[VMC on AWS] Updating Site Recovery Manager configuration after CVDS migration
search cancel

[VMC on AWS] Updating Site Recovery Manager configuration after CVDS migration


Article ID: 323632


Updated On:


VMware Cloud on AWS


To outline the steps required to update Site recovery Manager with the new network references.


VMC on AWS SDDC went through migration to CVDS.

Network mappings in Site Recovery Manager are empty.

Protected VMs show configuration issue for the NIC device.


During CVDS migration, network references are changed from an OpaqueNetwork type and value such as network-oNN to a DistributedVirtualPortgroup type and value such as dvportgroup-NN. The network name is preserved by the CVDS migration.

Before resuming use of Site Recovery Manager (running operation on a Recovery Plan or configuring new VMs for protection), Site Recovery Manager configuration must be updated with the new network references - network mappings and protected VM recovery location settings.
SRM Recovery Plan operations are expected to fail until the import is done, as SRM would point to the old network references.


VMware has automatically updated the configuration for VMC on AWS to VMC on AWS SRM pairings.

For each SRM pairing b/w the VMC on AWS SDDC and on-premises follow the below steps to execute import of Site Recovery Manager configuration that was automatically exported before the CVDS migration. This import will update the network references by looking up the new references from the network name.

Prepare a local machine

At some machine that has network connectivity to the VMC on AWS SDDC vCenter Server and Site Recovery Manager and also on-premises vCenter Server/Platform Services Controller and Site Recovery Manager:

  • Install Java 8.
  • Install curl and jq (unless on Windows and using PowerShell Invoke-WebRequest option as in the examples below).
How to retrieve AUTH_TOKEN

Before you can use the APIs to retrive a list of Site Recovery Manager nodes and to download the Site Recovery Manager configuration export file, you must obtain an access token.
To obtain the token follow https://kb.vmware.com/s/article/79543.

A. Linux:
export REFRESH_TOKEN=...
export AUTH_TOKEN=$(curl "https://console.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize" -X POST -d "api_token=$REFRESH_TOKEN" | jq -r .access_token)
export DRAAS_BACKEND_URL=https://vmc.vmware.com
export ORG_ID=...
export SDDC_ID=...

B. Windows PowerShell:
$AUTH_TOKEN=Invoke-WebRequest -Method Post -Uri "https://console.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize" -Body @{"api_token" = $REFRESH_TOKEN} | ConvertFrom-Json Select-Object -ExpandProperty access_token

C. Windows PowerShell + curl + jq:
$AUTH_TOKEN=$(curl.exe "https://console.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize" -X POST -d "api_token=$REFRESH_TOKEN" | jq-win64.exe -r .access_token)

How to retrieve a list of Site Recovery Manager nodes

Note the id and hostname of each Site Recovery Manager node.

A. Linux:
curl "$DRAAS_BACKEND_URL/vmc/draas/api/orgs/$ORG_ID/sddcs/$SDDC_ID/site-recovery" -X GET -H "csp-auth-token: $AUTH_TOKEN" | jq .srm_nodes
curl "$DRAAS_BACKEND_URL/vmc/draas/api/orgs/$ORG_ID/sddcs/$SDDC_ID/site-recovery" -X GET -H "csp-auth-token: $AUTH_TOKEN" | jq -r '.srm_nodes[] | .id + " " + .hostname'

B. Windows PowerShell:
Invoke-WebRequest -Method Get -Uri "$DRAAS_BACKEND_URL/vmc/draas/api/orgs/$ORG_ID/sddcs/$SDDC_ID/site-recovery" -Headers @{"csp-auth-token" = $AUTH_TOKEN} | ConvertFrom-Json Select-Object -ExpandProperty srm_nodes
Invoke-WebRequest -Method Get -Uri "$DRAAS_BACKEND_URL/vmc/draas/api/orgs/$ORG_ID/sddcs/$SDDC_ID/site-recovery" -Headers @{"csp-auth-token" = $AUTH_TOKEN} | ConvertFrom-Json Select-Object -ExpandProperty srm_nodes | Select-Object id, hostname

