Veeam Error NFC storage connection
Veeam Backup & Replication 7.0
Message shown while the backup job runs:
Processing 'V02' Error: Client error: NFC storage connection is unavailable. Storage: [stg:52b935ee-ffdedee8-43b8-00199990ce08,nfchost:ha-host,conn:X2]. Storage display name: [R0-500GB].
Failed to create NFC download stream. NFC path: [nfc://conn:X2,nfchost:ha-host,stg:52b935ee-ffdedee8-43b8-00199990ce08@V02/V02.vmx].
Check port 902:
# telnet 192.168.112.12 902
Trying 192.168.112.12...
Connected to 192.168.112.12.
Escape character is '^]'.
220 VMware Authentication Daemon Version 1.10: SSL Required, ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC , VMXARGS supported, NFCSSL supported/t
^Z
Connection closed by foreign host.
Let's look at the file system:
/vmfs/volumes/52b935ee-ffdedee8-43b8-00199990ce08/V02 # ls -la
total 22666272
drwxr-xr-x 1 root root 2520 Aug 30 11:20 .
drwxr-xr-t 1 root root 3780 Aug 4 07:01 ..
-rw------- 1 root root 1610612736 Aug 30 11:20 V02-6d3a65ec.vswp
-rw------- 1 root root 1311232 Aug 30 11:20 V02-ctk.vmdk
-rw------- 1 root root 21474836480 Aug 30 11:39 V02-flat.vmdk
-rw------- 1 root root 8684 Aug 30 11:20 V02.nvram
-rw------- 1 root root 546 Aug 30 11:20 V02.vmdk
-rw-r--r-- 1 root root 0 May 19 2014 V02.vmsd
-rwxr-xr-x 1 root root 3333 Aug 30 11:20 V02.vmx
-rw------- 1 root root 0 Aug 30 11:20 V02.vmx.lck
-rw-r--r-- 1 root root 4363 May 17 13:18 V02.vmxf
-rwxr-xr-x 1 root root 3332 Aug 30 11:20 V02.vmx~
-rw-r--r-- 1 root root 205433 May 17 12:08 vmware-12.log
-rw-r--r-- 1 root root 184615 May 17 12:22 vmware-13.log
-rw-r--r-- 1 root root 571144 Jun 28 10:59 vmware-14.log
-rw-r--r-- 1 root root 557878 Aug 30 10:44 vmware-15.log
-rw-r--r-- 1 root root 192096 Aug 30 11:24 vmware.log
-rw------- 1 root root 115343360 Aug 30 11:20 vmx-V02-1832543724-1.vswp
The *.vmx file downloads from the server successfully through Browse the Datastore, so we conclude that there is no problem at the permissions level.
Next, we look for errors in the logs and find:
# tail -f -n 200 /var/log/vmauthd.log
2017-08-30T11:57:43Z vmauthd[41310]: authd| I120: Disable sslv3
2017-08-30T11:57:43Z vmauthd[41310]: authd| I120: Connect from remote socket (192.168.112.16:52492).
2017-08-30T11:57:43Z vmauthd[41310]: authd| I120: Connect from 192.168.112.16
2017-08-30T11:57:43Z vmauthd[41310]: authd| I120: SSL Error: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
2017-08-30T11:57:43Z vmauthd[41310]: authd| W110: recv() FAIL: 1.
2017-08-30T11:57:43Z vmauthd[41310]: authd| W110: VMAuthdSocketRead: read failed. Closing socket for reading.
2017-08-30T11:57:43Z vmauthd[41310]: authd| I120: Read failed.
This is our cause! Link to the vendor's solution: SSLV3 enable
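The pattern in the log excerpt above (a connection line followed by an SSL error from the same vmauthd process) can be pulled out of vmauthd.log automatically to list which clients fail the handshake. This is an added example, not part of the original post; the second connection in the sample is constructed, and treating the PID in brackets as one connection is an assumption taken from the excerpt.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the excerpt above; the second
# connection (192.168.112.20) is invented to show a session without an error.
SAMPLE_LOG = """\
2017-08-30T11:57:43Z vmauthd[41310]: authd| I120: Disable sslv3
2017-08-30T11:57:43Z vmauthd[41310]: authd| I120: Connect from remote socket (192.168.112.16:52492).
2017-08-30T11:57:43Z vmauthd[41310]: authd| I120: Connect from 192.168.112.16
2017-08-30T11:57:43Z vmauthd[41310]: authd| I120: SSL Error: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
2017-08-30T11:57:43Z vmauthd[41310]: authd| W110: recv() FAIL: 1.
2017-08-30T11:58:02Z vmauthd[41377]: authd| I120: Connect from remote socket (192.168.112.20:40110).
2017-08-30T11:58:02Z vmauthd[41377]: authd| I120: Connect from 192.168.112.20
"""

# "<timestamp> vmauthd[<pid>]: authd| <level>: <message>"
LINE = re.compile(r"^(\S+) vmauthd\[(\d+)\]: authd\| \w+: (.*)$")
PEER = re.compile(r"^Connect from remote socket \(([\d.]+):\d+\)")
# OpenSSL error string: error:<code>:<library>:<function>:<reason>
TLS_ERR = re.compile(r"^SSL Error: error:[0-9A-Fa-f]+:[^:]*:[^:]*:(.+)$")


def handshake_failures(log_text):
    """Map client IP -> [(timestamp, OpenSSL reason)] for failed handshakes."""
    peer_by_pid = {}  # assumption: one vmauthd PID per connection
    failures = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, pid, msg = m.groups()
        peer = PEER.match(msg)
        if peer:
            peer_by_pid[pid] = peer.group(1)
            continue
        err = TLS_ERR.match(msg)
        if err:
            failures[peer_by_pid.get(pid, "unknown")].append((ts, err.group(1)))
    return dict(failures)


if __name__ == "__main__":
    for ip, events in handshake_failures(SAMPLE_LOG).items():
        for ts, reason in events:
            print(f"{ts} {ip}: TLS handshake failed ({reason})")
```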
Solution
Caution:
These steps expose the security vulnerabilities with SSLv3. This issue is resolved in VMware View 6.2, available at VMware Downloads. For more information, see VMware Horizon 6 version 6.2 Release Notes.
The SSLv3 support can be enabled for these ports and services:
CIM Port 5989
Authd Service Port 902
Enabling support for SSLv3 on CIM Port 5989 in ESXi
Create a backup copy of the /etc/sfcb/sfcb.cfg file.
Edit the /etc/sfcb/sfcb.cfg file to append the following line at the end of the file:
enableSSLv3: true
Note: If you have the line enableSSLv3: false in the file, change it to enableSSLv3: true
For example:
cat /etc/sfcb/sfcb.cfg
# Generated by sfcb-config.py. Do not modify this header.
# VMware ESXi 6.0.0 build-3029758
#
basicAuthLib: sfcBasicPAMAuthentication
certificateAuthLib: sfcCertificateAuthentication
cimXmlFdHardLimit: 1024
cimXmlFdSoftLimit: 512
. . .
threadStackSize: 524288
useChunking: true
sslCipherList: HIGH:!DES-CBC3-SHA!CAMELLIA128-SHA!CAMELLIA256-SHA
enableSSLv3: true
Restart the SFCBD service with the command:
/etc/init.d/sfcbd-watchdog restart
Enabling support for SSLv3 on Authd service 902 in ESXi
Create a backup copy of the /etc/vmware/config file.
Edit the /etc/vmware/config file to append the following line at the end of the file:
vmauthd.ssl.noSSLv3 = "false"
Note: If you have the line vmauthd.ssl.noSSLv3 = "true" in the file, change it to vmauthd.ssl.noSSLv3 = "false"
For example:
cat /etc/vmware/config
libdir = "/usr/lib/VMware"
authd.proxy.nfc = "vmware-hostd:ha-nfc"
authd.proxy.nfcssl = "vmware-hostd:ha-nfcssl"
authd.proxy.vpxa-nfcssl = "vmware-vpxa:vpxa-nfcssl"
authd.proxy.vpxa-nfc = "vmware-vpxa:vpxa-nfc"
authd.fullpath = "/sbin/authd"
vmauthd.ssl.noSSLv3 = "false"
Additional Information
For the related Veeam Knowledge Base article, see http://www.veeam.com/kb2063.
Follow these steps to enable the SSLv3 protocol on the hostd service for ESXi 6.0 U1b and later.
By default SSLv3 is disabled. If you want to enable SSLv3, set the setting to empty by using the below command:
Log in to ESXi through SSH.
Run the following command to get a list of disabled protocols for hostd:
esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols
Path: /UserVars/VMAuthdDisabledProtocols
Type: string
Int Value: 0
Default Int Value: 0
Min Value: 0
Max Value: 0
String Value: sslv3
Default String Value: sslv3
Valid Characters: *
Description: VMAuthd disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.
If SSLv3 is disabled, run the following command to enable it:
esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols -s ""
Restart the rhttpproxy services by running the following command:
Run the following command to get a list of enabled protocols for hostd:
esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols
Path: /UserVars/VMAuthdDisabledProtocols
Type: string
Int Value: 0
Default Int Value: 0
Min Value: 0
Max Value: 0
String Value:
Default String Value: sslv3
Valid Characters: *
Description: VMAuthd disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.
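Because these steps leave SSLv3 enabled on the host, it helps to be able to check which of the three settings described above are currently in the weakened state, so the change can be tracked and reverted once no client needs SSLv3. The audit below is an added example, not VMware's or the author's code; the inputs are constructed from the snippets in this article, the function name is hypothetical, and it assumes that a missing line in either config file means SSLv3 stays disabled and that the disabled-protocols list is comma or space separated.

```python
import re


def sslv3_findings(vmware_config, sfcb_cfg, esxcli_output):
    """Return the places where the given settings leave SSLv3 enabled."""
    findings = []
    # /etc/vmware/config: vmauthd.ssl.noSSLv3 = "false" enables SSLv3 on authd.
    values = re.findall(r'^[ \t]*vmauthd\.ssl\.noSSLv3[ \t]*=[ \t]*"?(\w+)"?',
                        vmware_config, re.M)
    if any(v.lower() == "false" for v in values):
        findings.append("authd port 902 (/etc/vmware/config)")
    # /etc/sfcb/sfcb.cfg: enableSSLv3: true enables SSLv3 on the CIM port.
    values = re.findall(r"^[ \t]*enableSSLv3[ \t]*:[ \t]*(\w+)", sfcb_cfg, re.M)
    if any(v.lower() == "true" for v in values):
        findings.append("CIM port 5989 (/etc/sfcb/sfcb.cfg)")
    # esxcli listing: SSLv3 is enabled unless it appears in "String Value".
    for line in esxcli_output.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "String Value":  # not "Default String Value"
            disabled = {p for p in re.split(r"[,\s]+", value.lower()) if p}
            if "sslv3" not in disabled:
                findings.append("VMAuthdDisabledProtocols (esxcli)")
    return findings


# Constructed inputs mirroring the "after" state shown in this article.
WEAK_VMWARE_CONFIG = '''libdir = "/usr/lib/VMware"
authd.fullpath = "/sbin/authd"
vmauthd.ssl.noSSLv3 = "false"
'''
WEAK_SFCB_CFG = '''useChunking: true
enableSSLv3: true
'''
WEAK_ESXCLI = '''   Path: /UserVars/VMAuthdDisabledProtocols
   String Value:
   Default String Value: sslv3
'''

if __name__ == "__main__":
    for item in sslv3_findings(WEAK_VMWARE_CONFIG, WEAK_SFCB_CFG, WEAK_ESXCLI):
        print("SSLv3 enabled:", item)
```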