vSphere Lifecycle Manager or vSphere Update Manager compliance checks fail with the error: 'VMware vSphere Lifecycle Manager encountered an unknown error. Please review the events and log files for more information,' due to a TCP port 80 blockage.

Article ID: 320561

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • Compliance check tasks in vSphere Lifecycle Manager are failing for hosts managed using baselines.
  • Communication over port 80 between the ESXi host and vLCM is identified as blocked or restricted.

Environment

  • VMware vCenter Server 8.0.x
  • VMware vCenter Server 7.0.x

Cause

  • When executing scan or remediation tasks associated with an Upgrade baseline, vSphere Lifecycle Manager (vLCM) deploys a lightweight agent called the VMware Update Agent (VUA) to the ESXi host.
  • By default, vLCM communicates with the VUA over TCP port 80. If this port is blocked or inaccessible, the communication will fail, resulting in task failure.
  • In such cases, the vmware-vum-server.log file may contain errors similar to the following:
yyyy-mm-ddThh:mm:ss.Z info vmware-vum-server[44328] [Originator@6876 sub=ServerConnection] [serverConnection 93] connecting vua on port 80
[...]
yyyy-mm-ddThh:mm:ss.Z warning vmware-vum-server[44912] [Originator@6876 sub=IO.Connection] Failed to connect; <io_obj p:0x00007f5dbccb3998, h:30, <TCP '##.##.##.## : 34598'>, <TCP '##.##.##.## : 80'>>, e: 110(Connection timed out), duration: 129636msec
yyyy-mm-ddThh:mm:ss.Z warning vmware-vum-server[44912] [Originator@6876 sub=HttpConnectionPool-000000] Failed to get pooled connection; <cs p:00007f5dc80a3a50, TCP:##.##.##.##:80>, (null), duration: 129637msec, N7Vmacore15SystemExceptionE(Connection timed out)

Resolution

  • A company may enforce a security policy that prohibits the use of non-secure ports within the environment.
  • If port 80 cannot be allowed due to security restrictions, vLCM can be reconfigured to communicate with the VUA agent over an alternate port.
  • To modify the port used by vLCM:
    • SSH into the vCenter Server using root credentials.
    • Stop the vLCM Update Manager service:
      • service-control --stop updatemgr
    • Back up the vLCM configuration file (vci-integrity.xml):
      • cp /usr/lib/vmware-updatemgr/bin/vci-integrity.xml /usr/lib/vmware-updatemgr/bin/vci-integrity.bak
    • Edit the configuration file:
      • vi /usr/lib/vmware-updatemgr/bin/vci-integrity.xml
    • Locate and update the <upgradePort> value from 80 to an alternative open port (e.g., 443):
      • <vuaClient>
            <upgradePort>443</upgradePort>
        </vuaClient>
    • Save the file and restart the Update Manager service:
      • service-control --start updatemgr
    • Once the service is restarted, log in to vCenter and reattempt the Check Compliance operation.
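
The backup and edit steps above can be scripted so that only the <upgradePort> inside <vuaClient> changes and the result is verified before the service is restarted. This is an added example, not VMware's own tooling; the function name set_vua_upgrade_port and its return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not a VMware tool): back up vci-integrity.xml and set the
# <upgradePort> value inside <vuaClient>. The function name is hypothetical.
set_vua_upgrade_port() {
    cfg=$1
    port=$2

    # Accept only a plain decimal port in 1..65535 (no leading zero, no shell metacharacters).
    case $port in
        ''|0*|??????*|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;;
    esac
    [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 2; }
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 3; }

    # Fail loudly if the element is missing instead of silently changing nothing.
    if ! sed -n '/<vuaClient>/,/<\/vuaClient>/p' "$cfg" |
            grep -q '<upgradePort>[0-9]*</upgradePort>'; then
        echo "no <upgradePort> inside <vuaClient> in $cfg" >&2
        return 4
    fi

    # Backup step from the article: vci-integrity.xml -> vci-integrity.bak,
    # keeping the original mode and timestamps.
    bak="${cfg%.xml}.bak"
    cp -p "$cfg" "$bak" || return 5

    # Edit only between <vuaClient> and </vuaClient>. The new content is
    # written back into the existing file so its owner and mode are kept.
    tmp=$(mktemp) || return 5
    sed "/<vuaClient>/,/<\/vuaClient>/ s|<upgradePort>[0-9]*</upgradePort>|<upgradePort>${port}</upgradePort>|" \
        "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || { cp -p "$bak" "$cfg"; return 6; }

    # Verify the value now present in the file.
    sed -n '/<vuaClient>/,/<\/vuaClient>/p' "$cfg" |
        grep -q "<upgradePort>${port}</upgradePort>"
}

# On the appliance, wrapped in the article's stop/start steps:
#   service-control --stop updatemgr
#   set_vua_upgrade_port /usr/lib/vmware-updatemgr/bin/vci-integrity.xml 443
#   service-control --start updatemgr
```

A non-zero return leaves the backup in place, so the original file can be restored from vci-integrity.bak before the service is started again.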

Additional Information

Network Port Requirements -