Cloud Proxy Fails to Integrate with vCenter Due to TLS Handshake Reset

Article ID: 421937

Products

VMware Aria Operations (formerly vRealize Operations) 8.x

Issue/Introduction

The Cloud Proxy fails to integrate with vCenter while connecting to the following endpoint:

https://<VC-IP>/sdk

The vCenter Adapter in VMware Aria Operations reports a Connection reset error, and SSL/TLS handshake attempts do not return the vCenter certificate.
Cloud Proxy initially appears Offline, and after coming online, the secure API connection continues to fail.

TLS handshake resets are recorded on the vCenter side

Adapter logs showed TLS handshake failure and Connection reset when attempting to connect to https://<VC-IP>/sdk.
YYYY-MM-DDT05:14:16,318+0000 ERROR [Collector worker thread 13] (6325) com.integrien.adapter.vmware.VMwareAdapter.initializeVimClient - Unable to connect to VC https://<VC-IP>/sdk
com.vmware.vim.vmomi.client.exception.ConnectionException: https://<VC-IP>/sdk invocation failed with "java.net.SocketException: Connection reset"

openssl s_client from the Cloud Proxy failed to retrieve the vCenter certificate.

vCenter Envoy logs reported TLS errors and resets from the Cloud Proxy IP.
YYYY-MM-DDT08:26:14.086Z info envoy[2834] [Originator@6876 sub=connection] [Tags: "ConnectionId":"1121301"] remote address:10.XX.XX.XX:32774,TLS_error:|33554536:system library:OPENSSL_internal:Connection reset by peer:TLS_error_end
YYYY-MM-DDT08:26:45.715Z info envoy[2834] [Originator@6876 sub=connection] [Tags: "ConnectionId":"1121310"] remote address:10.XX.XX.XX:46626,TLS_error:|33554536:system library:OPENSSL_internal:Connection reset by peer:TLS_error_end

Environment

Aria Operations 8.18

Cause

Incorrect DNS settings on the Cloud Proxy, which leave the appliance showing as Offline.

A firewall or security device resets the TLS handshake between the Cloud Proxy and vCenter, preventing the SSL certificate exchange.

Resolution

  • Correct the DNS configuration on the Cloud Proxy so it can come online.

  • Update firewall/security policies to allow full TLS handshake on TCP 443 without SSL inspection or interception.

  • Validate using:

openssl s_client -connect <VC-IP>:443 -showcerts

to confirm that the vCenter certificate is returned.

  • Reattempt the vCenter integration from the Cloud Proxy, which completes successfully once the above issues are resolved.
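
The validation step above can be scripted so that a reset handshake is told apart from a returned certificate. This is an added example, not part of the original article or any VMware tooling; the function names, the verdict strings and the embedded sample output are constructed for illustration, and it assumes a Linux shell on the Cloud Proxy with openssl and coreutils timeout available.

```shell
#!/bin/sh
# Added example, not part of the KB article. Assumes a Linux shell on the
# Cloud Proxy with openssl and coreutils `timeout` available.

# Read `openssl s_client` output on stdin and print one verdict.
classify_handshake() {
  _out=$(cat)
  if printf '%s\n' "$_out" | grep -q -- '-----BEGIN CERTIFICATE-----'; then
    echo CERT_RETURNED       # handshake got far enough to deliver a certificate
  elif printf '%s\n' "$_out" | grep -Eq 'errno=104|Connection reset'; then
    echo HANDSHAKE_RESET     # ECONNRESET (errno 104 on Linux) during the handshake
  elif printf '%s\n' "$_out" | grep -q 'CONNECTED('; then
    echo NO_CERT             # TCP connected, but no certificate and no reset seen
  else
    echo NO_TCP_CONNECTION   # never connected: routing, port filtering or DNS
  fi
}

# Print the issuer of the server certificate, for comparison with the CA
# known to have issued the vCenter certificate.
cert_issuer() {
  sed -n 's/^ *issuer=//p' | head -n 1
}

# Run the article's validation command against a host and report the result.
check_vcenter() {
  _raw=$(timeout 15 openssl s_client -connect "$1:443" -showcerts </dev/null 2>&1)
  _verdict=$(printf '%s\n' "$_raw" | classify_handshake)
  echo "verdict: $_verdict"
  if [ "$_verdict" = CERT_RETURNED ]; then
    echo "issuer:  $(printf '%s\n' "$_raw" | cert_issuer)"
  fi
}

# Constructed sample of s_client output for a handshake that was reset.
SAMPLE_RESET='CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---'

if [ "$#" -gt 0 ]; then
  check_vcenter "$1"          # live check: pass the vCenter IP or FQDN
else
  printf '%s\n' "$SAMPLE_RESET" | classify_handshake   # offline demo
fi
```

A CERT_RETURNED verdict whose issuer is not the CA that signed the vCenter certificate indicates that SSL inspection is still in the path.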