"You have no privileges to view this object or it does not exist" message while accessing Lifecycle Manager in the vSphere Client of a vCenter Server in Enhanced Linked Mode

Article ID: 320779

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
1. Lifecycle Manager shows the errors "unexpected error has occurred." and "You have no privileges to view this object or it does not exist." when you navigate to vSphere Client --> Home --> Lifecycle Manager.

2. In /var/log/vmware/vsphere-ui/logs/vsphere-client-virgo.log, the following 'connect timed out' message appears for port 8084:

[YYYY-MM-DDTHH:MM:SS] [INFO ] -nio-127.0.0.1-5090-exec-363  com.vmware.vum.client.remoting.impl.VumServiceImpl                Connecting to https://vcenter.sample.domain:8084/vci/sdk with VMODL version class version1
[YYYY-MM-DDTHH:MM:SS] [WARN ] -nio-127.0.0.1-5090-exec-363  com.vmware.vum.client.remoting.impl.VumServiceImpl                Request failed com.vmware.vim.vmomi.client.exception.ConnectionException: https://vcenter.sample.domain:8084/vci/sdk invocation failed with "org.apache.http.conn.ConnectTimeoutException: Connect to vcenter.sample.domain:8084 [vcenter.sample.domain/IP] failed: connect timed out"
        at com.vmware.vim.vmomi.client.common.impl.ResponseImpl.setError(ResponseImpl.java:265)
        at com.vmware.vim.vmomi.client.http.impl.HttpExchangeBase.setResponseError(HttpExchangeBase.java:362)
        at com.vmware.vim.vmomi.client.http.impl.HttpExchange.invokeWithinScope(HttpExchange.java:59)
        at com.vmware.vim.vmomi.core.tracing.OtelTracer$OtelSpan.runWithinSpanContext(OtelTracer.java:227)
        at com.vmware.vim.vmomi.client.http.impl.TracingScopedRunnable.run(TracingScopedRunnable.java:17)
        at com.vmware.vim.vmomi.client.http.impl.HttpExchangeBase.run(HttpExchangeBase.java:52)
        at com.vmware.vim.vmomi.client.http.impl.HttpProtocolBindingBase.executeRunnable(HttpProtocolBindingBase.java:229)

3. SSL handshake failed errors are seen in /var/log/vmware/vsphere-ui/logs/vsphere-client-virgo.log:

Caused by: com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLException: SSL handshake from 0.0.0.0/0.0.0.0:36176 to vcenter.sample.domain/x.x.x.x:8084 failed in 18 ms
        at com.vmware.vim.vmomi.client.common.impl.ResponseImpl.setError(ResponseImpl.java:265)
        at com.vmware.vim.vmomi.client.http.impl.HttpExchangeBase.setResponseError(HttpExchangeBase.java:362)
        at com.vmware.vim.vmomi.client.http.impl.HttpExchange.invokeWithinScope(HttpExchange.java:59)
        at com.vmware.vim.vmomi.core.tracing.OtelTracer$OtelSpan.runWithinSpanContext(OtelTracer.java:227)
        at com.vmware.vim.vmomi.client.http.impl.TracingScopedRunnable.run(TracingScopedRunnable.java:17)
        at com.vmware.vim.vmomi.client.http.impl.HttpExchangeBase.run(HttpExchangeBase.java:52)
        at com.vmware.vim.vmomi.client.http.impl.HttpProtocolBindingBase.executeRunnable(HttpProtocolBindingBase.java:229)
        at com.vmware.vim.vmomi.client.http.impl.HttpProtocolBindingImpl.send(HttpProtocolBindingImpl.java:128)
        at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl$CallExecutor.sendCall(MethodInvocationHandlerImpl.java:693)
        at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl$CallExecutor.executeCall(MethodInvocationHandlerImpl.java:674)
        at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl.completeCall(MethodInvocationHandlerImpl.java:371)
        at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl.invokeOperation(MethodInvocationHandlerImpl.java:322)
        at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl.invoke(MethodInvocationHandlerImpl.java:195)
        at com.sun.proxy.$Proxy1033.retrieveVcIntegrityContent(Unknown Source)
        at com.vmware.vum.client.remoting.impl.VumServiceImpl.connect(VumServiceImpl.java:425)

Environment

VMware vCenter Server

Cause

TCP port 8084 is mandatory in Enhanced Linked Mode (ELM) topologies: vSphere Lifecycle Manager uses it to exchange information between the vCenter Server (VC) nodes.

Port 8084 may be open between the vCenter Servers in ELM, yet the firewall rules in the customer environment can still block traffic between the vCenter Servers over port 8084.

Resolution

  1. Verify port connectivity on TCP port 8084 between all the VC nodes of the ELM topology.
  2. Run the following command on each vCenter Server to make sure there is connectivity to every other vCenter Server in linked mode:
    • curl -v -k --connect-timeout 30 "https://vcenter.sample.domain:8084"
    • Below is the failed output when the port is blocked or not open in the firewall.
      root@vcenter [ ~ ]# curl -v -k --connect-timeout 30 "https://vcenter.sample.domain:8084"
      * Host vcenter.sample.domain:8084 was resolved.
      * IPv6: (none)
      * IPv4: x.x.x.x
      *   Trying x.x.x.x:8084...
      * ipv4 connect timeout after 30000ms, move on!
      * Failed to connect to vcenter.sample.domain port 8084 after 30002 ms: Timeout was reached
      * Closing connection
      curl: (28) Failed to connect to vcenter.sample.domain port 8084 after 30002 ms: Timeout was reached
       
    • Unblock the port if the above output confirms that the connection is failing.
    • Once the port is opened in the physical firewall, output like the following may be seen.
      root@vcenter [ ~ ]# curl -v -k --connect-timeout 30 "https://vcenter.sample.domain:8084"
      * Host vcenter.sample.domain:8084 was resolved.
      * IPv6: (none)
      * IPv4: x.x.x.x
      *   Trying x.x.x.x:8084...
      * Connected to vcenter.sample.domain (x.x.x.x) port 8084
      * ALPN: curl offers http/1.1
      * TLSv1.3 (OUT), TLS handshake, Client hello (1):
      * TLSv1.3 (IN), TLS handshake, Server hello (2):
      * TLSv1.2 (IN), TLS handshake, Certificate (11):
      * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
      * TLSv1.2 (IN), TLS handshake, Server finished (14):
      * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
      * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
      * TLSv1.2 (OUT), TLS handshake, Finished (20):
      * TLSv1.2 (IN), TLS handshake, Finished (20):
      * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / prime256v1 / RSASSA-PSS
      * ALPN: server accepted http/1.1
      * Server certificate:
      *  subject: CN=vcenter.sample.domain; C=US
      *  start date:
      *  expire date:
      *  issuer: CN=CA; DC=vsphere; DC=local; C=US; ST=California; O=vcenter.sample.domain; OU=VMware Engineering
      *  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
      *   Certificate level 0: Public key type RSA (3072/128 Bits/secBits), signed using sha256WithRSAEncryption
      * using HTTP/1.x
      > GET /sdk HTTP/1.1
      > Host: vcenter.sample.domain:8084
      > User-Agent: curl/8.7.1
      > Accept: */*
      >
      * Request completely sent off
      < HTTP/1.1 501 Not Implemented
      < date:
      < content-type: text/plain; charset=utf-8
      < content-length: 0
      < x-envoy-upstream-service-time: 1
      <
      * Connection #0 to host vcenter.sample.domain left intact
  3. If the issue persists even though the port connectivity check succeeds, engage the internal network/security team to validate the firewall rules for port 8084. The fact that port 8084 is listening on one vCenter and reachable on the network path doesn't guarantee that traffic can actually flow between the two. A firewall can drop or reject packets for TCP/UDP 8084, even if the service itself is running and listening on that port.
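
The check in steps 1 to 3, as an added example that is not part of the original article: it runs the article's curl probe against each ELM peer and maps curl's exit code to the stage that failed, which separates the 'connect timed out' symptom from the 'SSL handshake failed' symptom. The peer hostnames passed as arguments and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not VMware code): probe TCP 8084 on every ELM peer and
# say which stage failed. Peer hostnames are supplied by the operator.

PORT=8084
TIMEOUT=30

# Map a curl exit code to the failure stage it indicates on port 8084.
classify_rc() {
  case "$1" in
    0)  echo "OK: TCP connect and TLS handshake completed" ;;
    6)  echo "DNS: peer name did not resolve" ;;
    7)  echo "REFUSED: connection rejected, or nothing listening on the port" ;;
    28) echo "TIMEOUT: packets dropped on the path ('connect timed out' symptom)" ;;
    35) echo "TLS: TCP connected but handshake failed ('SSL handshake failed' symptom)" ;;
    56) echo "RESET: connection cut after it was established" ;;
    *)  echo "OTHER: curl exit code $1" ;;
  esac
}

# Probe one peer and print curl's exit code.
# -k matches the article's command: this checks reachability, not certificate trust.
probe_peer() {
  local rc=0
  curl -s -k -o /dev/null --connect-timeout "$TIMEOUT" "https://$1:$PORT" || rc=$?
  echo "$rc"
}

# Probe every peer, print one line per peer, return the number of failing peers.
check_elm_peers() {
  local failed=0 peer rc
  for peer in "$@"; do
    rc=$(probe_peer "$peer")
    printf '%s:%s  %s\n' "$peer" "$PORT" "$(classify_rc "$rc")"
    [ "$rc" -eq 0 ] || failed=$((failed + 1))
  done
  return "$failed"
}

# Usage: ./check_8084.sh vc01.sample.domain vc02.sample.domain
if [ "$#" -gt 0 ]; then
  check_elm_peers "$@"
fi
```

Run it from each vCenter Server in turn, since a firewall rule can allow port 8084 in one direction and block it in the other. An HTTP 501 response still counts as OK here, as in the article's successful output.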

Additional Information