vSphere Configuration Profiles Draft-Precheck fails with 'Tunnel connection failed: 403 Forbidden'

Article ID: 435326

Products

VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

When performing a Draft-Precheck for vSphere Configuration Profiles (VCP), the operation fails.

The following error is observed in /var/log/vmware/vmware-updatemgr/vum-server/pluginrunner.log on the vCenter Server Appliance:

YYYY-MM-DDTHH:MM:SS error pluginrunner[########] [Originator@6876 sub=_scanInt opId=mainOpId] [pluginrunner 388] unable to download com.vmware.vcIntegrity plugins: https://vcenter.example.com:9087/vci/downloads/vcp-plugins.zip
Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 712, in urlopen
    self._prepare_proxy(conn)
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 1014, in _prepare_proxy
    conn.connect()
  File "/usr/lib/python3.10/site-packages/urllib3/connection.py", line 374, in connect
    self._tunnel()
  File "/usr/lib/python3.10/http/client.py", line 925, in _tunnel
    raise OSError(f"Tunnel connection failed: {code} {message.strip()}")
OSError: Tunnel connection failed: 403 Forbidden

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 801, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3.10/site-packages/urllib3/util/retry.py", line 594, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='vcenter.example.com', port=9087): Max retries exceeded with url: /vci/downloads/vcp-plugins.zip (Caused by ProxyError('Cannot connect to proxy.', OSError('Tunnel connection failed: 403 Forbidden')))

Cause

  • This issue occurs when a proxy is configured on the vCenter Server, and the vSphere Lifecycle Manager (vLCM) / Pluginrunner service attempts to download the vcp-plugins.zip package through the proxy.
  • If the proxy does not permit connections to the vCenter's own FQDN/IP, or cannot resolve it, the proxy rejects the tunnel connection with a 403 Forbidden error.

Resolution

To resolve this issue, exclude the vCenter Server's own addresses from proxying so that its connections to itself bypass the proxy.

Method 1: Update Proxy Settings via VAMI

  1. Log in to the vCenter Server Appliance Management Interface (VAMI) at https://<vCenter-IP>:5480
  2. Navigate to Networking > Proxy Settings.
  3. In the No Proxy field, add the vCenter Server's IPv4 address, FQDN, and short name as a comma-separated list.
  4. Click Save.

Method 2: Manually Update /etc/sysconfig/proxy

  1. Connect to the vCenter Server via SSH using root credentials.
  2. Open the proxy configuration file with a text editor: vi /etc/sysconfig/proxy
  3. Locate the NO_PROXY line and ensure it includes the vCenter FQDN and IP: NO_PROXY="localhost, 127.0.0.1, vcenter.example.com, 192.168.1.10" 
  4. Restart the vCenter services or the appliance to apply the changes: service-control --stop --all && service-control --start --all 

After applying these changes, retry the Draft-Precheck for vSphere Configuration Profiles.
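
The following check for Method 2 is an added example, not part of the original article or of VMware tooling. It reports which of the vCenter's own names are still missing from the active NO_PROXY line. The function name missing_no_proxy and the sample file contents are assumptions, and the check compares literal entries only.

```shell
#!/bin/sh
# Added example (not VMware code). missing_no_proxy is a hypothetical helper.
# Usage: missing_no_proxy FILE NAME...
# Prints every NAME that is absent from the active NO_PROXY line of FILE
# and returns 1 if at least one is missing, 0 otherwise.
missing_no_proxy() {
    file=$1; shift
    # Take the last uncommented NO_PROXY= assignment, drop the quotes,
    # split on commas, trim surrounding whitespace, lower-case each entry.
    entries=$(sed -n 's/^[[:space:]]*NO_PROXY=//p' "$file" | tail -n 1 |
        tr -d "\"'" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z')
    rc=0
    for name in "$@"; do
        want=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        # -x matches the whole entry (192.168.1.1 must not match 192.168.1.10);
        # -F treats dots literally instead of as regex wildcards.
        if ! printf '%s\n' "$entries" | grep -qxF -- "$want"; then
            printf '%s\n' "$name"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input: FQDN and IP are listed, the short name is not.
sample=$(mktemp)
printf '%s\n' 'PROXY_ENABLED="yes"' \
    '#NO_PROXY="old.example.com"' \
    'NO_PROXY="localhost, 127.0.0.1, vcenter.example.com, 192.168.1.10"' > "$sample"
missing_no_proxy "$sample" vcenter.example.com 192.168.1.10 vcenter || true
rm -f "$sample"
```

On the appliance, pass /etc/sysconfig/proxy as the file and the vCenter's own FQDN, IP address and short name as the names; any name printed still needs to be added to NO_PROXY.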