C. Windows PowerShell + curl + jq:
curl.exe "$DRAAS_BACKEND_URL/vmc/draas/api/orgs/$ORG_ID/sddcs/$SDDC_ID/site-recovery" -X GET -H "csp-auth-token: $AUTH_TOKEN" | jq-win64.exe -r .srm_nodes
curl.exe "$DRAAS_BACKEND_URL/vmc/draas/api/orgs/$ORG_ID/sddcs/$SDDC_ID/site-recovery" -X GET -H "csp-auth-token: $AUTH_TOKEN" | jq-win64.exe -r '.srm_nodes[] | .id + \" \" + .hostname'

How to determine which pairings are with on-prem and which with another VMC SDDC
Open the Site Recovery UI at the VMC SDDC and inspect each of the pairings at the home page.

Example screen:

Pairings such as vcenter.sddc-A-B-C-D.vmwarevmc.com <-> vcenter.sddc-E-F-G-H.vmwarevmc.com, are VMC to VMC and the Site Recovery Manager configuration import is handled automatically for these after CVDS migration.

All the other pairings (excluding Replications within the same vCenter Server) are VMC to on-prem and the steps below must be followed - to do Site Recovery Manager configuration import after CVDS migration.

For each of the other pairings, click on VIEW DETAILS to inspect the hostname of the Site Recovery Manager appliance (local to the VMC SDDC) that is backing that pairing. Each Site Recovery Manager appliance with have unique hostname. The hostname does reflect the custom Site Recovery Manager extension key suffix if such is used in the pairing.

From the list of Site Recovery Manager node id and hostname values from the previous step, note the matching Site Recovery Manager node id values.

How to download the Site Recovery Manager configuration export file for a particular Site Recovery Manager node

A. Linux:
export SRM_NODE_ID=...
curl "$DRAAS_BACKEND_URL/vmc/draas/api/orgs/$ORG_ID/sddcs/$SDDC_ID/site-recovery/srm-nodes/$SRM_NODE_ID/config/export" -X GET -H "csp-auth-token: $AUTH_TOKEN" -o srm_config_export_$SRM_NODE_ID.xml

B. Windows PowerShell:
Invoke-WebRequest -Method Get -Uri "$DRAAS_BACKEND_URL/vmc/draas/api/orgs/$ORG_ID/sddcs/$SDDC_ID/site-recovery/srm-nodes/$SRM_NODE_ID/config/export" -Headers @{"csp-auth-token" = $AUTH_TOKEN} -OutFile srm_config_export_$SRM_NODE_ID.xml

C. Windows PowerShell + curl + jq:
curl.exe "$DRAAS_BACKEND_URL/vmc/draas/api/orgs/$ORG_ID/sddcs/$SDDC_ID/site-recovery/srm-nodes/$SRM_NODE_ID/config/export" -X GET -H "csp-auth-token: $AUTH_TOKEN" -o srm_config_export_$SRM_NODE_ID.xml

How to import the Site Recovery Manager configuration

Download and unzip the VMware Site Recovery Manager Configuration Import/Export Tool (or later version) from https://customerconnect.vmware.com/en/downloads/details?downloadGroup=VMC&productId=1123&rPId=61545. Even if the on-premises Site Recovery Manager version is 8.3.x or 8.4.x.
Note that older versions of the Site Recovery Manager Configuration Import/Export Tool impex tool are not compatible with the CVDS migration workflow.

Perform the import:


In terms of the Site Recovery Manager config export file, the VMC on AWS SDDC is named "local site" and the on-premises site is named "remote site".
For the local site - specify address and credentials for the VMC SDDC. Use any member of CloudAdminGroup, such as the cloudadmin account.
For the remote site - specify the on-premises site address and credentials. Use an account with SRM Administrator privileges (vCenter Administrator will also work).

