VASA Provider Registration Troubleshooting

Article ID: 327066

Products

VMware vCenter Server, VMware vSAN

Issue/Introduction

Symptoms:
After a rescan, the VASA providers may not populate, or they may not be added for a new host. The problem can lie in several places, and all of them should be checked.

This KB covers vSAN 7.0, 6.7 and vSAN 6.2-6.6.x.

Environment

VMware vSphere ESXi (All Versions)

Resolution

vSAN 6.7 and higher

  1. Is the VASA Provider running?
One possibility is that the VASA provider is not running. In 6.7, there is no longer a vsanvpd service on the hosts. All troubleshooting must be done from vCenter.
  • Try to access https://<VC-IP>/vsanHealth/vsanvp/version.xml
    If this page can be accessed and shows version information like the example below, vsanvp is working correctly.
    <vasa-provider>
    <supported-versions>
    <version id="4" serviceLocation="/vsanHealth/" vmomiServerVersion="newest"/>
    </supported-versions>
    </vasa-provider>
  • If the version page can't be accessed, check the status of the vmware-vsan-health service by running service-control --status vmware-vsan-health. Example output:
    Running:
    vmware-vsan-health
  • If vmware-vsan-health is running, check the vsanvp log at /var/log/vmware/vsan-health/vsanvp.log for the message "VSAN VP registration done". This message means vsanvp has registered to sps.


vSAN 6.6 and below

  1. Is the VASA Provider running?

One possibility is that the VASA provider (vsanvpd) is not running on the host. This can be examined easily by checking the status of vsanvpd with the init script:

[root@hostname:~] /etc/init.d/vsanvpd status
vsanvpd is running.

If the vsanvpd is not running, start it manually:

[root@hostname:~] /etc/init.d/vsanvpd start
vsanvpd started

Recheck the service. If it fails again, examine the log file to determine what the error is, and examine the Knowledge Base, Bugzilla, etc. for a resolution.

[root@hostname:~] cat /var/run/log/vsanvpd.log

  2. Is the VASA Provider reachable?

If the VASA provider is running on the hosts, the issue may be related to network connectivity. The vCenter Server and the on-host VASA providers communicate over port 8080. This port must be open to register VASA providers. This is easy to check on either Windows or Linux vCenter.

  a. Check for VASA accessibility

To check that the port is live, connect to the VASA provider on port 8080 and determine whether the VASA XML information is returned. This process varies between the vCenter Server Appliance (VCSA) and Windows vCenter.

Appliance:

Use the cURL utility to check the VASA Provider:
curl --insecure https://<host>:8080/version.xml

vsan-rvc:~ # curl --insecure https://brm-dell-vsan04.example.com:8080/version.xml
<vasa-provider><supported-versions><version id="2" serviceLocation="/vasa/services/vasaService"/></supported-versions></vasa-provider>
vsan-rvc:~ #

Windows:

Use a web browser to check the VASA Provider by navigating to https://<host>:8080/version.xml


If this type of XML response is not received even though the VASA provider is running, it indicates that something may be interfering with communication between the vCenter Server and the ESXi hosts over port 8080. Check the following:

  b. Check ESXi host firewalls

Examine the host Security Profile and ensure that the vsanvp rule is enabled to permit host communication over port 8080.

  c. Check vCenter Server firewall
  • On Windows vCenter Server, check that the Windows Firewall is either disabled or that all VMware-installed rules are active. In addition, check for custom rules that may be interfering with port 8080 outbound or inbound.
  • On the VCSA, the firewall should be correctly configured by default.

If all host-side and vCenter firewalls are configured as expected but the VASA provider on the hosts is still inaccessible, it is very likely that a physical or virtual firewall is interfering upstream, between vCenter Server and the ESXi hosts. Engage with the customer's network/firewall teams to make that determination.
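
The version.xml check from step 2 (and the vSAN 6.7 check of /vsanHealth/vsanvp/version.xml) can be scripted so that an error page returned by a device in the path is not mistaken for a provider response. This is an added example, not VMware tooling; the function name vasa_version_info, the /tmp path and the constructed HTML sample are assumptions.

```shell
#!/bin/sh
# Added example, not VMware tooling. Typical use on the VCSA (same curl call as the KB):
#   curl --insecure -s -o /tmp/version.xml https://<host>:8080/version.xml
#   vasa_version_info /tmp/version.xml
# --insecure skips certificate validation, so this shows reachability only;
# certificate problems are a separate check (sps wrapper.log).

# Prints "id=<n> serviceLocation=<path>" and returns 0 for a VASA provider
# version document; returns 1 if the body is empty/missing, 2 if it is not VASA XML.
vasa_version_info() {
    [ -s "$1" ] || return 1
    # Flatten so single-line (6.6) and multi-line (6.7) responses parse alike.
    flat=$(tr -d '\r\n' < "$1")
    case $flat in
        *"<vasa-provider>"*"<supported-versions>"*"<version "*) ;;
        *) return 2 ;;
    esac
    ver_id=$(printf '%s' "$flat" | sed -n 's/.*<version [^>]*id="\([0-9][0-9]*\)".*/\1/p')
    loc=$(printf '%s' "$flat" | sed -n 's/.*<version [^>]*serviceLocation="\([^"]*\)".*/\1/p')
    [ -n "$ver_id" ] && [ -n "$loc" ] || return 2
    printf 'id=%s serviceLocation=%s\n' "$ver_id" "$loc"
}

# Constructed samples: the two responses shown in the KB, an HTML block page, an empty body.
samples=$(mktemp -d)
trap 'rm -rf "$samples"' EXIT
cat > "$samples/v66.xml" <<'EOF'
<vasa-provider><supported-versions><version id="2" serviceLocation="/vasa/services/vasaService"/></supported-versions></vasa-provider>
EOF
cat > "$samples/v67.xml" <<'EOF'
<vasa-provider>
<supported-versions>
<version id="4" serviceLocation="/vsanHealth/" vmomiServerVersion="newest"/>
</supported-versions>
</vasa-provider>
EOF
printf '<html><body>Access denied</body></html>\n' > "$samples/blocked.html"
: > "$samples/empty.xml"
for f in v66.xml v67.xml blocked.html empty.xml; do
    if info=$(vasa_version_info "$samples/$f"); then
        echo "$f: $info"
    else
        echo "$f: not a VASA provider response (rc=$?)"
    fi
done
```

A return code of 2 with a non-empty body points at something answering on the port other than the provider, which fits the upstream firewall case described above.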

  3. Examine VASA certificates

If the VASA provider is running and it is not reachable by vCenter Server, the problem may be related to certificates. VASA and SPBM use certificate exchange, and the vCenter Server must accept the VASA provider certificates.

Certificate-related problems will be called out in the SPBM Java process's wrapper log. The location varies by vCenter Server type.

Windows vCenter Server: %ProgramData%\VMware\vCenterServer\logs\vmware-sps\wrapper.log
VCSA: /var/log/vmware/vmware-sps/wrapper.log

If certificate-related problems are reported, examine the KB, Bugzilla, etc. for guidance based on the error message.

In some cases, the VASA provider certificate may be 0 bytes in size. To resolve this, the host-side (provider) VASA certificates are required. These are stored on each ESXi host in /etc/vmware/ssl/

ls -lah /etc/vmware/ssl/
total 68
drwxr-xr-x    1 root     root         512 Mar 22 19:57 .
-r--r--r-T    1 root     root           0 Mar  4  2016 .#castore.pem
-r--r--r-T    1 root     root          41 Aug 13  2016 .#rui-for-netcpa.crt
-r--r--r-T    1 root     root          42 Aug 13  2016 .#rui-for-netcpa.key
-r-------T    1 root     root           0 Mar  4  2016 .#rui.bak
-r--r--r-T    1 root     root           0 Mar  4  2016 .#rui.crt
-r-------T    1 root     root           0 Mar  4  2016 .#rui.key
-r--r--r-T    1 root     root           0 Feb 17  2016 .#vsanvp_castore.pem
drwxr-xr-x    1 root     root         512 Mar 23 21:08 ..
-rw-r--r--    1 root     root       12.5K Mar 21 18:43 castore.pem
-rw-r--r--    1 root     root        1.1K Mar 21 18:43 rui-for-netcpa.crt
-rw-r--r--    1 root     root        1.6K Mar 21 18:43 rui-for-netcpa.key
-r--------    1 root     root        6.2K Mar 21 18:43 rui.bak
-rw-r--r--    1 root     root        1.4K Mar 21 18:43 rui.crt
-r--------    1 root     root        1.7K Mar 21 18:43 rui.key
-rw-r--r--    1 root     root        3.0K Mar 21 18:45 vsanvp.pem
-rw-r--r--    1 root     root           0 Mar 21 18:43 vsanvp_castore.pem
-rw-r--r--    1 root     root          64 Mar 22 19:57 vsanvp_secret

It is usually vsanvp_castore.pem that is 0 bytes. In this case, SCP a good copy from another host and restart /etc/init.d/vsanmgmtd; the issue will be cleared.
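
An added example (not part of the KB or VMware tooling) that flags zero-byte files in the SSL directory and sanity-checks a replacement vsanvp_castore.pem before it is copied into place. The function names, the /tmp path and the dummy sample files are assumptions, as is ignoring the dot-prefixed entries.

```shell
#!/bin/sh
# Added example, not VMware tooling. On an ESXi host:
#   empty_cert_files /etc/vmware/ssl
#   usable_castore /tmp/vsanvp_castore.pem   # copy from a healthy host (placeholder path)

# Print each zero-byte regular file in DIR; return 1 if any were found.
# The shell glob skips dot-files, so the 0-byte ".#..." entries seen in the KB
# listing are ignored (assumption: only the non-hidden files matter here).
empty_cert_files() {
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ ! -s "$f" ]; then
            basename "$f"
            found=1
        fi
    done
    return "$found"
}

# Return 0 only if FILE is non-empty and holds at least one complete PEM
# certificate block; unequal BEGIN/END counts indicate a truncated copy.
usable_castore() {
    [ -s "$1" ] || return 1
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$1" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# Constructed sample directory mirroring the KB listing (file contents are dummies).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
: > "$demo/.#rui.crt"
: > "$demo/vsanvp_castore.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'ZHVtbXk=' '-----END CERTIFICATE-----' > "$demo/rui.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'ZHVtbXk=' > "$demo/truncated.pem"

empty_cert_files "$demo" || echo "zero-byte files found (listed above)"
for c in rui.crt truncated.pem vsanvp_castore.pem; do
    if usable_castore "$demo/$c"; then echo "$c: usable"; else echo "$c: not usable"; fi
done
```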

In certain rare circumstances, usually in vSphere 5.5, the VASA provider may need to be registered manually. To accomplish this, the host-side (provider) VASA certificate is required. It is stored on each ESXi host in /etc/vmware/ssl/vsanvp.pem

Manual VASA Provider registration
  1. Ensure that the VASA Provider is running and accessible per steps 1 and 2.
  2. Navigate to the Storage Providers section of vCenter Server, and click the green "+" icon to manually register a provider.
  3. Name the provider for the ESXi host.
  4. The URL is the VASA provider URL, as described in step 2.
  5. The username that must be used is "VsanUser".
  6. The password must be fetched from the MOB and then pasted into the correct field. (https://<hostIP>/mob/?moid=vsanSystem&method=fetchVsanSharedSecret&vmodl=1)
  7. Fetch the VASA certificate from the host (/etc/vmware/ssl/vsanvp.pem) and attach it by checking the "Use storage provider certificate" check box.