Unable to power on VMs via vCenter on a Cluster using Guest Introspection

Article ID: 303261


Products

VMware vDefend Firewall

Issue/Introduction

Symptoms:

  • Powering on a VM fails when the GI SVM of a host is powered off.
  • The task hangs at 15%-35% with the status "Invoking Prechecks".

Cause

This is expected behavior for Guest Introspection (GI): vMotion of user VMs to an unprotected host should be blocked. Hosts can be configured to be protected by McAfee/Palo Alto Networks.

  • NSX involvement:

    - NSX deploys the security VM (e.g. McAfee) on the cluster via EAM when the admin configures the service for a cluster.
    - NSX informs EAM whether the service inside the security VM is Green/Red.

  • EAM involvement:

    - EAM performs the actual deployment of the security VM to each host in the cluster.
    - EAM, in conjunction with VC, blocks user VMs from powering on or vMotioning to a host that does not have a working security VM (assuming that GI is configured in the cluster).

Resolution

Power on the SVM. Once the GI service is marked as green, the VM power-on task completes successfully.
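
To find which hosts in a cluster have no powered-on SVM before retrying the power-on, a PowerCLI check along these lines can be used. This is an added example, not part of the original article or VMware's own tooling. It assumes an existing `Connect-VIServer` session; the cluster name and the SVM name pattern are hypothetical placeholders to replace with your own.

```powershell
# Added example. Assumes VMware PowerCLI is installed and Connect-VIServer
# has already been run against the vCenter that manages the cluster.
param(
    [string]$ClusterName    = 'Cluster-01',  # hypothetical cluster name
    [string]$SvmNamePattern = '*SVM*'        # hypothetical; match your partner SVM naming
)

$report = foreach ($vmHost in (Get-Cluster -Name $ClusterName | Get-VMHost)) {
    # All VMs on this host whose name matches the assumed SVM pattern
    $svms = @(Get-VM -Location $vmHost |
              Where-Object { $_.Name -like $SvmNamePattern })
    $poweredOn = @($svms | Where-Object { $_.PowerState -eq 'PoweredOn' })

    [pscustomobject]@{
        Host         = $vmHost.Name
        HostState    = $vmHost.ConnectionState
        SvmFound     = $svms.Count
        SvmPoweredOn = $poweredOn.Count
        SvmNames     = ($svms.Name -join ', ')
        # Only the SVM power state is checked here. The Green/Red service
        # health is reported by NSX and is not visible through this query.
        SvmRunning   = ($poweredOn.Count -gt 0)
    }
}

$report | Sort-Object Host | Format-Table -AutoSize

# Hosts where user VM power-on or vMotion is expected to be blocked
$unprotected = @($report | Where-Object { -not $_.SvmRunning })
if ($unprotected.Count -gt 0) {
    Write-Warning ("{0} host(s) without a powered-on SVM: {1}" -f `
        $unprotected.Count, ($unprotected.Host -join ', '))
} else {
    Write-Output 'Every host has a powered-on SVM; check the GI service status in NSX next.'
}
```

A host listed in the warning still needs its GI service to be marked green after the SVM is powered on.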