6 Replies Latest reply on Jan 23, 2018 8:23 AM by DDawg42

    Why am I getting these host compliance errors?

    burvil Novice

      I am getting the following errors that show the host profile is out of compliance, and need help figuring out how to fix it. In the past, I would just update the host profile, maybe uncheck the boxes for these parameters. However, it seems doing that would reduce what I'd be getting from using the host profile. I also don't see why I'd be getting these errors, as the settings in the host profile aren't specific to a host.

       

       

      The errors are:

      Firewall Configuration: Ruleset esxupdate doesn't the specification

      --> For this, I didn't configure anything with the firewall, either in ESXi nor in Vcenter, so I'm confused about why this would show up.

       

       

      Virtual SAN Configuration: Virtual SAN host fault domain mismatch

      --> This is user defined in the host profile, so I'm not sure why it's complaining about a mismatch. If it's user defined, wouldn't anything be fine?

       

       

      Service Configuration: Service TSM doesn't meet the policy on

      Service TSM-SSH doesn't meet the policy on

      --> I thought these may have been because the shell and ssh was turned on for the source hypervisor when the host profile was created, but I didn't see anything in the host profile to support this.

       

       

      Any thoughts on why I'm getting these compliance errors?

        • 1. Re: Why am I getting these host compliance errors?
          Dee006 Hot Shot
          vExpert

          Re: Compliance check error - Ruleset Fault tolerance doesn't match specification

           

          Have you look at this old thread about the host profile ruleset message.

          • 2. Re: Why am I getting these host compliance errors?
            Jimmy15 Enthusiast

            Your configurations are not as per Host Profile. make modifications either way to address compliance.

             

            Regards

            Pankaj Sharma

            • 3. Re: Why am I getting these host compliance errors?
              burvil Novice

              Pankaj,  the post you refer to seems to boil down to one of three options.


              1. Remove the checks from the host profile

              ===========================================

              These checks are general, and not relating to a specific host, i.e. it seems some things I would actually want the host profile to enforce.  For this reason, I'm leery of unchecking these from the host profile.

               

              2. do the compliance check one or two more times, see if that fixes it

              ===========================================

              Did this, still got the same result, i.e. the same errors that the Host is not in compliance with the attached profile.

               

              3. if not, put the host in maintenance mode and do a new compliance check. Usually that fixes it for me.

              ===========================================

              Did this, still got the same result, i.e. the same errors that the Host is not in compliance with the attached profile.

               

              Also, I'm not quite sure, given the descriptions for these items in the host profile, how I would change settings on the host to bring it back in compliance.

              • 4. Re: Why am I getting these host compliance errors?
                ThompsG Master

                Hi burvil,

                 

                I'll assign numbers to each of the compliance issues if you don't mind.

                 

                1. Firewall Configuration: Ruleset esxupdate doesn't match the specification

                2. Virtual SAN Configuration: Virtual SAN host fault domain mismatch

                3. Service Configuration: Service TSM doesn't meet the policy on

                 

                Compliance issue #1 : this is relating to the Firewall section of the Security Profile frame within the client:

                 

                FirewallConfiguration.jpg

                If you check Firewall configuration > Ruleset Configuration in the host profile vs. the Firewall section of the host you will notice a difference between the two. Possible that a scan was taking place when creating the profile or checking compliance which enabled this ruleset. Would need to see what is configured in the Host Profile vs. the Firewall on the host to confirm.

                 

                Compliance issue #3 : this relates to the Startup Policy of the TSM Service. It seems in the host profile that the TSM service is set to Start and stop with host which translates to on however on the host it is configured as below.

                ServicesStartupPolicy.jpg

                Default is to have this set to Start and stop with host, i.e. off - so that is what I would edit your host profile to be.

                 

                Compliance issue #2 : Probably thought I had forgotten about this one Not being overly familiar with VSAN it's a bit hard to make a judgement. As you have it specified to be User Defined then it's likely I would go ahead and disable this portion of the host profile as you aren't controlling it currently.

                 

                Apologies if I have gone over old ground or misunderstood the question. Trust this helps.

                 

                Kind regards.

                1 person found this helpful
                • 5. Re: Why am I getting these host compliance errors?
                  aparrna51193 Novice

                  when the host profile you are attached to the host has different configuration, then the compliance errors will be seen. You can apply the host profile to accept the changes. Once you apply host profile, changes will be applied.

                  • 6. Re: Why am I getting these host compliance errors?
                    DDawg42 Lurker

                    Correcting using Issue# 3 worked for me. One host was non-compliant due to services starting up with the Host. Changed to Manual and we are good.