VMware Cloud Foundation 3.10.1 | 08 SEP 2020 | Build 16808643

VMware Cloud Foundation 3.10.1.1 | 20 OCT 2020 | Build 17010744

VMware Cloud Foundation 3.10.1.2 | 20 NOV 2020 | Build 17206767

Check for additions and updates to these release notes.

What's New

NOTE: VMware Cloud Foundation 3.10.1 can be installed as a new deployment or upgraded from VMware Cloud Foundation 3.10.0.1. For more information, see Installation and Upgrade Information below.

The VMware Cloud Foundation (VCF) 3.10.1 release includes the following:

BOM Updates for the 3.10.1 Release: Updated Bill of Materials with new product versions.

VMware Cloud Foundation Bill of Materials (BOM)

The Cloud Foundation software product is comprised of the following software Bill-of-Materials (BOM). The components in the BOM are interoperable and compatible.

VMware Response to Apache Log4j Remote Code Execution Vulnerability: VMware Cloud Foundation is impacted by CVE-2021-44228, and CVE-2021-45046 as described in VMSA-2021-0028. To remediate these issues, see Workaround instructions to address CVE-2021-44228 & CVE-2021-45046 in VMware Cloud Foundation (KB 87095).

Software Component Version Date Build Number
Cloud Builder VM 3.10.1 8 SEP 2020 16808643
SDDC Manager 3.10.1 8 SEP 2020 16808643
VMware vCenter Server Appliance 6.7 Update 3j 28 APR 2020 16046470
VMware ESXi ESXi670-202008001 20 AUG 2020 16713306
VMware vSAN 6.7 P02 / U3g 28 APR 2020 15985001
VMware NSX Data Center for vSphere 6.4.8 10 AUG 2020 16724220
VMware NSX-T Data Center 2.5.2.1 03 SEP 2020 16784095
VMware Enterprise PKS 1.7 02 APR 2020 16116522
VMware vRealize Suite Lifecycle Manager 2.1 Patch 2 04 MAY 2020 16154511
VMware vRealize Log Insight 4.8 11 APR 2019 13036238
vRealize Log Insight Content Pack for NSX for vSphere 3.9 n/a n/a
vRealize Log Insight Content Pack for Linux 2.0.1 n/a n/a
vRealize Log Insight Content Pack for vRealize Automation 7.5+ 1.0 n/a n/a
vRealize Log Insight Content Pack for vRealize Orchestrator 7.0.1+ 2.1 n/a n/a
vRealize Log insight Content Pack for NSX-T 3.8.2 n/a n/a
vSAN Content Pack for Log Insight 2.2 n/a n/a
vRealize Operations Manager 7.5 11 APR 2019 13165949
vRealize Automation 7.6 11 APR 2019 13027280
VMware Horizon 7 7.10.0 17 SEP 2019 14584133

Note:

  • vRealize Log Insight Content Packs are deployed during the workload domain creation.
  • VMware Solution Exchange and the vRealize Log Insight in-product marketplace store only the latest versions of the content packs for vRealize Log Insight. The Bill of Materials table contains the latest versions of the packs that were available at the time VMware Cloud Foundation is released. When you deploy the Cloud Foundation components, it is possible that the version of a content pack within the in-product marketplace for vRealize Log Insight is newer than the one used for this release.
  • To remediate VMSA-2020-0007 (CVE-2020-3953 and CVE-2020-3954) for vRealize Log Insight 4.8, you must apply the vRealize Log Insight 4.8 security patch. For information on the security patch, see KB article 79168. ​
  • For this release, you can install the vRealize Suite 2019 products instead of those listed in the BOM. These include vRealize Suite Lifecycle Manager 8.1, vRealize Log Insight 8.1.1, vRealize Operations 8.1, and vRealize Automation 8.1 along with Workspace ONE Access. For prescriptive guidance on deploying and configuring these products with Cloud Foundation 3.10, see Deployment of VMware vRealize Suite 2019 on VMware Cloud Foundation 3.10.

VMware Software Edition License Information

The SDDC Manager software is licensed under the Cloud Foundation license. As part of this product, the SDDC Manager software deploys specific VMware software products.

