Adding the ESX host to vCenter Server fails with the error "decryption failed or bad record mac"

Article ID: 324311

Products

VMware vCenter Server
VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • Cannot add the ESX host to vCenter Server
  • Adding the ESX host to vCenter Server fails
  • You see the error:

    SSLroutines:SSL3_GET_RECORD:decryption failed or bad record mac
     
  • vCenter Server is installed in a virtual machine on an ESX host within the environment
     
  • In the /var/log/vmware/hostd.log file of the ESX host, you see entries similar to:

    [<YYYY-MM-DD>T<time> F6482B90 error 'App'] SSLStreamImpl::SSLRead (5E0EB1A0) SSL_read failed. Dumping SSL error queue:
    [<YYYY-MM-DD>T<time> F6482B90 error 'App'] [0] error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac
    [<YYYY-MM-DD>T<time> F6482B90 warning 'Proxysvc Req00062'] Error reading from client while waiting for header: N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac)

  • In the /var/log/vmware/vpx/vpxa.log file of the ESX host, you see entries similar to:

    [<YYYY-MM-DD>T<time> 04296 error 'App'] [VpxVmomi] Unhandled Exception: SSL Exception: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
    [<YYYY-MM-DD>T<time> 04296 error 'App'] [VpxVmomi] Backtrace:
    backtrace[00] eip 0x021fc66d ?AbortProcess@System@Vmacore@@YAXXZ
    backtrace[01] eip 0x021fd0a7 ?
     
  • Connecting the ESX host directly to the vCenter Server virtual machine using the vSphere Client fails
  • In the /var/log/vmware/hostd.log file of the ESX host, you see entries similar to:

    [<YYYY-MM-DD>T<time> F63BFB90 warning 'Proxysvc Req00117'] Writing response from localhost:8307 to client failed with error N7Vmacore15SystemExceptionE(Broken pipe).
    [<YYYY-MM-DD>T<time> F58F5B90 error 'App'] Failed to send response to the client: Connection reset by peer

  • Generating a new SSL certificate on the ESX host or reinstalling vCenter Server does resolve this issue
  • Enabling trivia logging does not provide more information on this issue


Environment

VMware ESXi 4.1.x Embedded
VMware ESXi 4.1.x Installable
VMware vSphere ESXi 5.5
VMware vSphere ESXi 5.1
VMware vSphere ESXi 5.0
VMware vCenter Server 4.1.x
VMware vCenter Server 5.1.x
VMware ESX 4.0.x
VMware vCenter Server 5.5.x
VMware vCenter Server 4.0.x
VMware vCenter Server 5.0.x

Cause

This issue occurs when an SSL record is received with an incorrect Message Authentication Code (MAC), which may be caused by network issues. For example, some packets may be lost during communication. In this case, the MAC calculated at the receiver's end does not match the MAC calculated at the sender's end.
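
The two error codes in the log excerpts above indicate which end of the connection detected the MAC mismatch. The following triage script is an added example, not VMware's code; it assumes the OpenSSL 1.x error-code layout (8-bit library, 12-bit function, 12-bit reason), and its function names and sample timestamps are constructed for illustration.

```python
import re

# Assumption: OpenSSL 1.x packs an error code as lib(8) | func(12) | reason(12).
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):SSL routines:")
ERR_LIB_SSL = 20              # 0x14, the SSL library
ALERT_REASON_OFFSET = 1000    # reason = 1000 + alert number when the peer sent an alert
ALERT_BAD_RECORD_MAC = 20     # TLS alert number for bad_record_mac
REASON_LOCAL_BAD_MAC = 281    # 0x119, "decryption failed or bad record mac"

def decode(code_hex):
    """Split a packed OpenSSL error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return code >> 24, (code >> 12) & 0xFFF, code & 0xFFF

def classify(line):
    """Return 'local', 'peer' or None for one hostd.log / vpxa.log line."""
    m = ERR_RE.search(line)
    if not m:
        return None
    lib, _func, reason = decode(m.group(1))
    if lib != ERR_LIB_SSL:
        return None
    if reason == REASON_LOCAL_BAD_MAC:
        return "local"   # this side's MAC check failed on a record it received
    if reason == ALERT_REASON_OFFSET + ALERT_BAD_RECORD_MAC:
        return "peer"    # the other side rejected a record this side sent
    return None

def summarize(lines):
    """Count MAC failures by the side that detected them."""
    counts = {"local": 0, "peer": 0}
    for line in lines:
        kind = classify(line)
        if kind:
            counts[kind] += 1
    return counts

# Constructed sample lines in the format of the excerpts above (timestamps made up).
SAMPLE = [
    "[2014-01-01T10:00:00.000Z F6482B90 error 'App'] [0] error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac",
    "[2014-01-01T10:00:01.000Z 04296 error 'App'] [VpxVmomi] Unhandled Exception: SSL Exception: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac",
    "[2014-01-01T10:00:02.000Z F58F5B90 error 'App'] Failed to send response to the client: Connection reset by peer",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Seeing both "local" and "peer" failures on the same host means records are being altered in both directions, which is consistent with a fault in the network path rather than a certificate or key problem.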

Resolution

To resolve this issue, remove the virtual NIC from the vCenter Server virtual machine and add a new NIC for the virtual machine.

Note: If the issue persists, try adding a vmxnet3 virtual NIC.


Additional Information

[Internal] Regenerating the SSL certificates on an ESXi host