VMware Cloud Foundation | 29 AUG 2023

Async Patch Tool | 29 AUG 2023 | Build 22310615

Check for additions and updates to these release notes.

What's New

The Async Patch Tool is a utility that allows you to apply critical patches to certain VMware Cloud Foundation components (NSX Manager, vCenter Server, and ESXi) outside of VMware Cloud Foundation releases. The Async Patch Tool also supports ESXi and VxRail Manager patching of VMware Cloud Foundation on VxRail and is supported with VMware Cloud Foundation 4.2.1 and later.

If you are upgrading an async patched system from VMware Cloud Foundation 4.x to 4.y, you must use the Async Patch Tool to enable the upgrade (-r, --enableVCFUpgrade). If you are upgrading an async patched system from VMware Cloud Foundation 4.x to 5.x, you do not need to use the Async Patch Tool to enable the upgrade. For more information, see the Async Patch Tool documentation.

See KB 88287 for information about which async patches are supported with your version of VMware Cloud Foundation. The Knowledge Base article also includes information about supported upgrade paths for VMware Cloud Foundation instances that include an async patch.

Resolved Issues

  • Offline Use Case: Rerun of a failed enable patch workflow errors out due to unavailability of VxRail bundle.

  • Async Patch tool enable patch precheck fails with error -ENABLE_PATCH_PRECHECK_FAILED -Unexpected exception thrown: null

Known Issues

  • Workload Domain enabled 7.0.451 async patch failed with error "Incompatible products found"

    On environments with SDDC Manager updated to 5.0, enabling VxRail Manager patches may fail during the AP tool interoperability validations (at the Writing ESXi product step).

    Workaround:

    1. Log in to SDDC Manager.

    2. Switch to the root user.

    3. Change directory to /opt/vmware/vcf/lcm/lcm-app/conf.

    4. In the Lifecycle Management application-prod.properties file, add the following property (to exclude ESX_HOST from the supported product types):


    5. Restart LCM.

    6. Restart the enable patch workflow from the AP tool.

  • Bundle clean up script fails to clean up async patch bundle on vLCM based clusters

    AP Tool disable all fails to clean up async patch bundle on vLCM based clusters with error BUNDLE_CLEANUP_FAILED.

    Workaround: See KB 89719.

  • Async patch is not available to apply in the SDDC Manager UI

    After you use the Async Patch Tool to enable a patch and successfully upload the patch to the internal LCM repository on the SDDC Manager appliance, you may not be able to apply the patch. This can happen if a workload domain is in a failed state.

    Workaround: In the SDDC Manager UI, perform a precheck on all the workload domains where you intend to apply the patch and resolve any reported issues. After resolving the issues, the async patch bundle should become available to apply.

  • The SDDC Manager UI displays an unexpected source version when upgrading SDDC Manager

    After enabling upgrade for a VMware Cloud Foundation instance that includes an async patch, the SDDC Manager UI displays an unexpected source version for SDDC Manager. For example, if you apply an async patch to your VMware Cloud Foundation 4.2.1 instance and then enable an upgrade to VMware Cloud Foundation, the SDDC Manager UI shows an unexpected version as the source version (instead of the expected source version of SDDC Manager).

    Workaround: None. This is a cosmetic issue and has no impact on the upgrade.

  • It is not clear in the UI which bundle is the async patch bundle when other SDDC Manager bundles are available

    If other SDDC Manager bundles are uploaded onto the SDDC Manager appliance, they might be displayed alongside the async patch bundle you have enabled (uploaded) using the Async Patch Tool in the "Available Updates" section of the UI. The async patch bundle might have a title similar to the other bundles, which makes it harder to locate.

    Workaround: The uploaded async patch bundle can be identified by the following:

    • It will be the only "VMware Software Update" bundle in the list.

    • The bundle details have a Bundle ID with a suffix of -apTool to signify it is an async patch enabled by Async Patch Tool.

  • Async Patch Tool -l,--listAsyncPatch option fails

    Using the --productType, --ptype option with the -l, --listAsyncPatch option fails, unless you also provide a --sku.

    Workaround: Use both --productType, --ptype and --sku options when running the command to list async patches. For example:

    ./vcf-async-patch-tool --listAsyncPatch --depotUser user@vmware.com --productType VCENTER --sku VCF

  • Async Patch Tool fails with FAILED_VCF_PERMISSIONS_ON_SDDC_OUTPUT_DIRECTORY or RUNNING_ROOT_OPERATIONS_FAILED when running on a security-hardened SDDC Manager

    When running certain Async Patch workflows on an SDDC Manager that has been hardened following the VMware Cloud Foundation Security Technical Implementation Guide (STIG), the Async Patch Tool fails when attempting to run certain operations as the root user. The AP tool logs report "Received non-empty output for command that expect empty output".

    Workaround: Contact VMware Support.

  • Async patch bundles display non-standard version numbers in the SDDC Manager UI

    Async patch bundles include non-standard version numbers wherever information about the bundles is displayed in the SDDC Manager UI. For example, Version 1.1.1-000001 or Required Version 1.2.0-123456.

    (Screenshots omitted: Async Patch Bundle Versioning, showing the Product Version and the Required Version fields for the NSX Manager, ESXi, and vCenter Server async patch bundles.)

    The non-standard version numbering does not apply to VxRail.

    Workaround: None. This is by design and ensures that async patches are prioritized and applied in the correct order.

  • Update history information for workload domains does not contain all updates

    When you deactivate all async patches from the SDDC Manager appliance, any update history for previously enabled or applied async patches is lost. No update history will be visible from the SDDC Manager UI or in the VMware Cloud Foundation API response. Deactivating all patches happens implicitly when you run the Async Patch Tool with the enable VCF upgrade option (-r, --enableVCFUpgrade). If you previously enabled an async patch, you must disable all patches before you can run the Async Patch Tool with the enable patch option (-e, --enableAsyncPatch) again.

    Workaround: View the Async Patch Tool upgrade_history logs to review the entire async patch update history. Logs are located in the /var/log/vmware/vcf/lcm/tools/asyncpatchtool directory on the SDDC Manager appliance.

  • Older install or upgrade bundles appear as available to download

    If SDDC Manager is connected to the VMware Depot, and you enable an async patch, older bundles, that are not required, may appear as available for download in the SDDC Manager UI (Lifecycle Management > Bundle Management > Bundles). For example, if you enable an async patch for vCenter Server 7.0 Update 3d, the bundle for vCenter Server 7.0 Update 2c may appear as available for download.

    Workaround: Remove the bundles that you do not require.

    1. Get the bundle ID for the bundle you want to remove.

      1. In the SDDC Manager UI, browse to Lifecycle Management > Bundle Management > Bundles.

      2. Find the bundle you want to remove and click View Details.

      3. Copy the bundle ID.

    2. SSH in to the SDDC Manager appliance using the vcf user account.

    3. Enter su to switch to the root user.

    4. Enter the following command, replacing <bundle id> with the bundle ID from step 1:

       python /opt/vmware/vcf/lcm/lcm-app/bin/bundle_cleanup.py <bundle id>
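As an added example (not VMware's code and not part of the Async Patch Tool), the following Python script applies the two identification rules from the "It is not clear in the UI which bundle is the async patch bundle" issue above to a bundle list, and proposes superseded standard bundles as candidates for the bundle_cleanup.py step of this workaround. The record layout and every ID, product label, and build number in it are constructed assumptions; only the "-apTool" suffix, the "VMware Software Update" bundle type, and the bundle_cleanup.py path come from these release notes. The superseded check generalizes the vCenter Server 7.0 Update 2c case: for each product it flags every standard bundle whose version is below that product's newest standard bundle, leaving the async patch bundle (with its non-standard version number) out of the comparison.

```python
"""Pick the async patch bundle out of an SDDC Manager bundle list and propose
older standard bundles for bundle_cleanup.py (example code, not the AP tool's)."""
import re
from typing import Dict, List, Tuple

# Hypothetical bundle records. The field names (id, type, product, version) are
# an assumption about what you would copy from the Bundles view; the IDs, build
# numbers, and product labels are constructed for this example only.
SAMPLE_BUNDLES: List[Dict[str, str]] = [
    {"id": "3c1d2e4f-1111-4aaa-8bbb-000000000001", "type": "Patch",
     "product": "VCENTER", "version": "7.0.3-19480866"},
    {"id": "3c1d2e4f-1111-4aaa-8bbb-000000000002", "type": "Patch",
     "product": "VCENTER", "version": "7.0.2-18356314"},
    {"id": "3c1d2e4f-1111-4aaa-8bbb-000000000003", "type": "Patch",
     "product": "ESX_HOST", "version": "7.0.3-19193900"},
    {"id": "3c1d2e4f-1111-4aaa-8bbb-000000000004-apTool",
     "type": "VMware Software Update", "product": "VCENTER",
     "version": "1.2.0-123456"},
]

# Path from the workaround in these release notes.
BUNDLE_CLEANUP = "/opt/vmware/vcf/lcm/lcm-app/bin/bundle_cleanup.py"


def version_key(version: str) -> Tuple[int, ...]:
    """Turn "7.0.3-19480866" or the AP scheme "1.2.0-123456" into a comparable
    tuple of ints. Leading zeros in the AP build field are insignificant."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_async_patch_bundle(bundle: Dict[str, str]) -> bool:
    """Both markers from the release notes must hold: the "-apTool" ID suffix
    and the "VMware Software Update" bundle type."""
    return (bundle["id"].endswith("-apTool")
            and bundle["type"] == "VMware Software Update")


def async_patch_bundles(bundles: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """The notes say the enabled async patch is the only "VMware Software
    Update" bundle; if more than one comes back, something is off."""
    return [b for b in bundles if is_async_patch_bundle(b)]


def superseded_bundle_ids(bundles: List[Dict[str, str]]) -> List[str]:
    """For each product, every standard (non-AP) bundle whose version is below
    the newest standard bundle of that product. These are only candidates:
    confirm against your upgrade path before removing anything."""
    standard = [b for b in bundles if not is_async_patch_bundle(b)]
    newest: Dict[str, Tuple[int, ...]] = {}
    for b in standard:
        key = version_key(b["version"])
        if key > newest.get(b["product"], ()):
            newest[b["product"]] = key
    return [b["id"] for b in standard
            if version_key(b["version"]) < newest[b["product"]]]


def cleanup_commands(bundle_ids: List[str]) -> List[str]:
    """Render the per-bundle command from the workaround (to be run as root on
    the SDDC Manager appliance after su from the vcf account)."""
    return [f"python {BUNDLE_CLEANUP} {bid}" for bid in bundle_ids]


if __name__ == "__main__":
    for b in async_patch_bundles(SAMPLE_BUNDLES):
        print(f"async patch bundle: {b['id']} (version {b['version']})")
    for cmd in cleanup_commands(superseded_bundle_ids(SAMPLE_BUNDLES)):
        print("candidate cleanup:", cmd)
```

Treat the output as a review list, not a deletion list: an older bundle can still be required by a multi-step upgrade path, and the async patch bundle itself is never compared or proposed for removal here.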
