vmkernel logs indicate FTCpt warnings in ESXi host
Article ID: 407113
Updated On:
Products
VMware vSphere ESXi
Issue/Introduction
- vmkernel logs indicate FTCpt warnings
- ESXi - /var/log/vmkwarning.log
[YYYY-MM-DD] Wa(180) vmkwarning: cpu162:2099030)WARNING: FTCpt: 2684: (0 pri) Error reading hello: Bad parameter
[YYYY-MM-DD] Wa(180) vmkwarning: cpu162:2099030)WARNING: FTCpt: 2944: Error starting connection (8000 ms): Bad parameter
[YYYY-MM-DD] Wa(180) vmkwarning: cpu190:2099516)WARNING: VMotionServer: 367: Invalid message type for new connection: 790. Expecting message of type INIT (0 or 31).
[YYYY-MM-DD] Wa(180) vmkwarning: cpu162:2099030)WARNING: FTCpt: 232: (0 pri) Error reading hello: got 33555222 33554795: Bad parameter- ESXi - /var/log/vmkernel.log
[YYYY-MM-DD] In(182) vmkernel: cpu190:2099516)VMotionServer: 385: Error reading from pending connection: Connection reset by peer
[YYYY-MM-DD] In(182) vmkernel: cpu190:2099516)MigrateNet: vm 2099516: 3282: Accepted connection from <###.###.###.###>:####
[YYYY-MM-DD] In(182) vmkernel: cpu190:2099516)MigrateNet: vm 2099516: 3370: dataSocket 0x4328948a65d0 receive buffer size is 563272Environment
- VMware vSphere 8.x
- VMware vSphere 7.x
Cause
The FT and vMotion warning alerts start whenever the host is accepting a connection from the Security Scanner Server's IP address (the Security Scanner Server's IP address doesn’t belong to the Management, vStorage, or vMotion network)
The Security Scanner Server's IP address periodically performs scans of all hosts looking for known vulnerabilities.
Resolution
It is recommended to isolate vMotion traffic to a private, non-routable network and limit port access.
Scanning the vMotion network is considered as anti-pattern, because:
- vMotion traffic isn’t encrypted by default, so it should be isolated and not exposed anyway.
- External entities should never be able to connect to those ports in the first place.
Additional Information
Feedback
Yes
No
Powered by