The following VMware software components deployed by SDDC Manager are licensed under the Cloud Foundation license:

  • VMware ESXi
  • VMware vSAN
  • VMware NSX Data Center for vSphere

The following VMware software components deployed by SDDC Manager are licensed separately:

  • VMware vCenter Server
  • NOTE Only one vCenter Server license is required for all vCenter Servers deployed in a Cloud Foundation system.
  • VMware NSX-T
  • VMware Enterprise PKS
  • VMware Horizon 7
  • VMware vRealize Automation
  • VMware vRealize Operations
  • VMware vRealize Log Insight and content packs
  • NOTE Cloud Foundation permits limited use of vRealize Log Insight for the management domain without the purchase of a vRealize Log Insight license.

For details about the specific VMware software editions that are licensed under the licenses you have purchased, see the Cloud Foundation Bill of Materials (BOM) section above.

For general information about the product, see VMware Cloud Foundation.

Supported Hardware

For details on supported configurations, see the VMware Compatibility Guide (VCG) and the Hardware Requirements section on the Prerequisite Checklist tab in the Planning and Preparation Workbook.

Documentation

To access the Cloud Foundation documentation, go to the VMware Cloud Foundation product documentation.

To access the documentation for VMware software products that SDDC Manager can deploy, see the product documentation and use the drop-down menus on the page to choose the appropriate version:

Browser Compatibility and Screen Resolutions

The Cloud Foundation web-based interface supports the latest two versions of the following web browsers except Internet Explorer:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
  • Internet Explorer: Version 11

For the Web-based user interfaces, the supported standard resolution is 1024 by 768 pixels. For best results, use a screen resolution within these tested resolutions:

  • 1024 by 768 pixels (standard)
  • 1366 by 768 pixels
  • 1280 by 1024 pixels
  • 1680 by 1050 pixels

Resolutions below 1024 by 768, such as 640 by 960 or 480 by 800, are not supported.

Installation and Upgrade Information

VMware Cloud Foundation 3.10 can be installed as a new deployment or upgraded from VMware Cloud Foundation 3.9.1. You can also use the skip-level upgrade tool to upgrade to VMware Cloud Foundation 3.10 from versions earlier than 3.9.1.

In addition to the release notes, see the VMware Cloud Foundation Upgrade Guide for information about the upgrade process.

Installing as a New Release

The new installation process has three phases:

Phase One: Prepare the Environment

The VMware Cloud Foundation Planning and Preparation Guide provides detailed information about the software, tools, and external services that are required to implement a Software-Defined Data Center (SDDC) with VMware Cloud Foundation, using a standard architecture model.

Phase Two: Image all servers with ESXi

Image all servers with the ESXi version mentioned in the Cloud Foundation Bill of Materials (BOM) section. See the VMware Cloud Foundation Architecture and Deployment Guide for information on installing ESXi.

Phase Three: Install Cloud Foundation 3.10

Refer to the VMware Cloud Foundation Architecture and Deployment Guide for information on deploying Cloud Foundation.

Upgrading to Cloud Foundation 3.10

You can upgrade to Cloud Foundation 3.10 from 3.9.1. You can also use the skip-level upgrade tool to upgrade to VMware Cloud Foundation 3.10 from versions earlier than 3.9.1. For information on upgrading to 3.10, refer to the VMware Cloud Foundation Upgrade Guide.

VMware Cloud Foundation 3.10.0.1 Release Information

VMware Cloud Foundation 3.10.1.1 includes bug and security fixes.

You can upgrade to Cloud Foundation 3.10.1.1 from a 3.10.1 deployment, or you can use the skip-level upgrade tool to upgrade to VMware Cloud Foundation 3.10.1.1 from versions earlier than 3.10.1. For upgrade information, refer to the VMware Cloud Foundation Upgrade Guide.

