Pre-check with security policy fails when upgrading to vSphere 7.0 or newer

Article ID: 319651

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • While upgrading from vSphere 6.x to vSphere 7.0, or from vSphere 7.x to 8.x, the pre-check with security policy might fail.
  • In the vCenter Server UI, you see a message similar to:

"Currently connected network interface" 'Network adapter 1' cannot use network '<Network Name>', because "the destination network on the destination host is configured for different offload or security policies than the source network on the source host".



Environment

  • VMware vCenter Server

Cause

This issue is caused by different security policies across hosts.

Note: The defaults for Forged Transmits and MAC address changes changed between the vSphere 6.x and 7.0 releases for security compliance reasons. These security policies now default to Reject instead of Accept.

Resolution

To resolve this issue, ensure the Security Policies on the original host/vSwitch/Port Group match the settings of the destination host/vSwitch/Port Group.

  • In the vCenter Server interface, navigate to Host > Configure > Virtual Switches
  • Select the Standard Virtual Switch in question and click Edit Security
  • Ensure all 3 settings (Promiscuous Mode, MAC address changes, and Forged Transmits) match on all hosts in the cluster (for example, if the source host is set to Reject on all three, every host needs them set to Reject)
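
The comparison in the last step can be scripted instead of checked host by host. The Python below is an added example, not part of the original article: it parses each host's standard vSwitch security policy and reports which of the three settings differ and on which hosts. It assumes the text was captured per host with `esxcli network vswitch standard policy security get -v <vSwitch>` and uses the labels shown; the host names and sample output are constructed, and port group overrides are not covered.

```python
# Added example: compare standard vSwitch security policy across hosts.
# Assumed input: per-host text in the label format of
#   esxcli network vswitch standard policy security get -v <vSwitch>
FIELDS = {  # esxcli label -> setting name used in the vSphere Client
    "Allow Promiscuous": "Promiscuous Mode",
    "Allow MAC Address Change": "MAC address changes",
    "Allow Forged Transmits": "Forged Transmits",
}

def parse_policy(text):
    """Parse one host's output into {setting name: 'Accept' | 'Reject'}."""
    policy = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        name = FIELDS.get(key.strip())
        if not sep or name is None:
            continue  # blank or unrelated line
        value = value.strip().lower()
        if value not in ("true", "false"):
            raise ValueError(f"unexpected value for {name!r}: {value!r}")
        policy[name] = "Accept" if value == "true" else "Reject"
    missing = [n for n in FIELDS.values() if n not in policy]
    if missing:
        raise ValueError(f"settings not found in output: {missing}")
    return policy

def find_mismatches(outputs):
    """outputs: {host: raw text}. Return {setting: {value: [hosts]}} for
    every setting that is not identical on all hosts."""
    policies = {host: parse_policy(text) for host, text in outputs.items()}
    mismatches = {}
    for setting in FIELDS.values():
        by_value = {}
        for host in sorted(policies):
            by_value.setdefault(policies[host][setting], []).append(host)
        if len(by_value) > 1:
            mismatches[setting] = by_value
    return mismatches

REJECT_ALL = ("   Allow Promiscuous: false\n   Allow MAC Address Change: false\n"
              "   Allow Forged Transmits: false\n")
# Constructed sample: esx01 still has Accept on two settings, the others Reject.
SAMPLE = {
    "esx01.example.test": REJECT_ALL.replace("Change: false", "Change: true")
                                    .replace("Transmits: false", "Transmits: true"),
    "esx02.example.test": REJECT_ALL,
    "esx03.example.test": REJECT_ALL,
}

if __name__ == "__main__":
    for setting, by_value in find_mismatches(SAMPLE).items():
        print(setting, {v: ", ".join(h) for v, h in by_value.items()})
```

An empty result from `find_mismatches` means all three settings agree on every host supplied.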