VMware Cloud Community
burvil
Enthusiast

Why am I getting these host compliance errors?

I am getting the following errors that show the host profile is out of compliance, and need help figuring out how to fix it. In the past, I would just update the host profile, maybe uncheck the boxes for these parameters. However, it seems doing that would reduce what I'd be getting from using the host profile. I also don't see why I'd be getting these errors, as the settings in the host profile aren't specific to a host.

The errors are:

Firewall Configuration: Ruleset esxupdate doesn't match the specification

--> For this, I didn't configure anything with the firewall, either in ESXi or in vCenter, so I'm confused about why this would show up.

Virtual SAN Configuration: Virtual SAN host fault domain mismatch

--> This is user defined in the host profile, so I'm not sure why it's complaining about a mismatch. If it's user defined, wouldn't anything be fine?

Service Configuration: Service TSM doesn't meet the policy on

Service TSM-SSH doesn't meet the policy on

--> I thought these may have been because the shell and SSH were turned on for the source hypervisor when the host profile was created, but I didn't see anything in the host profile to support this.

Any thoughts on why I'm getting these compliance errors?

6 Replies
Dee006
Hot Shot

Re: Compliance check error - Ruleset Fault tolerance doesn't match specification

Have you looked at this old thread about the host profile ruleset message?

Jimmy15
Enthusiast

Your configurations are not as per Host Profile. Make modifications either way to address compliance.

Regards

Pankaj Sharma


PS: Mark kudos or correct answer as appropriate 🙂
burvil
Enthusiast

Pankaj,  the post you refer to seems to boil down to one of three options.


1. Remove the checks from the host profile

===========================================

These checks are general, and not relating to a specific host, i.e. it seems some things I would actually want the host profile to enforce.  For this reason, I'm leery of unchecking these from the host profile.

2. do the compliance check one or two more times, see if that fixes it

===========================================

Did this, still got the same result, i.e. the same errors that the Host is not in compliance with the attached profile.

3. if not, put the host in maintenance mode and do a new compliance check. Usually that fixes it for me.

===========================================

Did this, still got the same result, i.e. the same errors that the Host is not in compliance with the attached profile.

Also, I'm not quite sure, given the descriptions for these items in the host profile, how I would change settings on the host to bring it back in compliance.

ThompsG
Virtuoso

Hi burvil,

I'll assign numbers to each of the compliance issues if you don't mind.

1. Firewall Configuration: Ruleset esxupdate doesn't match the specification

2. Virtual SAN Configuration: Virtual SAN host fault domain mismatch

3. Service Configuration: Service TSM doesn't meet the policy on

Compliance issue #1 : this is relating to the Firewall section of the Security Profile frame within the client:

[Image: FirewallConfiguration.jpg]

If you check Firewall configuration > Ruleset Configuration in the host profile vs. the Firewall section of the host you will notice a difference between the two. Possible that a scan was taking place when creating the profile or checking compliance which enabled this ruleset. Would need to see what is configured in the Host Profile vs. the Firewall on the host to confirm.

Compliance issue #3 : this relates to the Startup Policy of the TSM Service. It seems in the host profile that the TSM service is set to Start and stop with host, which translates to on; however, on the host it is configured as below.

[Image: ServicesStartupPolicy.jpg]

Default is to have this set to Start and stop with host, i.e. off - so that is what I would edit your host profile to be.

Compliance issue #2 : Probably thought I had forgotten about this one 😉 Not being overly familiar with VSAN it's a bit hard to make a judgement. As you have it specified to be User Defined then it's likely I would go ahead and disable this portion of the host profile as you aren't controlling it currently.

Apologies if I have gone over old ground or misunderstood the question. Trust this helps.

Kind regards.
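
To see what the host itself reports for the items this answer walks through, the sketch below compares service startup policies and firewall rulesets against expected values. It is an added example, not part of any post in this thread; the expected values, the host name and the sample objects are constructed assumptions.

```powershell
# Added example, not from the thread. Expected values are assumptions:
# copy them from the host profile you actually attach.
$Expected = @{
    Service = @{ 'TSM' = 'off'; 'TSM-SSH' = 'off' }   # off = start and stop manually
    Ruleset = @{ 'esxupdate' = $false }                # assumed: ruleset disabled
}

function Compare-HostState {
    param(
        [string]    $HostName,
        [object[]]  $Services,   # objects exposing Key and Policy
        [object[]]  $Rulesets,   # objects exposing Name and Enabled
        [hashtable] $Expected
    )
    $checks = @(
        @{ Kind = 'Service'; Items = $Services; Id = 'Key';  Value = 'Policy'  },
        @{ Kind = 'Ruleset'; Items = $Rulesets; Id = 'Name'; Value = 'Enabled' }
    )
    foreach ($c in $checks) {
        foreach ($name in $Expected[$c.Kind].Keys) {
            $found  = $c.Items | Where-Object { $_.($c.Id) -eq $name } | Select-Object -First 1
            $actual = if ($found) { $found.($c.Value) } else { '(not reported)' }
            [pscustomobject]@{
                Host      = $HostName
                Item      = "$($c.Kind) $name"
                Expected  = $Expected[$c.Kind][$name]
                Actual    = $actual
                Compliant = [bool]$found -and ($actual -eq $Expected[$c.Kind][$name])
            }
        }
    }
}

# Constructed sample host state (not real output), shaped like the objects
# Get-VMHostService and Get-VMHostFirewallException return.
$services = @(
    [pscustomobject]@{ Key = 'TSM';     Policy = 'on';  Running = $true  },
    [pscustomobject]@{ Key = 'TSM-SSH'; Policy = 'off'; Running = $false }
)
$rulesets = @([pscustomobject]@{ Name = 'esxupdate'; Enabled = $true })

Compare-HostState -HostName 'esx01.example.test' -Services $services -Rulesets $rulesets -Expected $Expected |
    Format-Table -AutoSize

# Against a live host (requires VMware PowerCLI and Connect-VIServer):
#   $h = Get-VMHost -Name 'esx01.example.test'
#   Compare-HostState -HostName $h.Name -Expected $Expected `
#       -Services (Get-VMHostService -VMHost $h) `
#       -Rulesets (Get-VMHostFirewallException -VMHost $h)
```

Rows with Compliant set to False are the items to reconcile, either on the host or in the profile.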

aparrna51193
Enthusiast

When the host profile you have attached to the host has a different configuration, then the compliance errors will be seen. You can apply the host profile to accept the changes. Once you apply the host profile, the changes will be applied.

DDawg42
Contributor

Correcting using Issue# 3 worked for me. One host was non-compliant due to services starting up with the Host. Changed to Manual and we are good.
