6.0.1
- A Virtual Machine that Runs a VPN Client Causes Denial of Service for Virtual Machines on the Host or Across a vSphere HA Cluster
Solution
- If the VPN software must continue its work on the virtual machine, allow the traffic out of the virtual machine and configure the physical switch port individually to pass the BPDU frames.

  Configuration by network device:
  - Distributed or standard switch: Set the Forged Transmit security property on the port group to Accept to allow BPDU frames to leave the host and reach the physical switch port. You can isolate the settings and the physical adapter for the VPN traffic by placing the virtual machine in a separate port group and assigning the physical adapter to the group.
    CAUTION: Setting the Forged Transmit security property to Accept to enable a host to send BPDU frames carries a security risk because a compromised virtual machine can perform spoofing attacks.
  - Physical switch:
    - Keep the Port Fast enabled.
    - Enable the BPDU filter on the individual port. When a BPDU frame arrives at the port, it is filtered out.
    NOTE: Do not enable the BPDU filter globally. If the BPDU filter is enabled globally, the Port Fast mode becomes disabled and all physical switch ports perform the full set of STP functions.
- To deploy a bridge device between two virtual machine NICs connected to the same Layer 2 network, allow the BPDU traffic out of the virtual machines and deactivate Port Fast and BPDU loop prevention features.

  Configuration by network device:
  - Distributed or standard switch: Set the Forged Transmit property of the security policy on the port groups to Accept to allow BPDU frames to leave the host and reach the physical switch port. You can isolate the settings and one or more physical adapters for the bridge traffic by placing the virtual machine in a separate port group and assigning the physical adapters to the group.
    CAUTION: Setting the Forged Transmit security property to Accept to enable bridge deployment carries a security risk because a compromised virtual machine can perform spoofing attacks.
  - Physical switch:
    - Disable Port Fast on the ports to the virtual bridge device to run STP on them.
    - Disable BPDU guard and filter on the ports facing the bridge device.
- Protect the environment from DoS attacks in any case by activating the BPDU filter on the ESXi host or on the physical switch.
  - On a host running ESXi 4.1 Update 3, ESXi 5.0 Patch 04 and later 5.0 releases, and ESXi 5.1 Patch 01 and later, enable the Guest BPDU filter in one of the following ways and reboot the host:
    - In the Advanced System Settings table on the Manage tab for the host in the vSphere Web Client, set the Net.BlockGuestBPDU property to 1.
    - In an ESXi Shell to the host, type the following vCLI command:

      esxcli system settings advanced set -o /Net/BlockGuestBPDU -i 1

  - On a host that does not have the Guest BPDU filter implemented, enable the BPDU filter on the physical switch port to the virtual bridge device.

    Configuration by network device:
    - Distributed or standard switch: Set the Forged Transmit property of the security policy on the port group to Reject.
    - Physical switch:
      - Keep the Port Fast configuration.
      - Enable the BPDU filter on the individual physical switch port. When a BPDU frame arrives at the physical port, it is filtered out.
      NOTE: Do not enable the BPDU filter globally. If the BPDU filter is enabled globally, the Port Fast mode becomes disabled and all physical switch ports perform the full set of STP functions.
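The following audit script is an added example, not VMware's code: it reads the two settings this procedure changes and reports which of the configurations above a standard-switch port group matches. The sample outputs are constructed, modeled on esxcli key/value output; the verdict names and the default port group name "VM Network" are assumptions.

```shell
#!/bin/sh
# Added example: classify a host and one standard-switch port group against
# the BPDU guidance above. Distributed switches are not covered.

# Constructed samples, modeled on esxcli "Key: value" output.
SAMPLE_ADV='   Path: /Net/BlockGuestBPDU
   Type: integer
   Int Value: 0
   Default Int Value: 0'

SAMPLE_POLICY='   Allow Promiscuous: false
   Allow MAC Address Change: false
   Allow Forged Transmits: true'

# field_value TEXT KEY -> value of the first line that starts with "KEY:".
# Anchoring at line start keeps "Default Int Value" from matching "Int Value".
field_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# classify ADV_OUTPUT POLICY_OUTPUT -> verdict (names are assumptions):
#   host-filter-on    Net.BlockGuestBPDU is 1, the Guest BPDU filter is enabled
#   bpdu-leaves-host  no host filter and Forged Transmit is Accept, so only a
#                     per-port BPDU filter on the physical switch remains
#   forged-reject     no host filter, Forged Transmit is Reject
# An empty ADV_OUTPUT stands for a host without the Guest BPDU filter option.
classify() {
    filter=$(field_value "$1" 'Int Value')
    forged=$(field_value "$2" 'Allow Forged Transmits')
    case "$filter:$forged" in
        1:*)            echo host-filter-on ;;
        0:true|:true)   echo bpdu-leaves-host ;;
        0:false|:false) echo forged-reject ;;
        *)              echo unknown ;;
    esac
}

# On an ESXi host, classify live output for one port group.
if command -v esxcli >/dev/null 2>&1; then
    pg=${1:-VM Network}
    adv=$(esxcli system settings advanced list -o /Net/BlockGuestBPDU 2>/dev/null)
    pol=$(esxcli network vswitch standard portgroup policy security get -p "$pg")
    echo "$pg: $(classify "$adv" "$pol")"
fi
```

A `bpdu-leaves-host` verdict is the case the CAUTION notes describe: confirm the port group is isolated and that the facing physical port filters BPDUs individually.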
vSphere Troubleshooting
90 VMware, Inc.