Cloud Foundation 3.10.1.1 contains the following BOM updates:

Software Component Version Date Build Number
SDDC Manager 3.10.1.1 20 OCT 2020 17010744
VMware ESXi ESXi670-202010001 20 OCT 2020 16773714
VMware NSX-T Data Center 2.5.2.2 14 OCT 2020 17003648

SDDC Manager 3.10.1.1 addresses the following:

SDDC Manager 3.10.1.1 contains security fixes for Photon OS packages PHSA-2020-3.0-0086 to PHSA-2020-3.0-0103 published here: https://github.com/vmware/photon/wiki/Security-Advisories-3

ESXi670-202010001 addresses the following issue:

OpenSLP as used in ESXi has a use-after-free issue. This issue might allow a malicious actor with network access to port 427 on an ESXi host to trigger a use-after-free in the OpenSLP service resulting in remote code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned identifier CVE-2020-3992 to this issue. For more information, see VMware Security Advisory VMSA-2020-0023.

NSX-T Data Center 2.5.2.2 addresses the following issue:

VMware NSX-T contains a security vulnerability that exists in the way it allows a KVM host to download and install packages from NSX Manager. A malicious actor with MITM positioning may be able to exploit this issue to compromise the transport node. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned identifier CVE-2020-3992 to this issue. For more information, see VMware Security Advisory VMSA-2020-0023.

VMware Cloud Foundation 3.10.1.2 Release Information

You can upgrade to VMware Cloud Foundation 3.10.1.2 from a 3.10.1.1 deployment, or you can use the skip-level upgrade tool to upgrade to VMware Cloud Foundation 3.10.1.2 from versions earlier than 3.10.1.1. For upgrade information, refer to the VMware Cloud Foundation Upgrade Guide.

VMware Cloud Foundation 3.10.1.2 contains the following BOM updates:

Software Component Version Date Build Number
SDDC Manager 3.10.1.2 24 NOV 2020 17206767
VMware ESXi ESXi670-202011002 19 NOV 2020 17167734
VMware vCenter Server Appliance 6.7 U3l 19 NOV 2020 17138064

SDDC Manager 3.10.1.2 addresses the following issue:

SDDC Manager 3.10.1.2 contains security fixes for Photon OS packages PHSA-2020-3.0-0140 to PHSA-2020-3.0-0162 published here: https://github.com/vmware/photon/wiki/Security-Advisories-3.

ESXi670-202010002 addresses the following issues:

OpenSLP as used in ESXi has a use-after-free issue. This issue might allow a malicious actor with network access to port 427 on an ESXi host to trigger a use-after-free in the OpenSLP service resulting in remote code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2020-3992 to this issue. For more information, see VMware Security Advisory VMSA-2020-0023.1.

VMware ESXi contains a use-after-free vulnerability in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine might exploit this issue to execute code as the virtual machine's VMX process running on the host. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2020-4004 to this issue. For more information, see VMSA-2020-0026.

VMware ESXi contains a privilege-escalation vulnerability that exists in the way certain system calls are being managed. A malicious actor with privileges within the VMX process only, might escalate their privileges on the affected system. Successful exploitation of this issue is only possible when chained with another vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2020-4005 to this issue. For more information, see VMSA-2020-0026.

For information about other resolved issues, see the release notes for VMware ESXi 6.7, Patch Release ESXi670-202011002.

See the VMware vCenter Server 6.7 Update 3l Release Notes for information about the issues resolved in that release.

Resolved Issues

The following issue is resolved in this release.

  • Adding a cluster to a workload domain with 50 or more VMware ESXi nodes may fail

Known Issues

Bring-up Known Issues

  • Cloud Foundation Builder VM deployment fails with the "[Admin/Root] password does not meet standards" message

    When configuring the Cloud Foundation Builder admin and root passwords, the format restrictions are not validated. As a result, you can create a password that does not meet the requirements and the Cloud Foundation Builder VM deployment will fail.

    Workaround: When configuring the Cloud Foundation Builder, ensure that the password meets the following restrictions:

    • Minimum eight characters long
    • Must include at least one uppercase letter
    • Must include at least one lowercase letter
    • Must include at least one digit
    • Must include at least one special character

  • The Cloud Foundation Builder VM remains locked after more than 15 minutes.

    The VMware Imaging Appliance (VIA) locks out the user after three unsuccessful login attempts. Normally, the lockout is reset after fifteen minutes but the underlying Cloud Foundation Builder VM does not automatically reset.

