Biddles
Contributor
Contributor

iaas-service is blank and get http 502 error in Infrastructure page.

Jump to solution

I install VCAC 6.2 on Windows2012R2 and MSSQL2012SP1

There is no error when I install iaas.

Then:

When I check https://va:5480. The issa-service status is blank.

When I chekc https://va/component-registry/services/status/current. And I get below information


Exception during remote status retrieval for url: https://iaas/WAPI/api/status. Error Message I/O error on GET request for "https://iaas/WAPI/api/status":Connection reset; nested exception is java.net.SocketException: Connection reset.


And When I check https://iaas/WAPI/api/status. I can get correct information.

So, how can I track this error.

Thanks.

1 Solution

Accepted Solutions
Aronov
VMware Employee
VMware Employee

Hi,

I think have seen a similar issue.

In my case the problem was that the VA was requesting TLS 1.2 and the certificate on IaaS side is with sha512RSA signature. Which seems to be not supported.

Check in the Event log on the IaaS machine if there are errors like

Event ID: TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

Event ID: - A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

if this is the case for you, you can either install the windows update recommended in this article

http://blogs.technet.com/b/silvana/archive/2014/03/14/schannel-errors-on-scom-agent.aspx

Or re-issue the IaaS certificate to use SHA384 or SHA256

Let me know if this helped.

View solution in original post

0 Kudos
17 Replies
SkyCoop
VMware Employee
VMware Employee

Is this a distributed install? Load balancers in play?

0 Kudos
Biddles
Contributor
Contributor

There is no Separate load balancers。 And DB installed in IAAS server.

All services in IAAS servers started(DEO DEM, agent, management agent, VCAC service)

And WAPI/aip/status    serviceInitializationStatus is Registered.

0 Kudos
SkyCoop
VMware Employee
VMware Employee

FQDN of the appliance and IaaS box, do they match what you put in when specifying the URL for the Web Server, Manager Service, Virtual Appliance?


Anything in the Windows event logs? Did you try and shutdown the Windows box, reboot the virtual appliance and power on the Windows server after the CPU calms down on the VA (or when the services are registered)?

0 Kudos
Biddles
Contributor
Contributor

When issa started there is error for VMware Repository for Failed to start reposiotry service. When DEM and DEO started. There is no error.

And I also try to reboot VA and IAAS.

Then. iaas-service keep on blank.

I also check DNS record. There are IPV4 and IPV6 and match to  IAAS.  And only IPV4 for VA.

0 Kudos
Biddles
Contributor
Contributor

By the way, after I reboot the VA and IAAS, some time I can not find iaas-service information in /component-registry/services/status/current URL.

0 Kudos
GrantOrchardVMw
Commander
Commander

Do you really mean a 402 or is that a typo? If correct that is *weird*.

Does the catalina.out log (on the vRA Appliance) shed any light on what is happening? Any [WARN] or [ERROR] messages?

Grant

Grant http://grantorchard.com
0 Kudos
Biddles
Contributor
Contributor

So sorry make this wrong.  I get http 502 error in Infrastructure page.  Because I always get blank for iaas-service. So, I only create tenant one time. After that I re install my ENV when I see blank status and before create tenant.

0 Kudos
vmwaredownload
Enthusiast
Enthusiast

I suggest you to raise a SR on this. I had faced a similar issue while upgrading vCAC 6.0 to 6.1. The error was pretty much similar "VMware Repository for Failed to start reposiotry service". Support guys gave some commands to fix that issue. So I think they might have solution for vRA 6.2 also.

Regards,

SK

0 Kudos
bradger33
Enthusiast
Enthusiast

HI, have you checked IIS has the correct IaaS certificate bound to it?

0 Kudos
Biddles
Contributor
Contributor

No sure about this.(Do you have details step to check this?)

And raise SR in vmware. And when we install it via custom install. the bug can not be reproduced.

0 Kudos
Craig_G2
Hot Shot
Hot Shot

It's a long shot but it's not anything to do with this Windows update > KB3004375

It caused problems for some people when deployed?

Cheers

0 Kudos
bradger33
Enthusiast
Enthusiast

this does sounds certificate issue to me , it doesnt seem that the Infra page is authenticating correctly.

on the iaaS server, open IIS -> default web site -> bindings (under actions pane) - edit port 443 and ensure that the SSL cert is the correct one.

Biddles
Contributor
Contributor

I checked it via your steps. And there is correct certificate  for port 443

0 Kudos
Biddles
Contributor
Contributor

you suggest me need to install KB3004375 on my ENV?

0 Kudos
Craig_G2
Hot Shot
Hot Shot

Hi - I wasn't suggesting that you install it.


There was some talk a few weeks back about that KB causing issues with the IAAS components.

However, on reflection I think it might have been a bit of a wide suggestion.

Good luck fixing 🙂

0 Kudos
NASAWest
VMware Employee
VMware Employee

Hi,

We had the similar issue in our POC small environment.  The self-signed certs were expired on all components (SSO, vRA VA, IaaS).  After I updated the certs on all, here’s what I did to update the backend pieces:

On your IaaS machine, open an elevated command prompt and run the following:

cd c:\”Program Files (x86)”\VMware\vCAC\Server\”Model Manager Data”\Cafe

Vcac-Config.exe UpdateServerCertificates -d vcac -s vrafqdn -v

Vcac-Config.exe GetServerCertificates -url https://vrafqdn --FileName vcac-config.data

Vcac-Config.exe RegisterSolutionUser -url https://vrafqdn --Tenant vsphere.local -cu administrator@vsphere.local -cp ******** --FileName vcac-config.data -v

Vcac-Config.exe MoveRegistrationDataToDB --FileName vcac-config.data -s iaasfqdn -d vCAC -v

Vcac-Config.exe MoveRegistrationDataToDB -d vcac -s iaasfqdn -f vcac-config.data -v 

Restart all vCAC IAAS services

Vcac-Config.exe RegisterEndpoint --EndpointAddress https:// iaasfqdn /vCAC/ --Endpoint ui -v

Vcac-Config.exe RegisterEndpoint --EndpointAddress https:// iaasfqdn /Repository --Endpoint repo -v

Vcac-Config.exe RegisterEndpoint --EndpointAddress https:// iaasfqdn /WAPI --Endpoint wapi -v

Vcac-Config.exe RegisterEndpoint --EndpointAddress https:// iaasfqdn /WAPI/api/status --Endpoint status -v

SSH to the vCAC virtual appliance and run the following:

service vcac-server restart

Hope this helps!

Tony K.

Aronov
VMware Employee
VMware Employee

Hi,

I think have seen a similar issue.

In my case the problem was that the VA was requesting TLS 1.2 and the certificate on IaaS side is with sha512RSA signature. Which seems to be not supported.

Check in the Event log on the IaaS machine if there are errors like

Event ID: TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

Event ID: - A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

if this is the case for you, you can either install the windows update recommended in this article

http://blogs.technet.com/b/silvana/archive/2014/03/14/schannel-errors-on-scom-agent.aspx

Or re-issue the IaaS certificate to use SHA384 or SHA256

Let me know if this helped.

0 Kudos