VMware Cloud Community
dfosbenner
Enthusiast

Update VC Server and ESXi 5.5 hosts to Update 3B (Build 3248547)

I'm running vCenter Server 5.5 and ESXi 5.5 hosts.  Both are Update 3a, patched to the 201510001 release, which is build 3116895.  I am planning the upgrade to Update 3B (Build 3248547) and I'm a little confused on the SSLv3 issue.

I am wondering if this point below from ESXi55 U3b & VC 55U3b Known Issues applies to my config:

ESXi does not get automatically added to vCenter Server inventory
If you update a previous version of vCenter Server and vSphere Update Manager to ESXi to 5.5 Update 3b, then after remediation task, ESXi does not get automatically added to VC inventory. Remediation process never gets completed and ESXi connection status in VC inventory is shown as disconnected.

Workaround: When ESXi is rebooted after remediate process is started, enable SSLv3 on ESXi (which is disabled by default). This will make sure ESXi gets added to VC inventory automatically in few minutes and Remediation as completed.

If I am reading things correctly, upgrading vCenter Server to 3B first, and then upgrading the ESXi hosts, will prevent the issues with lost communication.  Can someone confirm?


Accepted Solutions
MKguy
Virtuoso

It should be fine if you update vCenter first.

The problem is that vCenter 5.5 pre-U3b forces an SSLv3 connection when connecting to an ESXi host on port 443 (not vice versa). It does this even though both the ESXi host and the vCenter SSL/TLS libraries actually support TLS 1.0+ since at least vSphere 4.0 times.

So when you update a host to 5.5 U3b, the older vCenter will still try to force an SSLv3 connection that will fail, since SSLv3 has been disabled at the host. If you update vCenter first it will initiate a proper TLS 1.0+ connection to updated and older hosts alike.

Here is an explanation of the (pre-U3b) vCenter SSLv3 handshake behavior:

Re: vCenter and hosts communicating SSL v3

-- http://alpacapowered.wordpress.com
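
The handshake behaviour described in the answer above can be checked from a packet capture before SSLv3 is disabled on a host. The following is an added example, not part of the original post and not VMware code: it reads the `client_version` field of a captured ClientHello and lists clients that offer nothing above SSLv3. It assumes a client that forces SSLv3 appears on the wire with `client_version` 0x0300; the client names and the sample records are constructed.

```python
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def client_hello_version(record: bytes) -> int:
    """Return client_version (the highest version the client offers) from a ClientHello record."""
    if len(record) < 11:                      # 5 record hdr + 4 handshake hdr + 2 version
        raise ValueError("truncated record")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:                         # 0x16 = handshake content type
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < 6 or body[0] != 0x01:      # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    return struct.unpack("!H", body[4:6])[0]

def survives_sslv3_disable(record: bytes) -> bool:
    """True if the client offers TLS 1.0 or later, so a host rejecting SSLv3 can still negotiate."""
    return client_hello_version(record) >= 0x0301

def build_client_hello(version: int) -> bytes:
    """Constructed sample input: a minimal ClientHello offering one cipher suite."""
    hello = struct.pack("!H", version) + bytes(32)    # client_version + 32-byte random
    hello += b"\x00"                                    # empty session_id
    hello += struct.pack("!H", 2) + b"\x00\x2f"         # TLS_RSA_WITH_AES_128_CBC_SHA
    hello += b"\x01\x00"                                # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(handshake)) + handshake

def audit(flows):
    """flows: iterable of (client_name, first_record). Return clients that would be cut off."""
    return [name for name, rec in flows if not survives_sslv3_disable(rec)]

# Hypothetical client names paired with constructed captures.
SAMPLE_FLOWS = [
    ("vcenter-pre-u3b", build_client_hello(0x0300)),
    ("vcenter-u3b", build_client_hello(0x0301)),
]

if __name__ == "__main__":
    for name, rec in SAMPLE_FLOWS:
        v = client_hello_version(rec)
        print(f"{name}: offers up to {VERSIONS.get(v, hex(v))}")
    print("would fail against a host with SSLv3 disabled:", audit(SAMPLE_FLOWS))
```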

dfosbenner
Enthusiast

Thank you so much!  I upgraded vCenter Server first, then the ESXi system it runs on, and everything looks good.  I'll be rolling Update 3b out to the other hosts in the weeks ahead.