    Workaround: Using SSH, log in as admin to the Cloud Foundation Builder VM, then switch to the root user. Unlock the account by resetting the password of the admin user with the following command.

    pam_tally2 --user=<user> --reset

  • The bring-up process fails at task stop TLS 1.0 on the vRealize Log Insight nodes

    The bring-up fails at the task stop TLS 1.0 on the vRealize Log Insight nodes with the following error Connect to 10.0.0.17:9543 [/10.0.0.17] failed: Connection refused (Connection refused). This issue has been observed in the slow environments after restarting a vRealize Log Insight node. The node does not start correctly and its API is not reachable.

    Workaround: Use the following procedure to work around this issue.

    1. Restart the failed bring-up execution in the Cloud Foundation Builder VM and open the bring-up logs.

      This will retry the failed the bring-up task which might still fail on the initial attempt. The log shows an unsuccessful connection to the vRealize Log Insight node.

    2. While bring-up is still running, use SSH to log in to the vRealize Log Insight node that is shown as failed in the bring-up log.
    3. Run the following command to determine the connection issue.

      loginsight-node-2:~ # service loginsight status

      It should confirm that the daemon is not running.

    4. Execute the following command:

      loginsight-node-2:~ # mv /storage/core/loginsight/cidata/cassandra/data/system ~/cassandra_keyspace_files

    5. Reboot the vRealize Log Insight node.
    6. Confirm that it is running.

      loginsight-node-2:~ # uptime

      18:25pm up 0:02, 1 user, load average: 3.16, 1.07, 0.39

      loginsight-node-2:~ # service loginsight status

      Log Insight is running.

    In a few minutes, the bring-up process should successfully establish a connection to the vRealize Log Insight node and proceed.

Upgrade Known Issues

  • The vRealize Automation upgrade reports the "Precheck Execution Failure : Make sure the latest version of VMware Tools is installed" message

    The vRealize Automation IaaS VMs must have the same version of VMware Tools as the ESXi hosts on which the VMs reside.

    Workaround: Upgrade VMware Tools on the vRealize Automation IaaS VMs.

  • Error upgrading vRealize Automation

    Under certain circumstances, upgrading vRealize Automation may fail with a message similar to:

    An automated upgrade has failed. Manual intervention is required. 
vRealize Suite Lifecycle Manager Pre-upgrade checks for vRealize Automation have failed: 
vRealize Automation Validations : iaasms1.rainpole.local : RebootPending : Check if reboot is pending : Reboot the machine. 
vRealize Automation Validations : iaasms2.rainpole.local : RebootPending : Check if reboot is pending : Reboot the machine. 
Please retry the upgrade once the upgrade is available again.

    1. Log-in into the first VM listed in the error message using RDP or the VMware Remote Console.
    2. Reboot the VM.
    3. Wait 5 minutes after the login screen of the VM appears.
    4. Repeat steps 1-3 for the next VM listed in the error message.
    5. Once you have restarted all the VMs listed in the error message, retry the vRealize Automation upgrade.

  • When there is no associated workload domain to vRealize Automation, the VRA VM NODES CONSISTENCY CHECK upgrade precheck fails

    This upgrade precheck compares the content in the logical inventory on the SDDC Manager and the content in the vRealize Lifecycle Manager environment. When there is no associated workload domain, the vRealize Lifecycle Manager environment does not contain information about the iaasagent1.rainpole.local and iaasagent2.rainpole.local nodes. Therefore the check fails.

    Workaround: None. You can safely ignore a failed VRA VM NODES CONSISTENCY CHECK during the upgrade precheck. The upgrade will succeed even with this error.

  • NSX Data Center for vSphere upgrade fails with the message "Host Prep remediation failed"

    After addressing the issue, the NSX Data Center for vSphere bundle no longer appears as an available update.

    Workaround: To complete the upgrade, manually enable the anti-affinity rules.

    1. Log in to the management vCenter Server using the vSphere Client.
    2. Click Menu > Hosts and Clusters and select the cluster on which host prep remediation failed (for example SDDC-Cluster1).
    3. Click Configure > Configuration > VM/Host Rules.
    4. Select NSX Controller Anti-Affinity Rule and click Edit.
    5. Select Enable rule and click OK.

    This completes the NSX Data Center for vSphere upgrade.

