Veeam Error NFC storage connection

Veeam Backup & Replication 7.0

Message shown when running the backup:

Processing 'V02' Error: Client error: NFC storage connection is unavailable. Storage: [stg:52b935ee-ffdedee8-43b8-00199990ce08,nfchost:ha-host,conn:X2]. Storage display name: [R0-500GB].
Failed to create NFC download stream. NFC path: [nfc://conn:X2,nfchost:ha-host,stg:52b935ee-ffdedee8-43b8-00199990ce08@V02/V02.vmx].

Check port 902:

# telnet 192.168.112.12 902
Trying 192.168.112.12...
Connected to 192.168.112.12.
Escape character is '^]'.
220 VMware Authentication Daemon Version 1.10: SSL Required, ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC , VMXARGS supported, NFCSSL supported/t
^Z 
Connection closed by foreign host.

Let's look at the file system:

/vmfs/volumes/52b935ee-ffdedee8-43b8-00199990ce08/V02 # ls -la
total 22666272
drwxr-xr-x    1 root     root          2520 Aug 30 11:20 .
drwxr-xr-t    1 root     root          3780 Aug  4 07:01 ..
-rw-------    1 root     root     1610612736 Aug 30 11:20 V02-6d3a65ec.vswp
-rw-------    1 root     root       1311232 Aug 30 11:20 V02-ctk.vmdk
-rw-------    1 root     root     21474836480 Aug 30 11:39 V02-flat.vmdk
-rw-------    1 root     root          8684 Aug 30 11:20 V02.nvram
-rw-------    1 root     root           546 Aug 30 11:20 V02.vmdk
-rw-r--r--    1 root     root             0 May 19  2014 V02.vmsd
-rwxr-xr-x    1 root     root          3333 Aug 30 11:20 V02.vmx
-rw-------    1 root     root             0 Aug 30 11:20 V02.vmx.lck
-rw-r--r--    1 root     root          4363 May 17 13:18 V02.vmxf
-rwxr-xr-x    1 root     root          3332 Aug 30 11:20 V02.vmx~
-rw-r--r--    1 root     root        205433 May 17 12:08 vmware-12.log
-rw-r--r--    1 root     root        184615 May 17 12:22 vmware-13.log
-rw-r--r--    1 root     root        571144 Jun 28 10:59 vmware-14.log
-rw-r--r--    1 root     root        557878 Aug 30 10:44 vmware-15.log
-rw-r--r--    1 root     root        192096 Aug 30 11:24 vmware.log
-rw-------    1 root     root     115343360 Aug 30 11:20 vmx-V02-1832543724-1.vswp

Through Browse the Datastore, the *.vmx file downloads successfully from the server. We conclude that there is no problem at the permissions level.

Next we look for errors in the logs. We find:

# tail -f -n 200 /var/log/vmauthd.log
2017-08-30T11:57:43Z vmauthd[41310]: authd| I120: Disable sslv3
2017-08-30T11:57:43Z vmauthd[41310]: authd| I120: Connect from remote socket (192.168.112.16:52492).
2017-08-30T11:57:43Z vmauthd[41310]: authd| I120: Connect from 192.168.112.16
2017-08-30T11:57:43Z vmauthd[41310]: authd| I120: SSL Error: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
2017-08-30T11:57:43Z vmauthd[41310]: authd| W110: recv() FAIL: 1.
2017-08-30T11:57:43Z vmauthd[41310]: authd| W110: VMAuthdSocketRead: read failed.  Closing socket for reading.
2017-08-30T11:57:43Z vmauthd[41310]: authd| I120: Read failed.

This is our cause!
Link to the vendor's solution: SSLV3 enable
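Before relaxing the protocol setting for every client, it helps to know which clients vmauthd is actually rejecting. The following is an added example, not part of the original post or the vendor's article: it correlates the "Connect from" and "SSL Error" lines of vmauthd.log by process ID. It assumes each connection is logged under its own vmauthd PID, as in the excerpt above; the sample lines for 192.168.112.20 and for the second connection from 192.168.112.16 are constructed.

```python
import re
from collections import Counter

# Sample in the format of /var/log/vmauthd.log; the first three lines come
# from the excerpt above, the remaining lines are constructed.
SAMPLE_LOG = """\
2017-08-30T11:57:43Z vmauthd[41310]: authd| I120: Disable sslv3
2017-08-30T11:57:43Z vmauthd[41310]: authd| I120: Connect from remote socket (192.168.112.16:52492).
2017-08-30T11:57:43Z vmauthd[41310]: authd| I120: SSL Error: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
2017-08-30T11:58:02Z vmauthd[41377]: authd| I120: Connect from remote socket (192.168.112.20:40112).
2017-08-30T11:58:02Z vmauthd[41377]: authd| I120: Read failed.
2017-08-30T11:59:10Z vmauthd[41402]: authd| I120: Connect from remote socket (192.168.112.16:52510).
2017-08-30T11:59:10Z vmauthd[41402]: authd| I120: SSL Error: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
"""

# timestamp, PID, and message of one vmauthd log line
LINE = re.compile(r"^(\S+) vmauthd\[(\d+)\]: authd\| \w+: (.*)$")
CONNECT = re.compile(r"Connect from remote socket \(([\d.]+):\d+\)")
BAD_VERSION = "wrong version number"


def rejected_clients(log_text):
    """Count handshakes rejected for their protocol version, per client IP."""
    peer_by_pid = {}   # assumption: one vmauthd PID per connection
    hits = Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue   # not a vmauthd line, skip it
        _ts, pid, msg = m.groups()
        c = CONNECT.search(msg)
        if c:
            peer_by_pid[pid] = c.group(1)
        elif "SSL Error" in msg and BAD_VERSION in msg:
            hits[peer_by_pid.get(pid, "unknown")] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, n in sorted(rejected_clients(SAMPLE_LOG).items()):
        print(f"{ip}: {n} rejected handshake(s)")
```

A short list of offending addresses shows whether only the backup server depends on the old protocol.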

Contents of the solution:

Solution
Caution: These steps expose the security vulnerabilities with SSLv3. This issue is resolved in VMware View 6.2, available at VMware Downloads. For more information, see VMware Horizon 6 version 6.2 Release Notes.

The SSLv3 support can be enabled for these ports and services:

CIM Port 5989
Authd Service Port 902

Enabling support for SSLv3 on CIM Port 5989 in ESXi

Create a backup copy of the /etc/sfcb/sfcb.cfg file.

Edit the /etc/sfcb/sfcb.cfg file to append the following line at the end of the file:

enableSSLv3: true

Note: If you have the line enableSSLv3: false in the file, change it to enableSSLv3: true

For Example:

cat /etc/sfcb/sfcb.cfg
# Generated by sfcb-config.py. Do not modify this header.
# VMware ESXi 6.0.0 build-3029758
#
basicAuthLib: sfcBasicPAMAuthentication
certificateAuthLib: sfcCertificateAuthentication
cimXmlFdHardLimit: 1024
cimXmlFdSoftLimit: 512
.
.
.
threadStackSize: 524288
useChunking: true
sslCipherList: HIGH:!DES-CBC3-SHA!CAMELLIA128-SHA!CAMELLIA256-SHA
enableSSLv3: true

Restart the SFCBD service with the command:

/etc/init.d/sfcbd-watchdog restart

Enabling support for SSLv3 on Authd service 902 in ESXi

Create a backup copy of the /etc/vmware/config file.

Edit the /etc/vmware/config file to append the following line at the end of the file:

vmauthd.ssl.noSSLv3 = "false"

Note: If you have the line vmauthd.ssl.noSSLv3 = "true" in the file, change it to vmauthd.ssl.noSSLv3 = "false"

For Example:

cat /etc/vmware/config
libdir = "/usr/lib/VMware"
authd.proxy.nfc = "vmware-hostd:ha-nfc"
authd.proxy.nfcssl = "vmware-hostd:ha-nfcssl"
authd.proxy.vpxa-nfcssl = "vmware-vpxa:vpxa-nfcssl"
authd.proxy.vpxa-nfc = "vmware-vpxa:vpxa-nfc"
authd.fullpath = "/sbin/authd"
vmauthd.ssl.noSSLv3 = "false"

Restart the rhttpproxy service with the command:

/etc/init.d/rhttpproxy restart

Additional Information

For the related Veeam Knowledge Base article, see http://www.veeam.com/kb2063.

Follow these steps to enable SSLv3 protocol on hostd service for ESXi 6.0 U1b and later.

By default SSLv3 is disabled. If you want to enable SSLv3, set the setting to empty by using the below command:

Login to ESXi through SSH.
Run the following command to get a list of disabled protocols for hostd:

esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols

Path: /UserVars/VMAuthdDisabledProtocols
Type: string
Int Value: 0
Default Int Value: 0
Min Value: 0
Max Value: 0
String Value:sslv3
Default String Value: sslv3
Valid Characters: *
Description: VMAuthd disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.

If SSLv3 is disabled, run the following command to enable it:

esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols -s ""

Restart the rhttpproxy services by running the following command:

/etc/init.d/rhttpproxy restart

Run the following command to get a list of enabled protocols for hostd:

esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols

Path: /UserVars/VMAuthdDisabledProtocols
Type: string
Int Value: 0
Default Int Value: 0
Min Value: 0
Max Value: 0
String Value:
Default String Value: sslv3
Valid Characters: *
Description: VMAuthd disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.
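Each of the three settings above leaves SSLv3 enabled until someone reverts it, so a host audit should flag all of them. The following is an added example, not VMware's or Veeam's code: it takes the text of /etc/vmware/config, /etc/sfcb/sfcb.cfg and the esxcli output and reports every place where SSLv3 is switched on. The sample inputs are constructed, and the separator between several disabled protocols (comma or whitespace) is an assumption.

```python
import re

# Constructed samples mirroring the three settings described above.
VMWARE_CONFIG = '''libdir = "/usr/lib/VMware"
authd.fullpath = "/sbin/authd"
vmauthd.ssl.noSSLv3 = "false"
'''
SFCB_CFG = '''useChunking: true
sslCipherList: HIGH:!DES-CBC3-SHA!CAMELLIA128-SHA!CAMELLIA256-SHA
enableSSLv3: true
'''
ESXCLI_OUT = '''Path: /UserVars/VMAuthdDisabledProtocols
Type: string
String Value:
Default String Value: sslv3
'''


def sslv3_findings(vmware_config, sfcb_cfg, esxcli_out):
    """Return one finding per setting that leaves SSLv3 enabled."""
    findings = []
    for line in vmware_config.splitlines():
        key, _, val = line.partition("=")
        # Tolerate typographic quotes pasted from a web page.
        val = val.strip().strip('"\u201c\u201d').lower()
        if key.strip() == "vmauthd.ssl.noSSLv3" and val == "false":
            findings.append("authd 902: vmauthd.ssl.noSSLv3 = false")
    for line in sfcb_cfg.splitlines():
        key, _, val = line.partition(":")
        if key.strip() == "enableSSLv3" and val.strip().lower() == "true":
            findings.append("CIM 5989: enableSSLv3: true")
    for line in esxcli_out.splitlines():
        key, _, val = line.partition(":")
        # Only the current value counts, not "Default String Value".
        if key.strip() == "String Value":
            # Assumption: protocols are separated by commas or whitespace.
            disabled = [p for p in re.split(r"[,\s]+", val.lower()) if p]
            if "sslv3" not in disabled:
                findings.append("authd 902: VMAuthdDisabledProtocols omits sslv3")
    return findings


if __name__ == "__main__":
    for finding in sslv3_findings(VMWARE_CONFIG, SFCB_CFG, ESXCLI_OUT):
        print("SSLv3 enabled ->", finding)
```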
