Why you should always upgrade vCenter before ESXi

Here it is, a scenario like many others, nothing different from the other Nutanix POCs I have done over the past few years: an existing vSphere vCenter 5.5 U1 and a brand new Nutanix deployment with vSphere ESXi 5.5 U3b. But … there is always a but. Generally, a setup like this is supported by VMware, but when I tried to add the ESXi host to vCenter I got this error message:

Cannot connect to specific host. The host may not be available on the network, a network configuration problem may exist, or the management services on this host may not be responding

After several minutes of troubleshooting potential network issues it was obvious to me that I should look for the cause somewhere else. Going through vpxd.log on the vCenter server I found an interesting entry:

A quick search on kb.vmware.com showed that SSLv3 has been disabled in vSphere ESXi 5.5 U3b because of the POODLE vulnerability. In the release notes VMware states:

Support for SSLv3 protocol is disabled by default
Note: In your vSphere environment, you need to update vCenter Server to vCenter Server 5.5 Update 3b before updating ESXi to ESXi 5.5 Update 3b. vCenter Server will not be able to manage ESXi 5.5 Update 3b, if you update ESXi before updating vCenter Server to version 5.5 Update 3b. For more information about the sequence in which vSphere environments need to be updated, refer to KB 2057795.

VMware highly recommends you to update ESXi hosts to ESXi 5.5 Update 3b while managing them from vCenter Server 5.5 Update 3b.

VMware does not recommend re-enabling SSLv3 due to POODLE vulnerability. If at all you need to enable SSLv3, you need to enable the SSLv3 protocol for all components. For more information, refer to KB 2139396.

Nevertheless, if you really do not want to, or cannot (for whatever reason), upgrade vCenter Server to version 5.5 U3b, then you can re-enable SSLv3 on the ESXi hosts and join them to vCenter.

First, edit the config file /etc/vmware/rhttpproxy/config.xml on the ESXi host, find the <vmacore> section and its <ssl> subsection, and add the line:

between <ssl> and </ssl>, then restart the rhttpproxy service with the /etc/init.d/rhttpproxy restart command.

NOTE: after this change you are running a configuration that is not supported by VMware.
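To confirm which state a host is actually in (SSLv3 still disabled after the U3b update, or re-enabled by the edit above), here is an added check that is not part of the original post and not a VMware tool: it sends a bare SSLv3 ClientHello to the host's management port and classifies the first record that comes back. The host name, port and cipher list are assumptions for the example.

```python
import socket
import struct

SSLV3 = b"\x03\x00"  # record/handshake version bytes for SSL 3.0

def build_sslv3_client_hello() -> bytes:
    """Build a minimal SSLv3 ClientHello inside one handshake record."""
    # Three cipher suites an SSLv3-era ESXi would recognise (constructed list).
    ciphers = b"\x00\x2f\x00\x35\x00\x0a"  # AES128-SHA, AES256-SHA, DES-CBC3-SHA
    body = (
        SSLV3                                   # client_version = 3.0
        + b"\x00" * 32                          # random: zeros are fine for an audit probe
        + b"\x00"                               # session_id length = 0
        + struct.pack("!H", len(ciphers)) + ciphers
        + b"\x01\x00"                           # one compression method: null
    )
    # Handshake header: type 1 (ClientHello) + 24-bit body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 0x16 (handshake), version 3.0, 16-bit length.
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake

def classify_response(data: bytes) -> str:
    """Interpret the first record the server sends back to the SSLv3 hello."""
    if len(data) < 5:
        return "no-response"          # server closed the socket or sent nothing usable
    content_type, major, minor = data[0], data[1], data[2]
    if content_type == 0x16 and (major, minor) == (3, 0):
        return "sslv3-accepted"       # ServerHello at version 3.0: SSLv3 is enabled
    if content_type == 0x15:
        return "sslv3-refused"        # alert (e.g. handshake_failure): SSLv3 disabled
    return "unexpected"

def check_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to host:port, send the SSLv3 ClientHello and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv3_client_hello())
            data = sock.recv(4096)
    except OSError:                   # connection refused, reset or timed out
        return "no-response"
    return classify_response(data)

if __name__ == "__main__":
    import sys
    print(check_sslv3(sys.argv[1]))   # e.g. python check_sslv3.py esxi-host.example (hypothetical host)
```

Run it against a host before and after the rhttpproxy edit: a U3b host that was left alone reports sslv3-refused, and one with SSLv3 re-enabled reports sslv3-accepted.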

Artur Krzywdzinski

Artur is a Consulting Architect at Nutanix. He has been using, designing and deploying VMware-based solutions since 2005 and Microsoft-based solutions since 2012. He specializes in designing and implementing private and hybrid cloud solutions based on VMware and Microsoft software stacks, datacenter migrations and transformations, and disaster avoidance. Artur holds the VMware Certified Design Expert certification (VCDX #077).