See below for how to perform the import.

Option A. Example of import in interactive mode:
java -jar import-export-tool-8.5.0.jar --importInteractive --path srm_config_export_$SRM_NODE_ID.xml --overrideProtectionSettings

Option B. Example of import in properties file mode:

Create a properties file named for example srm_configuration.properties and specify the:

  • VMC SDDC vCenter/PSC FQDN as lookup.service.address
  • The Site Recovery Manager sitename at local.srm.name. Please get it from localSiteName at the Site Recovery Manager config export xml file (open the file via browser or query via cli) and verify that it matches the one at the Site Recovery Manager pairing summary page in the Site Recovery UI. This name can be customized, it might be different from the DNS name of the Site Recovery Manager appliance.
Linux example:
xmllint --xpath "//*[name()='localSiteName']/text()"  srm_config_export_$SRM_NODE_ID.xml

Windows PowerShell example:
Select-Xml -Path srm_config_export_$SRM_NODE_ID.xml -XPath "//localSiteName" Select-Object -expand node | Select-Object -expand '#text'


$srmConfigExportXml Get-Content srm_config_export_$SRM_NODE_ID.xml

  • local.auth.credentials.vc.username and local.auth.credentials.vc.password - credentials for the VMC SDDC - either the cloudadmin account or some other member of CloudAdminGroup
  • remote.auth.credentials.vc.username and remote.auth.credentials.vc.password - credentials for the on-premises SDDC. Use an account with SRM Administrator privileges (vCenter Administrator will also work).
local.auth.credentials.vc.password=<password for the cloudadmin account>
remote.auth.credentials.vc.password=<password for Administrator>

java -jar import-export-tool-8.5.0.jar --importProperties srm_configuration.properties --path srm_config_export_$SRM_NODE_ID.xml --overrideProtectionSettings

Note: If the above command runs for more than a few minutes and this happens on a Linux OS, check if "head -1 /dev/random" blocks or immediately prints some value. If it is still blocked, try using rng-tools to ensure there is enough entropy in the system.

Verify the configuration in Site Recovery UI:

  • Check that the network mappings are correct.
  • Check the protection groups - if any protected VM shows configuration error for a network device.

In case of issues - check the log file for the import. This is located within the folder that the import was executed. Evaluate whether to retry the import or manually re-create the missing network mappings and reconfigure protected VM recovery location settings.

Known Issue

When performing Import of SRM config exported with version 8.5 and imported in SRM version 8.6, import fails with following lines seen in impex.log :

2022-12-16 10:53:29,173 [srm-reactive-thread-13] WARN  com.vmware.srm.client.impex.importers.advancedSettings.SiteAdvancedSettingsImporter - Unable to import advanced settings for server with guid 'SDDC_ID'.
(vmodl.fault.InvalidType) {
   faultCause = null,
   faultMessage = null,
   argument = changedValue[remoteManager.xVcVMotionTimeout]

This is a known issue and can be ignored. Advanced Settings import is the last stage in SRM config import. All previous stages are not dependent on this one. There is a difference in versions for the API call, it is expected to receive an array of all AdvancedSetting objects and any invalid object will fail the call.

Alternative manual approach

If there are only few networks used in the SRM network mappings and only few protected VMs and there are issues with executing the SRM configuration import, you may choose to follow the below steps for manual configuration:

  • The network mappings will be reset after CVDS migration, as the network ids change. Create the network mappings again.
  • Navigate to each protection group and open the Virtual Machines tab.
  • Select each individual virtual machine and select CONFIGURE PROTECTION.
  • Inside the VM Protection Properties wizard, expand the row for each of the NICs. Explicitly configure Recovery Site network if the value is blank. Click OK to update the VM recovery location settings.

Additional Information

No impact to production VMs.
These steps will fix SRM configuration of resource mappings (including network mappings), protection groups, protected VM settings and Recovery Plans.