Monday, 25 January 2016

Connecting An ESXi 5.5 U3b Host To A vCenter With A Lower Version

Written by Suhas Savkoor



Lately, I have been seeing more and more cases with VMware Support regarding "Unable to connect an ESXi host to a vCenter after upgrading it to 5.5 U3b". The common error you get when you try adding this host to a vCenter is:

"Cannot contact the specified host. The host may not be available on the network, a network configuration problem may exist, or the management service on this host is not responding"


This is because SSLv3 is disabled in 5.5 U3b, whereas a vCenter on a version lower than 5.5 U3b has SSLv3 enabled.
To resolve this, the best method is to upgrade your vCenter to 5.5 U3b.

If you do not want to upgrade vCenter, you can enable SSLv3 on the upgraded ESXi host. This is not a best practice and is not recommended by VMware, because it defeats the purpose of the upgrade. If you still want to, proceed with the below steps:

There are two parts where you need to enable SSLv3:

A) Enabling SSLv3 for Hostd - Port 443
1. Open an SSH session to this ESXi host.
2. Browse to this location using the below command:
# cd /etc/vmware/rhttpproxy
3. Backup the config file:
# cp config.xml config.xml.bak
4. Edit the file using the below command (Press i to begin edit)
# vi config.xml
Locate <vmacore>, then locate <ssl>. Under <ssl>, add the following entry:
<sslOptions>16924672</sslOptions>
5. Save the file by pressing Esc and then typing :wq!

B) Enabling SSLv3 for Port 902 (Required to connect to vCenter)
1. From the same SSH session on the host, run the below command:
# esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols -s ""

Restart rhttpproxy using the below command:
# /etc/init.d/rhttpproxy restart
That's it. You can now connect this ESXi 5.5 U3b host to a lower version of vCenter. Again, this is not a recommended practice, as it exposes the host to the SSLv3 POODLE vulnerability.
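
An audit check for the two settings changed above, as an added example (not from the original post or from VMware), useful for finding hosts where this workaround was left in place after vCenter was upgraded. It assumes `<sslOptions>` is an OpenSSL 1.0.x `SSL_OP_*` bitmask and that `VMAuthdDisabledProtocols` holds a comma-separated list of protocol names such as `sslv3`; the function names and the sample config are constructed.

```python
import xml.etree.ElementTree as ET

# OpenSSL 1.0.x SSL_OP_NO_* protocol bits (assumption: <sslOptions> is this bitmask)
SSL_OP_NO = {
    "SSLv2": 0x01000000,
    "SSLv3": 0x02000000,
    "TLSv1": 0x04000000,
    "TLSv1.2": 0x08000000,
    "TLSv1.1": 0x10000000,
}

def protocols_allowed(ssl_options):
    """Protocols whose SSL_OP_NO_* bit is clear, i.e. still negotiable."""
    return [name for name, bit in SSL_OP_NO.items() if not ssl_options & bit]

def audit_rhttpproxy(config_xml):
    """Findings for <vmacore>/<ssl>/<sslOptions> in rhttpproxy config.xml text."""
    node = ET.fromstring(config_xml).find("./vmacore/ssl/sslOptions")
    if node is None or not (node.text or "").strip():
        return []  # no override present; the host keeps its built-in default
    value = int(node.text.strip(), 0)
    if "SSLv3" in protocols_allowed(value):
        return ["port 443: sslOptions=%d (0x%08x) leaves SSLv3 enabled" % (value, value)]
    return []

def audit_vmauthd(disabled_protocols):
    """Check the string value of /UserVars/VMAuthdDisabledProtocols."""
    disabled = [p.strip().lower() for p in disabled_protocols.split(",") if p.strip()]
    if "sslv3" not in disabled:
        return ["port 902: VMAuthdDisabledProtocols=%r does not disable SSLv3"
                % disabled_protocols]
    return []

# Constructed sample: the relevant part of config.xml after step A
SAMPLE = """<config>
  <vmacore>
    <ssl>
      <sslOptions>16924672</sslOptions>
    </ssl>
  </vmacore>
</config>"""

if __name__ == "__main__":
    # "" is the value set in step B
    for finding in audit_rhttpproxy(SAMPLE) + audit_vmauthd(""):
        print("FINDING:", finding)
```

The value 16924672 is 0x01024000, which sets the SSLv2 bit but not the SSLv3 bit, so the sample produces one finding per port.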