Thursday, 19 December 2013

Port numbers that must be open for Site Recovery Manager, vSphere Replication, and vCenter Server (1009562)

Symptoms

Site Recovery Manager (SRM) and vSphere Replication can experience problems if the required network ports are not open.
  • Site Recovery Manager fails to establish site pairing due to connection termination over port 8095.
  • Site Recovery Manager connection to remote site breaks frequently.

Purpose

In an SRM or vSphere Replication deployment, both the protected and recovery sites must be able to resolve their connected vCenter Server by name. The respective ports must be open on both sites for uninterrupted communication.

For the list of default ports that all VMware products use, see TCP and UDP Ports required to access vCenter Server, ESXi/ESX hosts, and other network components (1012382).

Resolution

You must ensure that all the required network ports are open for SRM and vSphere Replication to function correctly.
General networking guidelines:
  • When troubleshooting SRM and vSphere Replication pairing and testing issues, eliminate firewalls and security applications as a possible cause of the problem by temporarily disabling or removing the software or item in question.
  • If you are using a VPN adapter such as SonicWALL or Juniper, ensure that the timeout setting is set to the maximum for any tunnel that is open on the required ports.

Site Recovery Manager 5.x and vSphere Replication 1.0.x and 5.x network ports

The different components that make up SRM and vSphere Replication deployments, namely vCenter Server, SRM Server, the vSphere Replication appliance, and vSphere Replication servers, require different ports to be open.

[Image: the ports that SRM and vSphere Replication use]

Note: For the full size image and other graphic representations of the port relationships, see the images attached at the bottom of this article.



vCenter Server and ESXi 5.x network ports that SRM requires

SRM and vSphere Replication require certain ports to be open on vCenter Server:

| Default Port | Protocol or Description | Source | Target | Description |
| --- | --- | --- | --- | --- |
| 80 | HTTP | SRM | Remote vCenter Server | All management traffic to SRM Server goes to port 80 on the vCenter Server proxy system. |
| 443 | HTTPS | SRM | vCenter Server | Default SSL Web port |
| 902 | TCP | SRM | Remote ESXi host | Traffic from the SRM Server on the recovery site to ESX hosts when recovering or testing virtual machines with IP customization, with configured callout commands on recovered virtual machines, or that use raw disk mapping (RDM). All NFC traffic for updating or patching the VMX files of virtual machines that are replicated using vSphere Replication use this port. |

SRM Server 5.x network ports

The SRM Server instances on the protected and recovery sites require certain ports to be open.

Note: SRM Server at the recovery site must have NFC traffic access to the target ESXi servers.

| Default Port | Protocol or Description | Source | Target | Endpoints or Consumers |
| --- | --- | --- | --- | --- |
| 80 | TCP | SRM | Remote vCenter Server | All management traffic to SRM Server goes to port 80 on the vCenter Server proxy system. |
| 80 | TCP | SRM | Local vCenter Server | Management traffic to the local vSphere Replication management server (VRMS) goes to port 80 on the local vCenter Server proxy system. |
| 443 | TCP | SRM | vCenter Server | Default SSL Web Port for incoming TCP traffic |
| 902 | TCP and UDP | SRM | Remote ESXi host | Traffic from the SRM Server on the recovery site to ESXi hosts when recovering or testing virtual machines with IP customization, with configured callout commands on recovered virtual machines, or that use raw disk mapping (RDM). All NFC traffic for updating or patching the VMX files of virtual machines that are replicated using vSphere Replication use this port. |
| 1433 | TCP | SRM | Microsoft SQL Server | SRM connectivity to Microsoft SQL Server (for SRM database) |
| 1521 | TCP | SRM | Oracle Database Server | SRM database connectivity to Oracle |
| 1526 | TCP | SRM | Oracle Database Server | SRM database connectivity to Oracle |
| 5000 | TCP | SRM | IBM DB2 Database Server | SRM database connectivity to IBM DB2 |
| 8095 | SOAP | vCenter Server and vSphere Client | SRM | From the vCenter Server proxy to the SRM Server (intrasite only). |
| 9007 | TCP | SRM External API Client | SRM | Used by external API clients for task automation. |
| 9085 | HTTP | vCenter Server | SRM | HTTP interface for downloading the UI plug-in and icons. This port must be accessible from the vCenter Server proxy system. |
| 9086 | HTTPS | vCenter Server | SRM | SRM client plug-in download between the vCenter Server proxy and SRM. |

vSphere Replication Appliance 5.x network ports

The vSphere Replication appliance requires certain ports to be open. In SRM 5.1 and later and vSphere Replication 5.x, vSphere Replication is shipped as a combined appliance that contains both the vSphere Replication management server (VRMS) and a vSphere Replication server. SRM 5.x allows you to deploy additional vSphere Replication servers.

Note: vSphere Replication management servers must have NFC traffic access to target ESXi hosts.

| Default Port | Protocol or Description | Source | Target | Endpoints or Consumers |
| --- | --- | --- | --- | --- |
| 80 | TCP | vSphere Replication appliance | Remote vCenter Server | All management traffic to the vSphere Replication appliance goes to port 80 on the vCenter Server proxy system. |
| 80 | HTTP | vSphere Replication appliance | Remote ESXi host | Used to establish the connection before initial replication starts |
| 902 | TCP and UDP | vSphere Replication server in the vSphere Replication appliance | Remote ESXi host | Used by vSphere Replication servers to send replication traffic to the destination ESXi hosts. |
| 5480 | vSphere Replication appliance virtual appliance management interface (VAMI) Web UI (vSphere Replication 5.x) | Browser | vSphere Replication 5.x appliance | Administrator's Web browser. |
| 8043 | SOAP | vCenter Server Proxy | vSphere Replication appliance | From the vCenter Server proxy to the vSphere Replication appliance (intrasite only). |
| 8123 | SOAP | vSphere Replication appliance | vSphere Replication server | Management traffic from the vSphere Replication appliance to additional vSphere Replication servers (intrasite only). |
| 31031 | Initial replication traffic | ESXi host on primary site | vSphere Replication server in the vSphere Replication appliance | From the ESXi host at the protected site to the vSphere Replication appliance or vSphere Replication server at the recovery site. |
| 44046 | Ongoing replication traffic | ESXi host on primary site | vSphere Replication server in the vSphere Replication appliance | From the ESXi host at the protected site to the vSphere Replication appliance or vSphere Replication server at the recovery site. |

vSphere Replication Management Server 1.0.x network ports

The vSphere Replication appliance requires certain ports to be open. SRM 5.0.x includes vSphere Replication 1.0.x. In vSphere Replication 1.0.x, vSphere Replication consists of a vSphere Replication management server (VRMS) appliance and one or more vSphere Replication servers.

Note: vSphere Replication management servers must have NFC traffic access to target ESXi hosts.

| Default Port | Protocol or Description | Source | Target | Endpoints or Consumers |
| --- | --- | --- | --- | --- |
| 80 | TCP | vSphere Replication management server | Remote vCenter Server | All management traffic to the vSphere Replication management server goes to port 80 on the vCenter Server proxy system. |
| 80 | HTTP | vSphere Replication management server | Remote ESXi host | Used to establish the connection before initial replication starts |
| 902 | TCP and UDP | vSphere Replication management server and vSphere Replication server | Remote ESXi host | Used by vSphere Replication servers to send replication traffic to the destination ESXi hosts. |
| 8043 | SOAP | vCenter Server Proxy | vSphere Replication management server | From the vCenter Server proxy to the vSphere Replication management server (intrasite only). |
| 8080 | VRMS virtual appliance management interface (VAMI) Web UI | Browser | VRMS 1.0.x | Administrator's Web browser. |
| 8123 | SOAP | vSphere Replication management server | vSphere Replication server | Management traffic from the vSphere Replication management server to the vSphere Replication servers (intrasite only). |

vSphere Replication Server 1.0.x and 5.x network ports

The vSphere Replication 5.x appliance contains a vSphere Replication server. You can deploy additional vSphere Replication servers if you use vSphere Replication 5.1 with SRM 5.1 or if you use vSphere Replication 5.5. You cannot deploy additional vSphere Replication servers if you use vSphere Replication 5.1 without SRM.

SRM 5.0.x includes vSphere Replication 1.0.x. In vSphere Replication 1.0.x, vSphere Replication consists of a vSphere Replication management server (VRMS) appliance and one or more vSphere Replication server appliances that you deploy separately from the VRMS.

If you deploy additional vSphere Replication servers, ensure that the subset of the ports that vSphere Replication servers require are open on those servers.

| Default Port | Protocol or Description | Source | Target | Endpoints or Consumers |
| --- | --- | --- | --- | --- |
| 902 | TCP and UDP | vSphere Replication server | Remote ESXi host | Traffic (specifically the NFC service to the destination ESXi servers) between the vSphere Replication server and the ESXi hosts on the same site. |
| 5480 | VAMI Web UI for any additional vSphere Replication servers | Browser | vSphere Replication server | Administrator's Web browser. |
| 8123 | SOAP | vSphere Replication management server | vSphere Replication server | Management traffic from the vSphere Replication appliance or VRMS to the vSphere Replication servers (intrasite only). |
| 31031 | Initial replication traffic | ESXi host on primary site | vSphere Replication server | From the ESXi host at the protected site to the vSphere Replication appliance or vSphere Replication server at the recovery site. |
| 44046 | Ongoing replication traffic | ESXi host on primary site | vSphere Replication server | From the ESXi host at the protected site to the vSphere Replication appliance or vSphere Replication server at the recovery site. |

Network ports that must be open between the SRM and vSphere Replication protected and recovery sites

SRM and vSphere Replication require that the protected and recovery sites can communicate.

| Port | Protocol or Description | Source | Target | Endpoints or Consumers |
| --- | --- | --- | --- | --- |
| 80 | SOAP | SRM and vSphere Replication appliance or VRMS | Remote vCenter Server | Management traffic between SRM Server instances and vSphere Replication appliances or VRMS. |
| 8043 | SOAP | vSphere Client | vSphere Replication appliance 5.x or VRMS 1.0.x | To allow the SRM UI to verify vSphere Replication appliance or VRMS certificates. |
| 8095 | SOAP | vSphere Client | SRM | To allow the SRM UI to verify SRM Server certificates. |
| 31031 | Initial replication traffic | ESXi host | vSphere Replication appliance 5.x or vSphere Replication server | From the ESXi host at the protected site to the vSphere Replication appliance or vSphere Replication server at the recovery site. |
| 44046 | Ongoing replication traffic | ESXi host | vSphere Replication appliance 5.x or vSphere Replication server | From the ESXi host at the protected site to the vSphere Replication appliance or vSphere Replication server at the recovery site. |
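
A reachability check for the inter-site flows listed in the table above, added here as an example (it is not VMware tooling and not part of the original article). The role names and the `probe` and `check_from` helpers are hypothetical, and hostnames are supplied by the caller. It goes slightly beyond the table by also reporting name-resolution failures, since both sites must resolve their vCenter Server by name.

```python
import socket
import sys

# Inter-site TCP flows from the table above: (port, source role, target role).
# Role names are hypothetical labels for this example, not VMware identifiers.
INTERSITE_FLOWS = [
    (80, "srm", "remote_vcenter"),
    (80, "vr_appliance", "remote_vcenter"),        # VR appliance 5.x or VRMS 1.0.x
    (8043, "vsphere_client", "remote_vr_appliance"),
    (8095, "vsphere_client", "remote_srm"),
    (31031, "esxi", "remote_vr_server"),           # initial replication
    (44046, "esxi", "remote_vr_server"),           # ongoing replication
]


def probe(host, port, timeout=3.0):
    """Attempt one TCP handshake and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unresolved"    # name lookup failed for the target host
    except socket.timeout:
        return "filtered"      # no reply in time: typical of a firewall silently dropping
    except ConnectionRefusedError:
        return "refused"       # reset received: nothing listening, or a firewall reject
    except OSError:
        return "unreachable"   # routing or other network-level error


def check_from(role, targets, flows=INTERSITE_FLOWS, timeout=3.0):
    """Probe only the flows whose source is `role` (the machine this runs on).

    `targets` maps a target role to the hostname to test, for example
    {"remote_srm": "<recovery-site SRM hostname>"}.
    """
    results = []
    for port, source, target in flows:
        if source == role and target in targets:
            host = targets[target]
            results.append((port, target, host, probe(host, port, timeout)))
    return results


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("usage: check_ports.py ROLE target_role=hostname [...]")
    else:
        role = sys.argv[1]
        targets = dict(arg.split("=", 1) for arg in sys.argv[2:])
        for port, target, host, state in check_from(role, targets):
            print(f"{role} -> {target} ({host}) tcp/{port}: {state}")
```

A result of `open` only confirms the TCP handshake from the machine the check runs on; UDP 902 and VPN tunnel idle timeouts are outside what it sees.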

Site Recovery Manager 1.0 - 4.1.x network ports

  • VMware VirtualCenter/vCenter Server:
    • 80 – HTTP
    • 443 – SSL interface
    • 902 – VMware
    • 8096 – Tomcat

    Note: The vSphere Client must be able to communicate with vCenter Server through ports 8095 and 9007 for the SRM plug-in to function.
  • VMware Site Recovery Manager:
    • 80 – HTTP
    • 8095 – SOAP interface between the vCenter Server proxy and SRM
    • 8096 – HTTP Listen
    • 9007 – SOAP interface for external API clients
    • 9008 – HTTP Listen

    Note: The vSphere Client must be able to communicate with both SRM servers through port 8095 for the SRM plug-in to function.

Storage Replication Adapters (SRAs) for VMware SRM 5.1

Storage replication adapters are not part of an SRM release. Your array vendor develops and supports them.
You can download storage replication adapters and their documentation from https://my.vmware.com/web/vmware/details?productId=291&downloadGroup=SRM5111. VMware does not support SRAs that you download from other sites. You must install an SRA specific to each array that you use with SRM on the SRM Server host. SRM supports the use of multiple SRAs.

Tuesday, 26 November 2013

The Management Network vSwitch is deleted on the ESXi host (1010992)

Purpose

This article provides steps for troubleshooting a situation where the Management Network vSwitch is deleted on the ESXi host.

Resolution

You must restore the network settings to the default settings.

Note: This procedure requires you to re-register virtual machines and recreate VMkernel ports and vSwitches.

To restore your network settings:
  1. Use the Direct Connect UI (DCUI) to connect to the ESXi host.
  2. Click Reset System Configuration.
  3. Reboot the ESXi host.
  4. Enter the networking information. For more information, see Configuring the ESXi Management Network from the direct console (1006710).
  5. Do a test ping using the DCUI. If successful, you can access the ESXi host using the VI Client.
  6. Re-register virtual machines and recreate your vSwitches. For more information, see the ESXi documentation.

Friday, 22 November 2013

Best practices for joining vCenter Servers in Linked Mode (2005481)

Purpose

This article provides best practices when working with vCenter Server Linked Mode, as well as steps to troubleshoot vCenter Server Linked Mode issues.

Resolution

Best practices

 
When working with vCenter Server Linked Mode issues, follow these best practices:
  • If the vCenter Server is joined to a domain, ensure that it can communicate with the Domain Controller. If Domain Controller communication problems exist, remove and add the vCenter Server to the Windows domain.
  • Ensure that all vCenter Server system times are synchronized with a time difference of no greater than 5 minutes.
  • Ensure that all vCenter Server instances are the same version and build. For more information, see Cannot access instances of vCenter Server in Linked Mode configuration after upgrading to vCenter Server 4.1 (1026346).
  • Ensure that the VirtualCenter Server Service uses an account with rights to logon as a service/batch job.
  • The vCenter Server Linked Mode Configuration tool must be run by a domain user that is also a local administrator on both machines where vCenter Server is installed.
  • Different Windows domains for vCenter Servers are permitted only if there is a two-way trust between the two domains. Ensure this is true from both Windows domains.
  • If User Account Control (UAC) is enabled, be sure to use Run as administrator when starting the vCenter Server Linked Mode Configuration tool.
  • Ensure that the vCenter Server Windows machine name matches the Domain/DNS name.

    Note: Instancename, VimWebServicesUrl, and VimApiUrl keys must match. For more information, see ESX and vCenter Server Installation Guide.
  • Ensure that the Windows firewall service is running but the firewall is turned off.

Verifying the initial replication

The Jointool/vCenter Server installer does a large set of checks to validate initial replication between instances. Issues with joining two instances are usually due to errors in initial replication. However, after a successful join (especially with more than two total instances in the vCenter Server linked mode group), some instances may not see all instances in the group.
 
To see if ADAM replication is the issue, perform these steps on all concerned vCenter Server machines:
  1. Click Start > Administrative Tools > ADSI Edit.
  2. Right-click ADSI Edit in the left pane and click Connect to.
  3. Under Connection Point in the Distinguished Name box, enter dc=virtualcenter,dc=vmware,dc=int
  4. Under Computer in the domain or server box, enter localhost:389, then click OK. This opens up a new connection to our application partition in ADAM.
  5. Expand Default naming context and drill down clicking the OU=Instances container on the left pane. You see entries (GUIDs) under OU=Instances for the vCenter Servers in your setup.

    This list should be identical on every replica (and the primary). It does not guarantee that replication will continue to succeed, but it does indicate that initial replication during installation was successful.

Verifying the Health service status

To verify the Health service status for the LDAP Replication Monitor, install the service-monitoring vSphere Client plugin as part of all vCenter Server installs:
  1. In vSphere Client, click Home.
  2. Click vCenter Server Service Status in the Administration section.

    Note: If you do not see vCenter Service Status, you have to enable the plugin by clicking Plug-ins > Manage plug-ins.

Troubleshooting replication issues

To troubleshoot replication issues:
  1. Click Start > Administrative Tools > Event Viewer.
    • Review the Event Viewer Log entries for related ADAM instance (VMwareVCMSDS or something similar) events. Record any warning or error messages you find.
    • Warning messages involving replication are often explicit. For example:

      8453 Replication access was denied.
      1772 The list of RPC servers available for the binding of auto handles has been exhausted.

      Note: This error is often a symptom of firewalls blocking ports (RPC mapper runs on port 135, and needs ports > 1024 to be open on the machine).
  2. Run Knowledge Consistency Check (KCC) from the command line to confirm replication is the problem. Run KCC on the replica machine:

    • C:\Windows\ADAM\repadmin.exe /kcc localhost:389 (to confirm local consistency)
    • C:\Windows\ADAM\repadmin.exe /kcc remoteVCFQDN:remotePort (to confirm remote primary consistency)

      If either of these returns an error, inform VMware if you open a Support Request.
  3. Forcing replication can help diagnose issues. To force replication between ADAM instances:

    C:\WINDOWS\ADAM>repadmin /replicate remote-vc:remote-vc-adam-port local-vc-fqdn:local-adam-port dc=virtualcenter,dc=vmware,dc=int

    This is an example of successful replication:

    C:\WINDOWS\ADAM>repadmin /replicate vm08.PDPVC.com:389 vm04.PDPVC.com:389 dc=virtualcenter,dc=vmware,dc=int
    Positive response:
    Sync from vm04.PDPVC.com:389 to vm08.PDPVC.com:389 completed successfully.

    This is an example of failed replication:

    DsBindWithCred to vm04.pdpvc.com failed with status 1753 (0x6d9):There are no more endpoints available from the endpoint mapper
  4. To verify inbound and outbound replication from one machine, run the command:

    repadmin /syncall localhost:vc-ldap-port 
  5. Run directory service tests with dcdiag. This runs a comprehensive list of tests to help diagnose what may have failed with the replication (such as name resolution and/or referrals):

    (c:\windows\adam or c:\windows\system32) dcdiag /s:localhost:vc-ldap-port

Tuesday, 19 November 2013

vMA User Account Privileges

Account Privileges for vCLI Usage lists the privileges that the different user accounts have for vCLI usage against different targets.