Why you should always upgrade vCenter before ESXi
Here it is, scenario as many other, nothing different from other Nutanix POC’s I did for past few years. Existing vSphere vCenter 5.5 U1 and brand new Nutanix deployment with vSphere ESXi 5.5 U3b. But … there is always but. Generally, setup like this is supported by VMware but when I tried to add ESXi to vCenter I got error message
Cannot connect to specific host. The host may not be available on the network, a network configuration problem may exist, or the management services on this host may not be responding
After several minutes of troubleshooting potential network issues it was obvious to me I should look for cause in different place. Going though out vpxd.log in vCenter I found interesting entry:
2016-07-22T14:44:12.729Z [07448 error 'HttpConnectionPool-000001'] [ConnectComplete] Connect failed to <cs p:0000000017ddfdf0, TCP:esx01.gso.lab:443>; cnx: (null), error: class Vmacore::Ssl::SSLException(SSL Exception: error:140000DB:SSL routines:SSL routines:short read) 2016-07-22T14:44:12.729Z [07400 error 'httphttpUtil' opID=30D532A7-00000053-90] [HttpUtil::ExecuteRequest] Error in sending request - SSL Exception: error:140000DB:SSL routines:SSL routines:short read 2016-07-22T14:44:12.729Z [07400 error 'vpxdvpxdHostAccess' opID=30D532A7-00000053-90] [VpxdHostAccess::Connect] Failed to discover version: vim.fault.HttpFault
Quick search on kb.vmware.com and I have found that in vSphere ESXi 5.5 U3b SSL v3 has been disabled due to POODLE vulnerability. In release notes VMware states:
Support for SSLv3 protocol is disabled by default
Note: In your vSphere environment, you need to update vCenter Server to vCenter Server 5.5 Update 3b before updating ESXi to ESXi 5.5 Update 3b. vCenter Server will not be able to manage ESXi 5.5 Update 3b, if you update ESXi before updating vCenter Server to version 5.5 Update 3b. For more information about the sequence in which vSphere environments need to be updated, refer KB 2057795.
VMware highly recommends you to update ESXi hosts to ESXi 5.5 Update 3b while managing them from vCenter Server 5.5 Update 3b.
VMware does not recommend re-enabling SSLv3 due to POODLE vulnerability. If at all you need to enable SSLv3, you need to enable the SSLv3 protocol for all components. For more information, refer KB 2139396.
Nevertheless, if you really do not want or you can’t (for different reasons), upgrade vCenter server to version 5.5U3b then you can enable SSL3 back on ESXi hosts and join them to vCenter.
First edit config file /etc/vmware/rhttpproxy/config.xml on ESXi host and find section <vmacore> and subsection <ssl> . Add line:
between <ssl> and </ssl> and restart rhttpproxy service by /etc/init.d/rhttpproxy restart command.
NOTE: after this change you are running unsupported configuration by VMware