  • Lifecycle Management displays fatal error

    When the user password in the /opt/vmware/vcf/lcm/lcm-app/conf/application.properties file contains a backslash (\), Lifecycle Manager does not start and displays the fatal error Password authentication failed for user lcm.

    Workaround: Follow the steps below to resolve the error:

    1. SSH to the SDDC Manager VM.
    2. Type su to switch to root user.
    3. Open the /opt/vmware/vcf/lcm/lcm-app/conf/application.properties file, remove all backslashes (\) from the lcm.datasource.password field, and save the file.
    4. Run the command systemctl restart lcm-db.

  • Task panel does not show correct upgrade tasks for NSX-T workload domain upgrades

    When you upgrade NSX-T workload domains. the task panel does not show upgrade status correctly. This is a UI issue only and there is no impact on the upgrade workflow.

    Monitor upgrade status by navigating to the Update/Patches tab of the relevant workload domain:

    1. On the SDDC Manager Dashboard, click Inventory -> Workload Domains.
    2. In the Domain column, click the appropriate workload domain name.
    3. Click the Update/Patches tab.
    4. Monitor upgrade status.

  • Exception displayed when a scheduled NSX-T upgrade begins during an idle SDDC Manager session

    When a scheduled NSX-T upgrade begins during an idle SDDC Manager session, the following UI exception is displayed: Retrieving NSXT upgrade failed with unknown exception

    This is a UI issue only. There is no impact on the upgrade workflow.

    Refresh the web browser.

vRealize Suite Known Issues

  • vRealize Operations Manager: VMware Security Advisory VMSA-2021-0018

    VMSA-2021-0018 describes security vulnerabilities that affect VMware Cloud Foundation.

    • The vRealize Operations Manager API contains an arbitrary file read vulnerability. A malicious actor with administrative access to vRealize Operations Manager API can read any arbitrary file on server leading to information disclosure.The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned identifier CVE-2021-22022 to this issue.
    • The vRealize Operations Manager API has insecure object reference vulnerability. A malicious actor with administrative access to vRealize Operations Manager API may be able to modify other users information leading to an account takeover.The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned identifier CVE-2021-22023 to this issue.
    • The vRealize Operations Manager API contains an arbitrary log-file read vulnerability. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can read any log file resulting in sensitive information disclosure. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned identifier CVE-2021-22024 to this issue.
    • The vRealize Operations Manager API contains a broken access control vulnerability leading to unauthenticated API access. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can add new nodes to existing vROps cluster. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned identifier CVE-2021-22025 to this issue.
    • The vRealize Operations Manager API contains a Server Side Request Forgery in multiple end points. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack leading to information disclosure. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned identifiers CVE-2021-22026 and CVE-2021-22027 to this issue.

    Workaround: See KB 85452 for information about applying vRealize Operations Security Patches that resolve the issues.

  • The password update for vRealize Automation and vRealize Operations Manager may run infinitely or may fail when the password contains special character "%"

    Password management uses the vRealize Lifecycle Manager API to update the password of vRealize Automation and vRealize Operations Manager. When there is special character "%" in either of SSH or API or Administrator credential types of the vRealize Automation and vRealize Operations Manager users, then the vRealize Lifecycle Manager API hangs and doesn't respond to password management. There is a timeout of 5 mins and password management marks the operation as failed.

    Workaround:Retry the password update operation without the special character "%". Ensure that the passwords for all other vRealize Automation and vRealize Operations Manager accounts don't contain the "%" special character.

  • vRealize Log Insight installation gets stuck due to incorrect MTU configuration

    During deployment, Edge Service Gateways send frames with the MTU specified in the Universal Distributed Logical Router - MTU Size field in the deployment parameters file to the Top of Rack switches. If this MTU size is not configured correctly in your infrastructure, the vRealize Log Insight deployment may hang on an installation task after the Apply vRealize Log Insight License task.

    If any of these tasks remain incomplete for more than 30 minutes. follow the workaround below.

    1. Fix the routing between the Edge-vTEP network and ESXi-vTEP network
    2. SSH to the Cloud Builder VM.
    3. Switch to root:
      • sudo -i
    1. Restart the bring-up service:

    systemctl restart vcf-bringup

    Wait five minutes to get all services online.

