After changing ESXi host DNS servers, ESXi host login times out.

Article ID: 403214


Products

VMware vSphere ESX 8.x
VMware vSphere ESX 7.x

Issue/Introduction

When accessing the ESXi host through its management IP, the login times out after the credentials are entered.

Symptoms:

In auth.log on the ESXi host, the following errors appear:

YYYY-MM-DD T0HH:MM:SS sshd[2109831]: pam_unix(sshd:session): session closed for user root
YYYY-MM-DD T0HH:MM:SS sshd[2128480]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<IPAddress>  user=root
YYYY-MM-DD T0HH:MM:SS sshd[2128478]: error: PAM: Authentication failure for root from <IPAddress>
YYYY-MM-DD T0HH:MM:SS sshd[2128478]: Connection closed by authenticating user root <IPAddress> port 50580 [preauth]
YYYY-MM-DD T0HH:MM:SS.222Z sshd[2140523]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<IPAddress>  user=root
YYYY-MM-DD T0HH:MM:SS sshd[2140521]: error: PAM: Authentication failure for root from <IPAddress>
YYYY-MM-DD T0HH:MM:SS sshd[2140521]: Connection closed by authenticating user root <IPAddress> port 41244 [preauth]
YYYY-MM-DD T0HH:MM:SS sshd[2169582]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<IPAddress>  user=root
YYYY-MM-DD T0HH:MM:SS sshd[2169580]: error: PAM: Authentication failure for root from <IPAddress>

 

Searching hostd.log for the domain name returns the following entries:

YYYY-MM-DD T0HH:MM:SS  lwsmd[2103055]: [lsass] Transitioning domain '<domainname>' to ONLINE state
YYYY-MM-DD T0HH:MM:SS  lwsmd[2103055]: [lsass] Could not transition domain '<domainname>' to ONLINE state. Error 9502
YYYY-MM-DD T0HH:MM:SS  lwsmd[2103055]: [lsass] Found domain '<domainname>' to be offline while resolving its objects.
YYYY-MM-DD T0HH:MM:SS  lwsmd[2103055]: [lsass] Transitioning domain '<domainname>' to ONLINE state
YYYY-MM-DD T0HH:MM:SS  lwsmd[2103055]: [lsass] Could not transition domain '<domainname>' to ONLINE state. Error 9502
YYYY-MM-DD T0HH:MM:SS  lwsmd[2103055]: [lsass] Found domain '<domainname>' to be offline while resolving its objects.
YYYY-MM-DD T0HH:MM:SS  lwsmd[2103055]: [lsass] Transitioning domain '<domainname>' to ONLINE state
YYYY-MM-DD T0HH:MM:SS  lwsmd[2103055]: [lsass] Could not transition domain '<domainname>' to ONLINE state. Error 9502
YYYY-MM-DD T0HH:MM:SS  lwsmd[2103055]: [lsass] Found domain '<domainname>' to be offline while resolving its objects.
YYYY-MM-DD T0HH:MM:SS  lwsmd[2103055]: [lsass] Transitioning domain '<domainname>' to ONLINE state
YYYY-MM-DD T0HH:MM:SS  lwsmd[2103055]: [lsass] Could not transition domain '<domainname>' to ONLINE state. Error 9502
YYYY-MM-DD T0HH:MM:SS  lwsmd[2103055]: [lsass] Found domain '<domainname>' to be offline while resolving its objects.
YYYY-MM-DD T0HH:MM:SS  lwsmd[2103055]: [lsass] Transitioning domain '<domainname>' to ONLINE state
YYYY-MM-DD T0HH:MM:SS  lwsmd[2103055]: [lsass] Could not transition domain '<domainname>' to ONLINE state. Error 9502
YYYY-MM-DD T0HH:MM:SS  lwsmd[2103055]: [lsass] Found domain '<domainname>' to be offline while resolving its objects.

 

As soon as the DNS servers are changed back to the previous IPs, everything works fine.

Both the new and the old DNS servers are pingable from the ESXi hosts and vCenter.

Please note: This behaviour is only observed on ESXi hosts that are domain joined.

 

 

Environment

ESXi 7.x
ESXi 8.x

 

Cause

DNS dependency: If AD integration introduced DNS settings that are broken or unreachable (e.g., pointing to domain controllers that can't resolve names), even local logins may hang or time out. This applies especially to the UI, which can stall on background domain queries.

Resolution

Check domain name resolution from the ESXi host.

Run the command below and verify whether nslookup is timing out:

nslookup <domainname>

The desired output is the result of all name servers that are resolving the name.

For example, the expected result:

[[email protected] :~ ] nslookup <domainname>
Server:     <xx.xx.xx.xx>
Address:  <xx.xx.xx.xx>

Name :
Address:  <xx.xx.xx.xx>
Address: <xx.xx.xx.xx>

However, if the lookup returns a connection timeout, either the ESXi host is not able to connect to the DNS server or packets over UDP port 53 are being filtered out.

For example, the result in the failing case:

[[email protected] :~ ] nslookup <domainname>
;; connection timed out; no servers could be reached

Verify that the ESXi host is able to ping the DNS server.

 

After performing the above tests, follow the steps below:

1) In the vSphere Client, select the ESXi host, click Configure and find "Firewall" under "System". Then click the "Edit" option.

2) Apply a filter of "DNS Client".

3) Expand the rule's settings and, under the IP list, verify that the correct DNS server IP is listed.

4) If the IP is wrong, either update it to the correct IP or check the option "Allow connections from any IP".

5) Save the settings.

6) You should now be able to log in to the ESXi host without any issues.
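
The firewall check in steps 1 to 4 can also be made from the ESXi shell. The script below is an added example, not part of the KB article: it compares the host's configured DNS servers with the allowed-IP list of the DNS Client ruleset and prints every server the list does not cover. It assumes the ruleset id is "dns" (confirm with "esxcli network firewall ruleset list") and that esxcli output has the shape of the constructed samples; IPv4 only.

```shell
#!/bin/sh
# Added example (not from the KB): list configured DNS servers that the
# DNS Client firewall ruleset does not allow. IPv4 only.
# Assumptions: ruleset id "dns"; esxcli output shaped like the samples below.

# Parse `esxcli network ip dns server list` output (stdin), one IP per line.
dns_servers() {
    sed -n 's/^ *DNSServers: *//p' | tr ',' '\n' | tr -d ' ' | sed '/^$/d'
}

# Parse `esxcli network firewall ruleset allowedip list` output (stdin) into
# one entry per line for ruleset $1: "All", a single IP, or a CIDR network.
allowed_ips() {
    awk -v r="$1" '$1 == r { $1 = ""; print }' | tr ',' '\n' | tr -d ' ' | sed '/^$/d'
}

# $1 = DNS server list output, $2 = allowed-IP output.
# Prints every DNS server that no allowed entry covers.
blocked_dns_servers() {
    allowed=$(printf '%s\n' "$2" | allowed_ips dns | tr '\n' ' ')
    printf '%s\n' "$1" | dns_servers | awk -v allowed="$allowed" '
        function ip2int(s,  o) {
            split(s, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        function covers(net, ip,  p, bits, size) {
            if (net == "All") return 1
            split(net, p, "/")
            bits = (p[2] == "" ? 32 : p[2])
            size = 2 ^ (32 - bits)
            return int(ip2int(p[1]) / size) == int(ip2int(ip) / size)
        }
        BEGIN { n = split(allowed, nets, " ") }
        {
            ok = 0
            for (i = 1; i <= n; i++) if (covers(nets[i], $0)) ok = 1
            if (!ok) print
        }'
}

# Constructed sample: DNS moved to 10.0.0.5/10.0.0.6, rule still lists old IPs.
SAMPLE_DNS='   DNSServers: 10.0.0.5, 10.0.0.6'
SAMPLE_FW='Ruleset  Allowed IP Addresses
-------  --------------------
dns      192.168.1.10, 192.168.1.11'

if command -v esxcli >/dev/null 2>&1; then
    blocked_dns_servers "$(esxcli network ip dns server list)" \
        "$(esxcli network firewall ruleset allowedip list --ruleset-id dns)"
else
    blocked_dns_servers "$SAMPLE_DNS" "$SAMPLE_FW"   # offline demo on the sample
fi
```

Any address it prints is a DNS server the ruleset does not cover; adding that address to the IP list in step 4 keeps the rule narrower than allowing connections from any IP.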