vSphere Replication shows inaccessible under Site Recovery plugin
search cancel

vSphere Replication shows inaccessible under Site Recovery plugin

book

Article ID: 393481

calendar_today

Updated On:

Products

VMware Live Recovery

Issue/Introduction

Symptoms:

  • vSphere Replication shows "Not Accessible" from Site Recovery UI page as below:



  • Clicking on the 'i' next to 'Not accessible' shows the full error as:
    "The vSphere Replication Management Server is not accessible. Check the Site Recovery integration plug-in logs for possible causes." 

  • Replication jobs for the VMs work without any issues.

  • The vSphere replication appliance can be accessible directly using the VAMI and DR pages. vSphere replication appliance VAMI login works fine: https://#########:5480/   

Validation:

  • From VC, /var/log/vmware/vSphere-ui/logs/vpshere_client.virgo.log, there is an event for "Plugin error with no healthy stream"

####-##-##T##:##:##.211+05:30] [ERROR] nio-127.0.0.1-5090-exec-2808 70258511 108018 200595 com.vmware.vise.mvc.controllers.PluginServiceController. An error occurred while contacting the plugin server (com.vmware.drui.plugin:9.0.2.########:-##########) dynamic extension SPI endpoint (/plugins/com.vmware.drui.plugin~9.0.2.########~##########/###.##.#.##-443/drplugin//rest/dynamic-items /vm/actions). com.vmware.vise.plugin.filter.exception.PluginServerDynamicSpiException: Plugin Server dynamic uri endpoint 'http://#########:1080/external-vecs/http1/########.###.local/443/plugins/com.vmware.drui.plugin~9.0.2.24401761~647188613/###.##.#.##-443/drplugin//rest/dynamic-items/vm/actions' returned an error: no healthy upstream at com.vmware.vise.plugin.filter.impl.PluginDynamicExtensionFilteringServiceImpl.pluginServerDynamicUriFiltering(PluginDynamicExtensionFilteringServiceImpl.java:194) at sun.reflect.GeneratedMethodAccessor4744.invoke(Unknown Source)

Environment

VMware vSphere Replication 8.x
VMware vSphere Replication 9.x

Cause

The error caused because hostname of the vSphere Replication trying to connect does not match the Common Name (CN) or Subject Alternative Name (SAN) in the assigned vSphere Replication SSL certificate.

For Reference:

  • From VR, opt/vmware/support/logs/dr-client-plugin/duplugin.log, observed "Certificate mismatch error"

    ####-##-## 10:46:16,891 [-0] ERROR com.vmware.dr.plugin.handlers.dashboard.DraasCheckHandler   - Unable to get DRaaS check flag at URL: java.lang.Exception: Unable to get DRaaS check flag at URL: https://###.##.#.##/####/isvmc..
    2025-03-31 10:46:16,891 [srm-reactive-thread-16] WARN  com.vmware.dr.plugin.handlers.dashboard.DraasCheckHandler ######-####-####-####-##########- DrRequestHandlerError:
    java.lang.Exception: Unable to get DRaaS check flag at URL: https://###.##.#.##/####/isvmc.
            at com.vmware.dr.plugin.handlers.dashboard.DraasCheckHandler$RequestCallback.fail(DraasCheckHandler.java:113)
            at com.vmware.dr.plugin.handlers.dashboard.DraasCheckHandler$RequestCallback.fail(DraasCheckHandler.java:113)
            at com.vmware.dr.plugin.handlers.dashboard.DraasCheckHandler$RequestCallback.failed(DraasCheckHandler.java:98)
            at org.apache.http.concurrent.BasicFuture.failed(BasicFuture.java:137)
            at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.executionFailed(DefaultClientExchangeHandlerImpl.java:101)
            at org.apache.http.impl.nio.client.AbstractClientExchangeHandler.failed(AbstractClientExchangeHandler.java:432)
            at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.exception(HttpAsyncRequestExecutor.java:163)
            at org.apache.http.impl.nio.client.InternalIODispatch.onException(InternalIODispatch.java:82)
            at org.apache.http.impl.nio.client.InternalIODispatch.onException(InternalIODispatch.java:40)
            at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:125)
            at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
            at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
            at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
            at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
            at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
            at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591)
            at java.base/java.lang.Thread.run(Unknown Source)
    Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name '###.##.#.##' does not match the certificate subject provided by the peer (C=##, ST=#########, L=### ####, OU=SRM, O="VMware, Inc.", CN=##########.###.local)
            at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy.verifySession(SSLIOSessionStrategy.java:217 

  • In certain instances, vCenter UI logs report that the VR certificate generated is not valid which is generated with CN=<VR-IP>. VR-IP is the eth0/eth1 IP address of the VR appliance.
    (In such instances, both DNS and IP in Certificate Subject Alternative Name, are set with VR eth0 IPs. DNS should be set with FQDN which is also the hostname of the VR appliance.)

    in /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log:

    [####-##-##T16: 36:28. 879+06:00] [ERROR] p-nio-127.0.0.1-5090-exec-64   com.vmware.vise.mvc.exception.GlobalExceptionHandler   Exception handled while processing request for /ui/certificate-ui/ctrl/certificates/chain-of-trust:  com.vmware.vapi.std.errors.InternalServerError: InternalServerError (com.vmware.vapi.std.errors.internal_server_error) => {

    messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
    id = vapi.bindings.method.impl.unexpected,
    defaultMessage = Provider method implementation threw unexpected exception: com.vmware.vapi.std.errors.Error,
    args = [com.vmware.vapi.std.errors.Error],
    params = <null>,
    localized = <null>
    }, LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
    id = com.vmware.certificatemanagement.error,
    defaultMessage = Internal Server Error (Certificate bearing subject C=US, ST=California, L=Palo Alto, OU=SRM, O=VMware\, Inc., CN=<VR-IP> is not a valid CA certificate. Please retry with a valid certificate chain),

    args = [Certificate bearing subject C=US, ST=California, L=Palo Alto, OU=SRM, O=VMware\, Inc., CN=<VR-IP> is not a valid CA certificate. Please retry with a valid certificate chain],

    params = <null>,
    localized = <null>

    data = <null>,
    errorType = INTERNAL_SERVER_ERROR

Resolution

Login to the vSphere Replication appliance VAMI page and update the certificate to match CN/SAN of VR hostname.

  • Log in to the vSphere Replication Appliance Management Interface as admin.

  • Click on the Certificate option, then click Change. Verify that the DNS value is set with FQDN and IP is the eth0 of the vSphere Replication Appliance. 

  • Once updated, reconfigure the vSphere Replication Appliance to re-register to vCenter with the newly generated certificate.
    (In vSphere Replication Appliance Management interface > Summary > Reconfigure)

    Refer Reconfigure General vSphere Replication Settings

Note: If the vSphere Replication appliance Certificates is valid (with FQDN already) then perform Reconfiguration of vSphere Replication only and Do not regenerating certificate.

For Reference Reconfigure General vSphere Replication Settings

The issue occurs due to service disconnect or unavailable HBR-Agent.

Powered by Wolken Software