baber
Expert
Expert

Update vcsa while vcsaHA is enable and working

Dear all

Hi

i installed vcsa 6.7 build number :    11727113 and i config vcsaHA and it is now working

now i want to update my vcsa to lastest version now what do i havd to do before update vcsa ?

All of vcsa ( Active - passive , witness) will automatically update ?

Do i had to do normal update just on active vCenter ?

BR

Please mark helpful or correct if my answer resolved your issue.
15 Replies
StephenMoll
Expert
Expert

  1. Put Vcenter-HA Cluster into maintenance mode. (Replication continues, but failover is disabled.
  2. Patch the Witness node.
  3. Patch the Passive node.
  4. Trigger failover.
  5. Patch the remaining node. (Was Active but is now Passive after the failover).
  6. Bring the vCenter-HA cluster out of maintenance mode.
baber
Expert
Expert

so thanks

but how do i had to update witness and passive nodes?

BR

Please mark helpful or correct if my answer resolved your issue.
0 Kudos
StephenMoll
Expert
Expert

0 Kudos
sk84
Expert
Expert

There is also an official guide from VMware available for patching a VCHA setup:

Patch a vCenter High Availability Environment

But I would recommend to destroy the HA cluster so that only the active node remains, update this node and re-activate VCHA again after the update was successful. In my experience this is faster and easier than patching 3 VMs with failovering from active to passive node.

--- Regards, Sebastian VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
0 Kudos
StephenMoll
Expert
Expert

And if the patch goes wrong for some reason? What do you have left over?

Easy quick methods have a cost, in this case it is the risk of losing vCenter completely. The guidance given isn't without merit. Whilst updating one of the three nodes, the vCenter DB is protected.

Good find on the VMware guide. I couldn't find it quickly despite looking. I found a reference to it in another VMware page, but the reference wasn't a link.

0 Kudos
sk84
Expert
Expert

And if the patch goes wrong for some reason? What do you have left over?

Easy quick methods have a cost, in this case it is the risk of losing vCenter completely. The guidance given isn't without merit. Whilst updating one of the three nodes, the vCenter DB is protected.

Just like we've been doing vCenter updates for the last 10 years without HA: With snapshots and/or backups.

I have never lost a vCenter through any update. If something goes wrong, the snapshot will be reverted or the backup restored.

VMware also mentions this in the vCenter update documentation: Install vCenter Server Appliance Patches

As a precaution in case of failure, you can back up the vCenter Server Appliance.

--- Regards, Sebastian VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
0 Kudos
baber
Expert
Expert

I did according this document:

first update witness

then update passive

now after update passive node show this error:

Connection refused: The remote service is not running, OR is overloaded, OR a firewall is rejecting connections.

and i restart witness and passive manually but not solved

what is the problem ?

please see attach pic

Please mark helpful or correct if my answer resolved your issue.
0 Kudos
sk84
Expert
Expert

I told you that it's the best way to destroy VCHA and patch only once without the VCHA failover. Then you wouldn't have any problems and you'd be done. There are dozens of posts here where there were problems with VCHA during updates.

You could now start troubleshooting. For me it looks like a splitbrain or isolation scenario. Active and Passive node have the vCenter Management IP, which shouldn't be and apparently the nodes can't talk to each other anymore. Maybe you restarted passive and witness node at the same time. You must not do this, because VCHA always requires that 2 nodes can talk to each other (either Active & Passive or Active & Witness or Passive & Witness), otherwise management is no longer possible.

For VCHA troubleshooting this ressource may be helpfull: Troubleshoot Your vCenter HA Environment

But if this would be my setup, I would now power off the passive node and Witness. Check if everything is ok with the active node and if the vSphere client works properly. After that I would remove the HA configuration (this button still seems to work) and if everything is still fine I would take a snapshot of VCSA, update the remaining VM and re-activate HA again. At least that would be my approach.

--- Regards, Sebastian VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
0 Kudos
baber
Expert
Expert

is that your means remove vcHA completely and just update active vcsa and another config vcHA ?

BR

Please mark helpful or correct if my answer resolved your issue.
0 Kudos
sk84
Expert
Expert

Yes. That would be my approach to solve this issue. Also the VCHA troubleshooting guides from VMware are about to destroy and reconfigure VCHA in the most failure cases.

But in order to break nothing more, I would proceed step by step. First shut down passive and witness node, check if the active node still works correctly, restart the active node if necessary and only if everything is OK with the active node I would completely remove VCHA. Maybe a backup of the active and passive node still makes sense before you start, but that's up to you.

--- Regards, Sebastian VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
0 Kudos
baber
Expert
Expert

i restart my vcenter server now after a few minute it not start now would you say me what is the priority restart between vcenter active- passive and witness

i think had to do try it manual

Please mark helpful or correct if my answer resolved your issue.
0 Kudos
baber
Expert
Expert

in this method just we have a down time for vcenter

Please mark helpful or correct if my answer resolved your issue.
0 Kudos
StephenMoll
Expert
Expert

Are you allowing enough time for the nodes to boot up?

VCSA can to take an age to fully start-up (at least in my experience).

Also when you think it is started, not all services may have started.

The web-service for example seems to require several more minutes to become fully operational, and I suspect this must be working for a failover to be triggered.

0 Kudos
baber
Expert
Expert

As I understood the best method is :

1- Remove vCenter HA

2- update vCenter appliance

3- setup vcHA

and finally we have down time in vcenter

Are these correct ?

BR

Babak

Please mark helpful or correct if my answer resolved your issue.
0 Kudos
sk84
Expert
Expert

We can discuss whether this is the best method or not. At least for me and all the infrastructures I manage, this way works best and causes the least problems. Other people may have different experiences and opinions with this topic (VCHA patching).

However, you will always have a downtime with a vCenter update. Either during the update itself, when VCHA is not active (in my experience 10-30 minutes) or during the failover between nodes (about 5-10 minutes).

1- Remove vCenter HA

2- update vCenter appliance

3- setup vcHA

If your management ip is on the active node, removing (destroying) the VCHA config will not cause a downtime. Also enabling VCHA will not cause any downtime. But you will have a downtime during the update of the vCenter appliance.

If your management ip is on the passive node (because of a failover in the past), the management ip will switch to the active node during removing VCHA. This will cause a short service interruption of maybe 5-10 minutes (and after that you will have a downtime again because of the update itself).

--- Regards, Sebastian VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
0 Kudos