Search fails and Hardware Health and Health Status plug-ins are disabled in the vSphere Client

Article ID: 342880

Products

VMware vCenter Server

Issue/Introduction

The vSphere Client does not connect to the Inventory service when installed on Windows Server 2003 or Windows XP, and has these symptoms:
  • When you try to search the vSphere Client inventory, you see the error message:

    Login to the query service failed. A communication error occurred while sending data to the server. (The underlying connection was closed: An unexpected error occurred on a send.)

  • In the viclient-x-xxxx.log (located at: %USERPROFILE%\AppData\Local\VMware\vpx), you see entries similar to:

    Exception rethrown at [0]:
    ...
    at System.Net.HttpWebRequest.GetResponse()
    at VirtualInfrastructure.Utils.WebDownload.GetResponse()
    System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
    ...
    at System.Net.ConnectStream.WriteHeaders(Boolean async)
    --- End of inner exception stack trace ---
    [ :Error :P: 7] YYYY-MM-DD 12:54:12.808 possible failure processing clients.xml
    System.Net.WebException: The client could not send a complete request to the server. (The underlying connection was closed: An unexpected error occurred on a send.)
    at VirtualInfrastructure.Utils.WebQuery.LocalizeWebException(WebException exception)
    at VirtualInfrastructure.Utils.WebQuery.Request(String url, Nullable`1 timeoutSecs)
    at VirtualInfrastructure.Utils.ClientsXml.ParseXml(Int32 timeoutSecs)
    at VpxClient.Login.ClientsXmlLoader.TrySinglePort(ClientsXml clientXml, Exception& activeError)
    System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send.
    Server stack trace:

  • While trying to sort by name at the cluster level, you see the error:

    Error when trying to sort : Login to query service failed: The underlying connection was closed: An unexpected error occurred on a send. Authentication failed because the remote party has closed the transport stream

  • Hardware Health and Health Status plug-ins are disabled and cannot be viewed in the vSphere Client.

  • In the performance overview page, you see the error:

    This program cannot display the webpage


Environment

VMware vCenter Server 5.1.x
VMware vCenter Server Appliance 5.1.x
VMware vCenter Server 5.5.x

Resolution

This issue occurs because the VMware Management Web Services components now use stronger cipher strengths by default. This change was introduced in vSphere 5.1, and as a result the host operating system must support a higher cipher strength to be able to connect to these components.
In Windows Vista and Windows Server 2008, the proper cipher strengths are built into the operating system. However, for older Windows operating systems, a Microsoft hotfix must be applied to add the supported cipher strengths.
For more information on the cipher strengths that get added with the hotfix, see the Microsoft Knowledge Base article 948963.
Note: The preceding link was correct as of March 18, 2012. If you find a link is broken, provide feedback and a VMware employee will update the link.

Windows 2003 (32-bit and 64-bit Edition)
For Windows Server 2003 (32-bit and 64-bit), apply the appropriate hotfix to the machine on which the vSphere Client is installed.

If the vSphere Client is installed on the Windows Server where vCenter Server is installed, you must also apply the patch to that Windows Server.

To download the hotfix for your system, see the Microsoft Knowledge Base article 948963.

Notes:
  • You must reboot the machine after applying the hotfix.
  • Non-English versions of the hotfixes are also available on the Microsoft site. Click the Show hotfixes for all platforms and languages link on the Hotfix Request page to view the available versions.

Windows XP (32-bit)

There is no hotfix available for Windows XP (32-bit). Microsoft currently provides only limited support for Windows XP, and as a result the hotfix has not been released for it. To resolve this issue, you must upgrade your host operating system to Windows Vista or later, which supports the use of high cipher strengths.

If you are unable to upgrade your environment, you can try adding less secure cipher strengths back to the configuration, which allows communication to proceed successfully.

Cautions:
  • This is not a recommended configuration and is provided for backward compatibility purposes only. The information below is provided as-is, is unsupported, and is to be used at your own risk.
  • The configuration below, in which the cipher strength is reduced, may not work for Inventory searching via the vSphere Client connected to vCenter Server.

To add less secure cipher strengths back to the configuration:
  1. Log in as an administrator to the server where vCenter Server is installed.
  2. Navigate to the Tomcat configuration directory.

    Note: By default, this directory is located at C:\Program Files\VMware\Infrastructure\tomcat\conf\. In vCenter Server Appliance, the file is located at /usr/lib/vmware-vpx/tomcat/conf.

  3. Open the server.xml file using a text editor.
  4. Edit the Connector element to add support for weaker ciphers, changing it from:

    <Connector SSLEnabled="true" acceptCount="100" ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_256_CBC_SHA, TLS_DH_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DH_RSA_WITH_AES_128_CBC_SHA, TLS_DH_DSS_WITH_AES_128_CBC_SHA" connectionTimeout="20000" executor="tomcatThreadPool" keystoreFile="${bio-vmssl.keyFile.name}" keystorePass="${bio-vmssl.SSL.password}" keystoreType="PKCS12" maxKeepAliveRequests="15" port="${bio-vmssl.https.port}" protocol="HTTP/1.1" redirectPort="${bio-vmssl.https.port}" scheme="https" secure="true"></Connector>

    To:

    <Connector SSLEnabled="true" acceptCount="100" ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_256_CBC_SHA, TLS_DH_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DH_RSA_WITH_AES_128_CBC_SHA, TLS_DH_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" connectionTimeout="20000" executor="tomcatThreadPool" keystoreFile="${bio-vmssl.keyFile.name}" keystorePass="${bio-vmssl.SSL.password}" keystoreType="PKCS12" maxKeepAliveRequests="15" port="${bio-vmssl.https.port}" protocol="HTTP/1.1" redirectPort="${bio-vmssl.https.port}" scheme="https" secure="true"></Connector>

    Note: Add only the five cipher suites appended to the end of the ciphers list (SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA), which the original article marks in red, and do not change any other options. This adds back support for less secure cipher strengths for backward compatibility purposes.

  5. Restart the VMware VirtualCenter Management Web Services service. For more information, see Stopping, starting, or restarting vCenter services (1003895).
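
To check whether a server.xml carries the weak suites this workaround adds, and to produce the ciphers value to restore once the legacy clients are gone, the following Python script can be used. It is an added example, not part of the VMware article. The sample XML is constructed and trimmed, and the DES, NULL and EXPORT markers go beyond the suites the article names.

```python
import xml.etree.ElementTree as ET

# Name fragments of suites to flag. RC4, 3DES and MD5 are what the article's
# workaround adds; DES, NULL and EXPORT are an added generalisation.
WEAK_MARKERS = ("_RC4_", "_3DES_", "_MD5", "_DES_", "_NULL_", "_EXPORT_")

# Constructed sample: the article's edited Connector, trimmed to a few suites.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector SSLEnabled="true" port="${bio-vmssl.https.port}" scheme="https" ciphers="TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA ,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
  <Connector port="8009" protocol="AJP/1.3"/>
</Service></Server>"""


def split_ciphers(value):
    """Split a Tomcat 'ciphers' attribute, tolerating uneven spacing."""
    return [name.strip() for name in value.split(",") if name.strip()]


def is_weak(suite):
    """True if the suite name contains one of the flagged fragments."""
    return any(marker in suite for marker in WEAK_MARKERS)


def audit_connectors(xml_text):
    """Return one finding per SSL-enabled Connector in a server.xml document."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # non-SSL connectors negotiate no cipher suites
        suites = split_ciphers(conn.get("ciphers", ""))
        findings.append({
            "port": conn.get("port"),
            "explicit_list": bool(suites),  # False: JVM default suites apply
            "weak": [s for s in suites if is_weak(s)],
            # Value to put back in 'ciphers' once legacy clients are retired.
            "restored_ciphers": ", ".join(s for s in suites if not is_weak(s)),
        })
    return findings


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        status = "WEAK SUITES ENABLED" if f["weak"] else "ok"
        print(f"port={f['port']} {status}: {', '.join(f['weak'])}")
        print(f"  restore ciphers to: {f['restored_ciphers']}")
```

To audit a live system, pass the contents of the server.xml from the Tomcat configuration directory named in step 2 to audit_connectors().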
