Unable to encrypt VM when I/O filters are offline.

Article ID: 418969


Products

VMware vSphere ESXi, VMware vCenter Server

Issue/Introduction

  • Unable to encrypt or decrypt the VM because the option is grayed out.
  • KMS or Native Key Provider (NKP) is configured and connected.
    • Right-click the virtual machine and select Edit Settings.
    • Select the VM Options tab; the "Encrypt VM" option is grayed out.
  • I/O filters are offline.
    • Browse to vCenter Server in the vSphere Web Client navigator.
    • Click the Configure tab, and click Storage Providers.
    • In the Storage Providers list, the storage providers appear offline.

  • The following entries are recorded in the vCenter Server log /var/log/vmware/vmware-sps/sps.log:

    YYYY-MM-DDTHH:MM:SS [pool-12-thread-7] DEBUG opId=sps-VICNotifier-392808-799 com.vmware.spbm.domain.policy.Profile - Data service policy namespace: vmwarevmcrypt
    YYYY-MM-DDTHH:MM:SS [pool-12-thread-7] ERROR opId=sps-VICNotifier-392808-799 com.vmware.spbm.domain.policy.Profile - Exception occurred while finding the applicable sub-profile
    com.vmware.vim.binding.vmodl.fault.InvalidArgument: No VASA Provider for schema namespace (vmwarevmcrypt) found.

Environment

VMware vCenter Server 8.x

Resolution

To further isolate the issue, verify that vCenter can establish a connection to the ESXi host on port 9080 by following these steps.

  1. Execute the curl command within the vCenter shell:

    curl -v telnet://<Esxi-host-FQDN>:9080

    Expected output:
    * Host <Esxi-host-FQDN>:9080 was resolved.
    * IPv6: (none)
    * IPv4: #.#.#.#
    *   Trying #.#.#.#:9080...
    * Connected to Esxi-host-FQDN (#.#.#.#) port 9080

  2. Download the version.xml file from the ESXi host to verify connectivity.

    wget https://<Esxi-host-FQDN>:9080/version.xml --no-check-certificate

    Expected output:

    Connecting to #.#.#.#:9080... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 188 [text/xml]
    Saving to: ‘version.xml’

    version.xml                   100%[=====================================================>]     188  --.-KB/s    in 0s

  3. If the curl command from vCenter fails, or vCenter Server is unable to download the version.xml file from the ESXi host, work with your network team to ensure that communication on port 9080 is permitted between vCenter and the ESXi host.

    1. Ensure that port 9080 is unblocked.
    2. Also verify that the SSL handshake is allowed on port 9080.

  4. After unblocking the ports, restart the SPS service to bring the I/O filters online.
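The checks in steps 1 to 3 can be run against several hosts at once and sorted by the layer that failed, which gives the network team a precise request. The script below is an added example, not part of the original article or a VMware tool; the function names, result labels and the hostnames in the usage comment are assumptions, and it relies only on standard curl options and exit codes.

```bash
#!/bin/bash
# Added example: layered check of the vCenter -> ESXi path on port 9080.
# Run from the vCenter shell. Function names and labels are hypothetical.

# Map a curl exit code and HTTP status to the layer that failed.
# curl exit codes: 0 success, 6 could not resolve host, 7 failed to connect,
# 28 operation timed out, 35 SSL/TLS connect (handshake) error.
diagnose_9080() {
    case "$1" in
        0)  if [ "$2" = "200" ]; then echo "OK"; else echo "HTTP_$2"; fi ;;
        6)  echo "DNS_FAIL" ;;   # fix name resolution before testing the port
        7)  echo "TCP_FAIL" ;;   # port 9080 refused or unreachable (step 3.1)
        28) echo "TIMEOUT" ;;    # packets silently dropped, typical of a firewall
        35) echo "TLS_FAIL" ;;   # TCP works, SSL handshake is interrupted (step 3.2)
        *)  echo "CURL_$1" ;;    # anything else: report the raw curl exit code
    esac
}

# Fetch version.xml from one host and print the classified result.
# -k matches wget --no-check-certificate in step 2: the certificate is not
# validated, so this proves reachability and a completed handshake only.
check_host() {
    http=$(curl -k -s -o /dev/null --connect-timeout 5 --max-time 15 \
        -w '%{http_code}' "https://$1:9080/version.xml")
    rc=$?
    echo "$1: $(diagnose_9080 "$rc" "$http")"
}

# Usage (hostnames are placeholders):
#   ./check_9080.sh esx01.example.com esx02.example.com
if [ "$#" -gt 0 ]; then
    for host in "$@"; do
        check_host "$host"
    done
fi
```

A host reporting `TCP_FAIL` or `TIMEOUT` points to step 3.1, while `TLS_FAIL` points to step 3.2, for example a device that passes the TCP connection but interferes with the handshake.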

Should the problem persist, proceed to unregister the I/O providers by following the steps in: Storage providers show as offline on vCenter server | sps.log file generates excessive entries