    Retry the bring-up process.

Networking Known Issues

  • NSX Manager is not visible in the vSphere Web Client.

    In addition to NSX Manager not being visible in the vSphere Web Client, the following error message displays in the NSX Home screen: "No NSX Managers available. Verify current user has role assigned on NSX Manager." This issue occurs when vCenter Server is not correctly configured for the account that is logged in.

    Workaround: To resolve this issue, follow the procedure detailed in Knowledge Base article 2080740 "No NSX Managers available" error in the vSphere Web Client.

SDDC Manager Known Issues

  • Unable to delete VI workload domain enabled for vRealize Operations Manager from SDDC Manager.

    Attempts to delete the vCenter adapter also fail, and return an SSL error.

    Workaround: Use the following procedure to resolve this issue.

    1. Create a vCenter adapter instance in vRealize Operations Manager, as described in Configure a vCenter Adapter Instance in vRealize Operations Manager. This step is required because the existing adapter was deleted by the failed workload domain deletion.
    2. Follow the procedure described in Knowledge Base article 56946.
    3. Restart the failed VI workload domain deletion workflow from the SDDC Manager interface.

  • APIs for managing SDDC cannot be executed from the SDDC Manager Dashboard

    You cannot use the API Explorer in the SDDC Manager Dashboard to execute the APIs for managing SDDC (/v1/sddc).

    Workaround: None. These APIs can only be executed using the Cloud Builder as the host.

  • SDDC Manager cannot manage the passwords for the NSX Edges and UDLR/DLR deployed to support application virtual networking

    These passwords are not managed through the SDDC Manager Dashboard.

    Workaround: Refer to the NSX Data Center for vSphere documentation for information about how to update these passwords.

Workload Domain Known Issues

  • Adding host fails when host is on a different VLAN

    A host add operation can sometimes fail if the host is on a different VLAN.

    Workaround:

    1. Before adding the host, add a new portgroup to the VDS for that cluster.
    2. Tag the new portgroup with the VLAN ID of the host to be added.
    3. Add the Host. This workflow fails at the "Migrate host vmknics to dvs" operation.
    4. Locate the failed host in vCenter, and migrate the vmk0 of the host to the new portgroup you created in step 1. For more information, see Migrate VMkernel Adapters to a vSphere Distributed Switch in the vSphere product documentation.
    5. Retry the Add Host operation.

    NOTE: If you later remove this host in the future, you must manually remove the portgroup as well if it is not being used by any other host.

  • NSX Manager for VI workload domain is not displayed in vCenter

    Although NFS-based VI workload domains are created successfully, the NSX Manager VM is not registered in vCenter Server and is not displayed in vCenter.

    Workaround: To resolve this issue, use the following procedure:

    1. Log in to NSX Manager (http://<nsxmanager IP>).
    2. Navigate to Manage > NSX Management Service.
    3. Un-register the lookup service and vCenter, then re-register.
    4. Close the browser and log in to vCenter.

  • A vCenter Server on which certificates have been rotated is not accessible from a Horizon workload domain

    VMware Cloud Foundation does not support the certificate rotation on the Horizon workload domains.

    Workaround: See KB article 70956.

  • Deploying partner services on an NSX-T workload domain displays an error

    Deploying partner services on an NSX-T workload domain such as McAfee or Trend displays the “Configure NSX at cluster level to deploy Service VM” error.

    Workaround: Attach the Transport node profile to the cluster and try deploying the partner service. After the service is deployed, detach the transport node profile from the cluster.

  • If the witness ESXi version does not match with the host ESXi version in the cluster, vSAN cluster partition may occur

    vSAN stretch cluster workflow does not check the ESXi version of the witness host. If the witness ESXi version does not match the host version in the cluster, then vSAN cluster partition may happen.

    Workaround:

    1. Upgrade the witness host manually with the matching ESXi version using the vCenter VUM functionality.
    2. Replace or deploy the witness appliance matching with the ESXi version.

  • vSAN partition and critical alerts are generated when the witness MTU is not set to 9000

    If the MTU of the witness switch in the witness appliance is not set to 9000, the vSAN stretch cluster partition may occur.

