After upgrading from 10.4.x to 10.5.x vCloud Director UI is not accessible when using NSX Load Balancer


Article ID: 369879


Products

VMware Cloud Director

Issue/Introduction

  • After upgrading from 10.4.x to 10.5.x VMware Cloud Director UI is not accessible when using NSX Load Balancer
  • Organizations do not show up in VMware Cloud Director UI
  • Log review of vcloud-container-debug.log can show the error:
    Error: Received fatal alert: handshake_failure 
  • No web access to VMware Cloud Director portal through public URL via DNS after version upgrade.

Environment

VMware Cloud Director 10.5.x
VMware NSX

Cause

This issue can occur when the TLS ciphers configured on the NSX Load Balancer do not match the default TLS ciphers for 10.5.x.

Resolution

The workaround is to set the ciphers in 10.5.x to match those enabled in 10.4.x.

Run the following on each vCloud Director node:

1. Update cipher disallow list

/opt/vmware/vcloud-director/bin/cell-management-tool ciphers -d

Output:
TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA

2. Confirm supported TLS ciphers

/opt/vmware/vcloud-director/bin/cell-management-tool ciphers -l

3. Apply changes

service vmware-vcd restart
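
To confirm after step 2 that the cell and the load balancer still share a cipher suite, the two lists can be compared offline. The script below is an added example, not VMware tooling: it assumes you have saved the cell's allowed list and the cipher list from the load balancer's SSL profile as text using the TLS_* names shown above, and the function names, grade labels and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not VMware tooling. Both inputs are text the operator saved:
# the cell's allowed list and the load balancer profile's cipher list.

# Extract every TLS_* suite name from free-form text (commas, bullets, newlines).
suites() {
    printf '%s\n' "$1" | tr -cs 'A-Z0-9_' '\n' | grep '^TLS_' | LC_ALL=C sort -u
}

# Print suites present in both lists. Return 1 when none is shared, the
# condition under which the TLS handshake cannot complete.
shared_suites() {
    common=$( { suites "$1" | sed 's/^/C /'; suites "$2" | sed 's/^/L /'; } |
        awk '$1 == "C" { cell[$2] = 1 } $1 == "L" && cell[$2] { print $2 }' )
    [ -n "$common" ] || return 1
    printf '%s\n' "$common"
}

# Coarse grade from the suite name alone. fs-legacy means a forward-secret
# key exchange with a non-AEAD bulk cipher (CBC in the lists on this page);
# no-fs means a static RSA or static ECDH key exchange.
grade() {
    case "$1" in
        TLS_AES_*|TLS_CHACHA20_*) echo tls13-aead ;;
        TLS_ECDHE_*_GCM_*|TLS_ECDHE_*_CHACHA20_*|TLS_DHE_*_GCM_*) echo fs-aead ;;
        TLS_ECDHE_*|TLS_DHE_*) echo fs-legacy ;;
        *) echo no-fs ;;
    esac
}

# One "grade suite" line per shared suite; status 1 if nothing is shared.
report() {
    list=$(shared_suites "$1" "$2") || return 1
    for s in $list; do
        printf '%s %s\n' "$(grade "$s")" "$s"
    done
}

# Constructed sample inputs (not taken from a real deployment).
CELL_ALLOWED='* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* TLS_RSA_WITH_AES_128_GCM_SHA256'
LB_PROFILE='TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'

report "$CELL_ALLOWED" "$LB_PROFILE" || echo "no shared cipher suite"
```

A report containing only fs-legacy or no-fs lines means the connection works but relies on older suites, which is a reason to update the load balancer profile rather than keep the workaround in place.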