client).