    Workaround: Set the MTU of the witness switch in the witness appliance to 9000 MTU.

  • The certificate rotate operation on the second NSX-T domain fails

    Certificate rotation works on the first NSX-T workload domain in your environment, but fails on all subsequent NSX-T workload domains.

    Workaround: None

  • Operations on NSX-T workload domains fails if their host FQDNs include uppercase letters

    If the FQDNs of ESXi hosts in an NSX-T workload domain include uppercase letters, then the following operations may fail for the workload domain:

    • Add a host
    • Remove a host
    • Add a cluster
    • Remove a cluster
    • Delete the workload domain

    Workaround: See KB 76553.

  • Creating an NSX-T workload domain fails on the task "Add management domain vCenter as compute manager"

    This can happen if a previous attempt to create an NSX-T workload domain failed and Cloud Foundation was unable to clean up after the failed task.

    Workaround: Manually remove the NSX-T Data Center extension from the management vCenter Server and try to create the NSX-T workload domain again. See Remove NSX-T Data Center Extension from vCenter Server.

  • VI workload domain creation or expansion operations fail

    If there is a mismatch between the letter case (upper or lower) of an ESXi host's FQDN and the FQDN used when the host was commissioned, then workload domain creation and expansion may fail.

    Workaround: ESXi hosts should have lower case FQDNs and should be commissioned using lower case FQDNs.

  • Cluster is deleted even if VMs are up and running on the cluster

    When you delete a cluster, it gets deleted even if there are VMs running on the cluster. This includes critical VMs such as Edge VMs, which may prevent you from accessing your environment after the cluster gets deleted.

    Workaround: Migrate the VMs to a different cluster before deleting the cluster.

  • Workload domain operations fail if cluster upgrade is in progress

    Workload domain operations cannot be performed if one or more clusters are being upgraded. The UI does not block such oeprations during an upgrade.

    Workaround: Do not perform any operations on the workload domain when a cluster upgrade is in progress.

Security Operations Known Issues

  • Addition of members from PKS UAA to Harbor library fails when the certificate verification is enabled

    This issue occurs when Harbor does not honor the certificate chain under System Settings > Registry Root Certificate.

    Workaround:

    1. SSH into the SDDC Manager VM as the vcf user.
    2. Run the following command. Make sure to update the password of the admin user and the Harbor URL: curl -k -H'Content-type: application/json' -u admin:"< >" -XPUT https://harbor.vrack.vsphere.local/api/configurations -d '{"uaa_verify_cert":"false"}'

    Harbor is in the UAA authentication mode and it uses members from PKS UAA.

    To create a user in UAA:

    1. Connect through SSH to Ops Manager appliance
    2. Run the following:

    uaac target https://pks.vrack.vsphere.local:8443 --skip-ssl-validation

    uaac token client get admin

    uaac user add <<user-name> > --emails <<email> >

Multi-Instance Management Known Issues

  • Federation creation information not displayed if you leave the Multi-Instance Management Dashboard

    Federation creation progress is displayed on the Multi-Instance Management Dashboard. If you navigate to another screen and then return to the Multi-Instance Management Dashboard, progress messages are not displayed. Instead, an empty map with no Cloud Foundation instances are displayed until the federation is created.

    Workaround: Stay on the Multi-Instance Dashboard till the task is complete. If you have navigated away, wait for around 20 minutes and then return to the dashboard by which time the operation should have completed.

  • The federation creation progress is not displayed

    While federation creation is in progress, the SDDC manager UI displays the progress on the multi-site page. If you navigate into any other screen and come back to the multi-site screen, the progress messages are not displayed. An empty map with no VMware Cloud Foundation instances is displayed until the federation creation process completes.

    Workaround: None

  • Multi-Instance Management Dashboard operation fails

    After a controller joins or leaves a federation, Kafka is restarted on all controllers in the federation. It can take up to 15 minutes for the federation to stabilize. Any operations performed on the dashboard during this time may fail.

    Workaround: Re-try the operation.

API Known Issues

  • Unversionsed APIs are not Supported

    Unversioned APIs in Cloud Foundation have been deprecated.

    Use Cloud Foundation public APIs.

check-circle-line exclamation-circle-line close-line
Scroll to top icon