VMware Cloud Community
billdossett
Hot Shot

can't connect to esxi host webui - certificate?

this feels like deja vu, but I am not seeing the answer...

I can't connect to one of my ESXi hosts from Windows with Edge. It just says hmm, can't reach this page, no cert error or anything.

Which is unusual for a cert error; usually it tells you cert error. I've turned off AV, didn't help.

Now, what does work... Edge on my Mac connects, but says the credentials it sent are scrambled and does not allow me to connect even when I go to advanced.

Safari on my Mac allows me to trust the cert and install it to my keychain and then I can connect...

The host is in my vCenter and everything looks fine from that standpoint. I have deleted all personal certs in my Windows cert store.

I'm sure this happened to me at some time in the past and I can't remember how it was resolved.

Bill Dossett
NathanosBlightc
Commander

What's your ESXi version?

Please check the TLS settings and the selected version (Ver 1.0, 1.1 are deprecated in 2020) for the browser that has the problem.

Please mark my comment as the Correct Answer if this solution resolved your problem
billdossett
Hot Shot

So, yeah, I put a packet tracer on and it was coming back from the request with tls1. I'm on vSphere 7...

Changed it to 1.2 - didn't fix it though... it seemed to get worse even. It just says it can't connect at all after changing to tls1.2... three other hosts, consecutive IP addresses, work fine. Packet sniffer was showing reset after changing. AV off on my Windows workstation, firewall off, everything; it's like literally as if it's been blacklisted.

I moved my workstation back onto my main home subnet, which is routed to my vSphere management subnet using VyOS, and bang, it works again... so again, almost like it was blacklisted by something, as I now have a new IP address.

I could ssh to it, it was connected to vSphere fine and I can ping it, all by name and IP address. I'd like to figure out what the problem actually is, but I kind of ran out of ideas and I am trying to get NSX set up on it to work with NSX and understand it.

Bill Dossett
NathanosBlightc
Commander

The idea of deploying NSX cannot detect and resolve your problem, basically; I think it can even cause your environment to be more complex. So if changing the IP address solved your problem, I think it can be related to one of the following circumstances:

1. The internal firewall of your ESXi host was modified and an IP address or range was specified for connecting via the web client, before this time period. (Check it again, please.)

2. There may be an access list defined that prevents communication between two different subnets inside your network.

3. Your browser's cache for the old management IP address of this ESXi host.

However, if you want to find out the real problem, I strongly suggest you go back to or simulate the similar situation and investigate deep inside your networking configuration. Even a wrongly configured subnet mask can cause similar issues.

billdossett
Hot Shot

No ACLs, I will check the firewall; my browsers are all set to dump cache on exit and I have rebooted several times...

I do want to find the problem, but I am back configuring NSX again now that all is working - it's a strange one... BTW, I am not deploying NSX to detect or resolve my problem; that is a project I am working on and this problem came up while I am working on it.

if all goes well with my NSX today, then I may have time to return to the problem tomorrow and dig deeper.

Bill Dossett
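Added example, not part of the original thread and not VMware code: a small Python probe for the symptoms discussed above. It attempts one handshake per TLS version and names the layer that failed, so a TCP reset or silent drop on the path can be told apart from a rejected protocol version or an untrusted host certificate. The function names `classify` and `probe` are hypothetical, and the host to test is passed as the first command-line argument.

```python
import socket
import ssl
import sys
import warnings

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def classify(exc):
    """Name the layer at which a connection attempt failed."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert-untrusted"        # handshake reached the certificate check
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake-failed"  # e.g. protocol version rejected
    if isinstance(exc, ConnectionRefusedError):
        return "tcp-refused"           # nothing listening, or a firewall reject
    if isinstance(exc, ConnectionResetError):
        return "tcp-reset"             # RST from the peer or a device in the path
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"               # packets silently dropped
    return "other:" + type(exc).__name__

def probe(host, port=443, timeout=5.0):
    """Attempt one handshake per TLS version and return {version: outcome}."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            ctx = ssl.create_default_context()
            with warnings.catch_warnings():
                # Pinning to TLS 1.0/1.1 raises a DeprecationWarning on newer Pythons.
                warnings.simplefilter("ignore", DeprecationWarning)
                ctx.minimum_version = version
                ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = "ok:" + tls.version()
        except (OSError, ValueError) as exc:
            results[name] = classify(exc)
    return results

if __name__ == "__main__" and len(sys.argv) > 1:
    for name, outcome in probe(sys.argv[1]).items():
        print(f"{name:8} {outcome}")
```

Running it from both subnets and comparing the output shows whether the difference is at the TCP layer or in the TLS negotiation; `cert-untrusted` for a version means the host accepted that version and only the self-signed certificate was refused.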