Cloud Proxy shows as Offline after upgrading VMware Aria Operations (SaaS)
Article ID: 331408
Updated On:
Products
VMware Aria Suite
Issue/Introduction
Symptoms:
- After upgrading the Cloud Proxy, it's status shows as Offline in the Product UI.
- The /var/log/haproxy-admin.log on the Cloud Proxy shows errors similar to:
Server PrxyRC_BE/VROPS_0 is DOWN, reason: Layer6 invalid response, info: "SSL handshake failure", check duration: 161ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Cause
This issue occurs when there is an SSL inspection (by firewall or network proxy) enabled on the local network side and the chain of certificates used as part of the SSL inspection are not added to Cloud Proxy.
Resolution
To resolve this issue, follow the Add root CA certificate to Cloud Proxy after deployment section of Add CA certs while deploying a cloud proxy in VMware Aria Operations (83698).
Workaround:
To workaround the issue, the Cloud Proxy should be whitelisted in the network firewall configuration.
Alternatively, you can set ssl verify to none on the Cloud Proxy.
To do this, complete the following steps:
Workaround:
To workaround the issue, the Cloud Proxy should be whitelisted in the network firewall configuration.
Alternatively, you can set ssl verify to none on the Cloud Proxy.
To do this, complete the following steps:
- Log into the Cloud Proxy as root via SSH or Console.
- Run the following command to backup the /etc/haproxy/haproxy.cfg file:
cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.bak
- Open /etc/haproxy/haproxy.cfg in a text editor.
- Change all occurrences of ssl verify required ca-file /storage/vcops/user/conf/ssl/haproxy.ca.pem to ssl verify none.
- Save and close the file.
- Run the following command to restart the haproxy and collector services:
service haproxy restart && service collector restart
Additional Information
To undo the workaround of setting ssl verify to none, complete the following:
- Log into the Cloud Proxy as root via SSH or Console.
- Run the following command to replace the /etc/haproxy/haproxy.cfg file with the backed up version:
mv /etc/haproxy/haproxy.bak /etc/haproxy/haproxy.cfg
- Run the following command to restart the haproxy and collector services:
service haproxy restart && service collector restart
Feedback
Yes
No
Powered by
