"Couldn't establish a connection to the VM web console" when a VM console is opened in Web Client

Article ID: 397472


Products

VMware vCenter Server

Issue/Introduction

  • Unable to launch the web console of a virtual machine from vCenter.
  • Accessing the web console directly from the ESXi host works as expected.
  • The issue occurs intermittently and affects random virtual machines.
  • Review the VMware logs from the time of the issue for further investigation.
  • vmware.log of the VM:

/vmfs/volumes/<datastore name>/<vmfolder>/vmware.log
DD-MM-YYYYTHH-MM-SS In(05) mks - Expiring webmks ticket 696fc3...
DD-MM-YYYYTHH-MM-SS In(05) mks - Releasing webmks ticket 696fc3...
DD-MM-YYYYTHH-MM-SS In(05) vmx - VigorTransportProcessClientPayload: opID=m8uoufho-9406496-auto-5lm3l-h5:71211656-d2-cd-9767 seq=312003: Receiving MKS.IssueTicket request.
DD-MM-YYYYTHH-MM-SS In(05) vmx - SOCKET 83 (203) creating new listening socket on port -1
DD-MM-YYYYTHH-MM-SS In(05) vmx - Issuing new webmks ticket d1b879... (120 seconds)
DD-MM-YYYYTHH-MM-SS In(05) vmx - VigorTransport_ServerSendResponse opID=m8uoufho-9406496-auto-5lm3l-h5:71211656-d2-cd-9767 seq=312003: Completed MKS.IssueTicket request with messages in 232 US.
DD-MM-YYYYTHH-MM-SS In(05) mks - SOCKET 82 (203) AcceptCb fired, WS 0x35709B2080 created for parent 0x3570839680
DD-MM-YYYYTHH-MM-SS In(05) mks - Accepting connection for webmks ticket d1b879...
DD-MM-YYYYTHH-MM-SS In(05) mks - Expiring webmks ticket d1b879...
DD-MM-YYYYTHH-MM-SS In(05) mks - Releasing webmks ticket d1b879...

  • Check the tokenservice.log on the vCenter Server:

/var/log/vmware/sso/tokenservice.log
DD-MM-YYYYTHH-MM-SS ERROR tokenservice[79:tomcat-http--42] [CorId=xxxxxx-xxx-xxxx-xxx-xxxxxx OpId=] [com.vmware.vcenter.tokenservice.vapi.TokenExchangeProviderImpl] Exchange failed due to invalid grant:
com.vmware.vcenter.tokenservice.exceptions.InvalidGrant: Invalid SUBJECT token: tokenType=SAML2
        at com.vmware.vcenter.tokenservice.ExchangeFacadeImpl.parse(ExchangeFacadeImpl.java:191) ~[libtokenservice-server.jar:?]
        at com.vmware.vcenter.tokenservice.ExchangeFacadeImpl.exchange(ExchangeFacadeImpl.java:240) ~[libtokenservice-server.jar:?]
Caused by: com.vmware.identity.saml.InvalidTokenException: Token expiration date: Fri May 02 06:16:39 GMT 2025 is in the past.
        at com.vmware.identity.saml.impl.ServerValidatableSamlTokenImpl.validate(ServerValidatableSamlTokenImpl.java:261) ~[libsamlauthority.jar:?]
        at com.vmware.vcenter.tokenservice.codecs.String2ServerValidatableSamlToken.transform(String2ServerValidatableSamlToken.java:104) ~[libtokenservice-server.jar:?]
        at com.vmware.vcenter.tokenservice.codecs.String2ServerValidatableSamlToken.transform(String2ServerValidatableSamlToken.java:24) ~[libtokenservice-server.jar:?]
        at com.vmware.vcenter.tokenservice.ExchangeFacadeImpl.parse(ExchangeFacadeImpl.java:179) ~[libtokenservice-server.jar:?]

Environment

  • VMware vCenter Server 8.x

Cause

  • A mismatch in clock tolerance settings between the API Gateway SSO Service and the Token Service causes token validation failures. The API Gateway uses a 10-minute (600,000 ms) clock tolerance when validating tokens, while the Token Service has a clock tolerance of zero. As a result, tokens that the API Gateway still considers valid are rejected as expired by the Token Service, leading to intermittent authentication failures.
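
To check whether rejections in tokenservice.log are consistent with this cause, the following added example (not VMware code) pairs each ERROR entry with its "Token expiration date" line and flags tokens rejected within 10 minutes of expiring. The ISO-8601 UTC entry timestamp format and the sample lines are assumptions, since the article masks the real timestamps.

```python
import re
from datetime import datetime, timedelta, timezone

# Clock tolerances stated in the Cause section.
GATEWAY_TOLERANCE = timedelta(milliseconds=600_000)  # API Gateway SSO Service
TOKEN_SERVICE_TOLERANCE = timedelta(0)               # Token Service

# Assumption: entries start with an ISO-8601 UTC timestamp followed by the level.
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S*\s+(\w+)\s")
EXPIRY = re.compile(r"InvalidTokenException: Token expiration date: "
                    r"\w{3} (\w{3} \d{2} \d{2}:\d{2}:\d{2}) GMT (\d{4}) is in the past")

def _utc(text, fmt):
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)

def classify(log_text):
    """Return (rejected_at, expired_at, verdict) for each expired-token rejection."""
    findings, rejected_at = [], None
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if entry:  # new log entry: remember its time only if it is an ERROR
            is_error = entry.group(2) == "ERROR"
            rejected_at = _utc(entry.group(1), "%Y-%m-%dT%H:%M:%S") if is_error else None
            continue
        expiry = EXPIRY.search(line)
        if expiry and rejected_at:
            expired_at = _utc(" ".join(expiry.groups()), "%b %d %H:%M:%S %Y")
            age = rejected_at - expired_at
            # Inside this window the gateway still accepts the token; the Token Service does not.
            in_gap = TOKEN_SERVICE_TOLERANCE < age <= GATEWAY_TOLERANCE
            findings.append((rejected_at, expired_at, "tolerance-mismatch" if in_gap else "other"))
            rejected_at = None
    return findings

# Constructed sample: entry timestamps and the second expiry date are made up for illustration.
SAMPLE = """\
2025-05-02T06:20:11.482Z ERROR tokenservice[79:tomcat-http--42] [CorId=xxxxxx OpId=] Exchange failed due to invalid grant:
com.vmware.vcenter.tokenservice.exceptions.InvalidGrant: Invalid SUBJECT token: tokenType=SAML2
Caused by: com.vmware.identity.saml.InvalidTokenException: Token expiration date: Fri May 02 06:16:39 GMT 2025 is in the past.
2025-05-02T06:25:00.000Z ERROR tokenservice[79:tomcat-http--42] [CorId=xxxxxx OpId=] Exchange failed due to invalid grant:
Caused by: com.vmware.identity.saml.InvalidTokenException: Token expiration date: Fri May 02 05:00:00 GMT 2025 is in the past.
"""

if __name__ == "__main__":
    for rejected_at, expired_at, verdict in classify(SAMPLE):
        print(f"{rejected_at:%H:%M:%S} rejected, expired {rejected_at - expired_at} earlier: {verdict}")
```

Entries classified as "other" expired more than 10 minutes before the rejection, so the tolerance mismatch alone does not explain them.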

Resolution

Workaround:

  • Use VMRC to access the console of the VM.