"Failed to connect to one or more vCenter Servers" error while logging into vCenter UI

Article ID: 420081


Products

VMware vCenter Server

Issue/Introduction

  • When logging in to the primary vCenter in an Enhanced Linked Mode setup, the partner node is not visible in the vCenter UI.

  • Both vCenter Servers report a normal vmdird status when checked with:
    /usr/lib/vmware-vmafd/bin/dir-cli state get

  • The showpartnerstatus command detects the partner vCenter, but the Host available status is reported as No, as shown in the example below:
    /usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartnerstatus -h localhost -u administrator
    Password: XXXXXXXX
    Partner: <VCenter.FQDN>
    Host available: No

  • The /var/log/vmware/vmdird/vmdird.log file on the vCenter Server contains multiple errors indicating failed LDAP bind attempts to the partner vCenter over port 389, as shown in the sample log excerpts below:

yyyy-mm-ddThh:mm:ss:t@139824866518592:INFO: Add Entry (cn=AttributeMapping-4,cn=LegacyAliasMappings,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local, EID 0)(from #.#.#.#)(by <vCenter.FQDN>@SSo.domain)(via Ext)(USN 27542,0)
yyyy-mm-ddThh:mm:ss:t@139824866518592:INFO: Add Entry (cn=AttributeMapping-5,cn=LegacyAliasMappings,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local, EID 0)(from #.#.#.#)(by<vCenter.FQDN>@SSo.domain(via Ext)(USN 27543,0)
yyyy-mm-ddThh:mm:ss:t@139826334520896:ERROR: VmDirSafeLDAPBindEx to (ldap://<vCenter.FQDN>@SSo.domain:389) failed. SRP(9127)
yyyy-mm-ddThh:mm:ss:t@139826334520896:ERROR: VmDirSafeLDAPBindEx to (ldap://<vCenter.FQDN>@SSo.domain:389) failed. SRP(9127)
yyyy-mm-ddThh:mm:ss:t@139826334520896:ERROR: VmDirLastProcessedLocalUSNFromServer failed. Error(4294967291)
yyyy-mm-ddThh:mm:ss:t@139826334520896:ERROR: VmDirValidateAndAutoCorrectLocalUsnWithPartner failed. Error(4294967291)
yyyy-mm-ddThh:mm:ss:t@140157441263168:INFO: ProcessAConnection: Operation is not yet implemented..
yyyy-mm-ddThh:mm:ss:t@140157441263168:ERROR: VmDirSendLdapResult: Request (Abandon), Error (LDAP_UNWILLING_TO_PERFORM(53)), Message (Operation is not yet implemented.), (0) socket (#.#.#.#)
yyyy-mm-ddThh:mm:ss:t@140157583873600:ERROR: VmDirSafeLDAPBindEx to (ldap://<vCenter.FQDN>@SSo.domain:389) failed. SRP(9127)
yyyy-mm-ddThh:mm:ss:t@140157583873600:ERROR: VmDirSafeLDAPBindEx to (ldap://<vCenter.FQDN>@SSo.domain:389) failed. SRP(9136)
yyyy-mm-ddThh:mm:ss:t@140157583873600:ERROR: VmDirSafeLDAPBindEx to (ldap://<vCenter.FQDN>@SSo.domain:389) failed. SRP(9127)
yyyy-mm-ddThh:mm:ss:t@140157583873600:ERROR: VmDirSafeLDAPBindEx to (ldap://<vCenter.FQDN>@SSo.domain:389) failed. SRP(9127)

Environment

  • VMware vCenter 7.x
  • VMware vCenter 8.x

Cause

The issue occurs due to a port connectivity failure between the vCenter Server instances participating in the Enhanced Linked Mode (ELM) configuration. This network communication interruption prevents the vCenter partners from establishing the required connection over the necessary ports.

Resolution

1) Validating Port 389 Communication

To verify connectivity over port 389 between two linked-mode vCenter Servers, run the following command from one vCenter using the FQDN of the partner vCenter:
curl -v https://<Partner_vCenter_FQDN>:389

2) A connection failure will produce output similar to the following example:

root@<VCSA> [ ~ ]# curl -v https://<vCenter.FQDN>@SSo.domain:389
* Host <VCenter.FQDN>@SSo.domain:389 was resolved.
* IPv6: (none)
* IPv4: #.#.#.#
*   Trying #.#.#.#:389...
* ALPN: curl offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLS connect error: error:00000000:lib(0)::reason(0)
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to <vCenter.FQDN>:389
* closing connection #0
curl: (35) TLS connect error: error:00000000:lib(0)::reason(0)

Action: If the output resembles the above, involve the customer’s network and firewall teams to ensure that port 389 is permitted between the linked-mode vCenter Servers.

3) After the network issue is resolved, re-run the curl command. A successful connection will show output similar to the following:

root@<VCSA> [ ~ ]# curl -v https://<vCenter.FQDN>@SSo.domain:389
* Host <vCenter.FQDN>@SSo.domain:389 was resolved.
* IPv6: (none)
* IPv4: #.#.#.#
*   Trying #.#.#.#:389...
* Connected to <vCenter.FQDN>@SSo.domain (#.#.#.#) port 389

4) Once port 389 communication is successfully established between the vCenter Servers, the vmdir replication status between the linked-mode vCenter Servers should return to normal.

Additional Information

Verify that the required ports 389, 636, 2012, 2020, and 8084 are open between all vCenter Servers in Enhanced Linked Mode.
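
The log check and port validation above, combined into one shell helper as an added example (not part of the original article or a VMware tool): it counts VmDirSafeLDAPBindEx failures per partner and SRP code in vmdird.log, then probes all five required ports rather than only 389. The host vc02.example.test, the script name elm_triage.sh and the sample log lines are constructed; the probe assumes bash and timeout are available on the appliance.

```shell
#!/bin/sh
# Added example; hostnames and sample log lines are constructed.

# Constructed vmdird.log lines in the format of the excerpts above.
sample_log() {
cat <<'EOF'
2025-01-01T10:00:00:t@139824866518592:INFO: Add Entry (cn=example,dc=vsphere,dc=local, EID 0)(via Ext)(USN 27542,0)
2025-01-01T10:00:01:t@139826334520896:ERROR: VmDirSafeLDAPBindEx to (ldap://vc02.example.test:389) failed. SRP(9127)
2025-01-01T10:00:02:t@139826334520896:ERROR: VmDirLastProcessedLocalUSNFromServer failed. Error(4294967291)
2025-01-01T10:00:03:t@140157583873600:ERROR: VmDirSafeLDAPBindEx to (ldap://vc02.example.test:389) failed. SRP(9136)
2025-01-01T10:00:04:t@140157583873600:ERROR: VmDirSafeLDAPBindEx to (ldap://vc02.example.test:389) failed. SRP(9127)
2025-01-01T10:00:05:t@140157583873600:ERROR: VmDirSafeLDAPBindEx to (ldap://vc02.example.test:389) failed. SRP(9127)
EOF
}

# Count failed partner binds per target and SRP code: "<count> <target> <code>".
bind_failures() {
    awk '/ERROR: VmDirSafeLDAPBindEx to \(/ {
        target = $0; sub(/.*VmDirSafeLDAPBindEx to \(/, "", target); sub(/\).*/, "", target)
        code = $0; sub(/.*failed\. /, "", code)
        n[target " " code]++
    }
    END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# TCP-only probe (no TLS handshake, no LDAP bind); assumes bash and timeout exist.
port_open() {
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Probe every port the article lists as required between linked vCenters.
check_partner() {
    rc=0
    for p in 389 636 2012 2020 8084; do
        if port_open "$1" "$p"; then
            echo "$1:$p reachable"
        else
            echo "$1:$p NOT reachable"; rc=1
        fi
    done
    return "$rc"
}

# Usage: sh elm_triage.sh <partner_fqdn> [path/to/vmdird.log]
if [ "$#" -ge 1 ]; then
    bind_failures "${2:-/var/log/vmware/vmdird/vmdird.log}"
    check_partner "$1"
fi
```

Run it from each vCenter against the other, since a firewall rule can permit the ports in one direction only.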