Peer cluster fails to be detected for vSAN Data Protection in vSphere Client

Article ID: 433386


Products

VMware Live Recovery

Issue/Introduction

Symptoms:

  • After the vCenter sites are paired successfully, the peer cluster does not show up when trying to pair the vSAN clusters under vSAN Data Protection.

Environment

  • VMware Live Recovery 9.0.4

Cause

  • The issue is caused by a missing vSAN Data Protection service account in the SSO user groups of vCenter.

  • In snapservice.log, the following permission errors are seen because authorization fails due to the missing vSAN Data Protection service account:

    (in /var/log/vmware/snapservice/snapservice.log)

    {"level":"error","timestamp":"2026-02-02T02:03:41.001Z","C":"auth/client.go:1450","message":"Failed to login to vc","error":"ServerFaultCode: Permission to perform this operation was denied.

    {"level":"error","timestamp":"2026-02-02T02:03:41.001Z","C":"auth/remote_client.go:305","message":"Failed to create remote VC client","RemoteSiteID":"########-####-####-####-############","error":"ServerFaultCode: Permission to perform this operation was denied.

    {"level":"error","timestamp":"2026-02-02T02:03:41.001Z","C":"remote/server.go:114","message":"Failed to create remote client","opID":"remote-vsphere-server-########-####-####-####-############","remote vsphere server":"########-####-####-####-############","SiteID":"########-####-####-####-############","error":"ServerFaultCode: Permission to perform this operation was denied."

    {"level":"error","timestamp":"2026-02-02T02:03:41.001Z","C":"sites/site.go:506","message":"Failed to create/re-initialize remote server","opID":"sites-retry-operation-f3b3","siteId":"########-####-####-####-############","error":"ServerFaultCode: Permission to perform this operation was denied."

  • It was observed that the SnapService service account for one site (Site-A) was missing from the user groups "SnapService Service Users" and "APS Administrators" in the vCenter SSO of the other site (Site-B).

    Run the following commands to list the SnapService service account user in the user groups of vCenter:

    root@<vCenter> [ ~ ] /usr/lib/vmware-vmafd/bin/dir-cli group list --name "SnapService Service Users"
    Enter password for [email protected]:

    CN=com.vmware.vsan.snapservice-########-####-####-####-############,cn=ServicePrincipals,dc=vsphere,dc=local


    root@<vCenter> [ ~ ] /usr/lib/vmware-vmafd/bin/dir-cli group list --name "SnapService Service Users"
    Enter password for [email protected]:

    CN=aps-########-####-####-####-############,cn=ServicePrincipals,dc=vsphere,dc=local
    CN=com.vmware.vsan.snapservice-########-####-####-####-############,cn=ServicePrincipals,dc=vsphere,dc=local

 

Resolution

Follow the steps provided below:

  1. Add the vSAN Data Protection service account of Site-B to the user groups 'SnapService Service Users' and 'APS Administrators' by running the following commands on the vCenter at Site-A:

    # /usr/lib/vmware-vmafd/bin/dir-cli group modify --name "SnapService Service Users" --add com.vmware.vsan.snapservice-########-####-####-####-############
    # /usr/lib/vmware-vmafd/bin/dir-cli group modify --name "APS Administrators" --add com.vmware.vsan.snapservice-########-####-####-####-############


  2. Perform the above steps on the vCenter at Site-B as well.

  3. Pair the vSAN Clusters from vSphere Client for vSAN Data Protection:

    Click on vCenter (select one of the two vCenters)  > Configure > vSAN > Data Protection > under 'Cluster Pairs', click on 'Pair Clusters'.
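
A read-only pre-check for steps 1 and 2, as an added example that is not part of the original article or VMware tooling: it lists both groups with the `dir-cli group list` command shown above and reports which of them lack the given service principal, so the account is added only where it is actually missing. The function names and the `DIR_CLI` variable are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: read-only membership check to run before `group modify`.
# Function names and DIR_CLI are assumptions of this sketch.

DIR_CLI=/usr/lib/vmware-vmafd/bin/dir-cli

# Print the members of one SSO group (dir-cli prompts for the SSO password).
list_group() {
    "$DIR_CLI" group list --name "$1"
}

# stdin: `group list` output. $1: service principal name (without "CN=").
# Succeeds only if some line starts with CN=<principal>, compared
# case-insensitively. Matching up to the trailing comma stops a shorter
# name from matching a longer one; prompt and blank lines never match.
is_member() {
    want=$(printf 'cn=%s,' "$1" | tr '[:upper:]' '[:lower:]')
    tr '[:upper:]' '[:lower:]' | tr -d ' \r' |
        awk -v w="$want" 'index($0, w) == 1 { found = 1 } END { exit !found }'
}

# Print each required group the principal is missing from.
# Returns 0 when it is a member of both groups, 1 otherwise.
missing_groups() {
    rc=0
    for group in "SnapService Service Users" "APS Administrators"; do
        if ! list_group "$group" | is_member "$1"; then
            printf '%s\n' "$group"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh check_groups.sh com.vmware.vsan.snapservice-<peer-site-id>
if [ "$#" -gt 0 ]; then
    missing_groups "$1"
fi
```

An empty result with exit status 0 means the peer site's account is already in both groups; a failed `dir-cli` call is reported as missing membership, so check the command's own error output first.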