Release Date: MAR 18, 2021

Build Details

Download Filename:	ESXi670-202103001.zip
Build:	17700523
Download Size:	476.7 MB
md5sum:	26f177706bce4a0432d9e8af016a5bad
sha1checksum:	0263a25351d003d34321a062b391d9fe5c312bd2
Host Reboot Required:	Yes
Virtual Machine Migration or Shutdown Required:	Yes

Bulletins

Bulletin ID	Category	Severity
ESXi670-202103401-BG	Bugfix	Critical
ESXi670-202103402-BG	Bugfix	Important
ESXi670-202103403-BG	Bugfix	Important
ESXi670-202103101-SG	Security	Important
ESXi670-202103102-SG	Security	Moderate
ESXi670-202103103-SG	Security	Moderate

Rollup Bulletin

This rollup bulletin contains the latest VIBs with all the fixes since the initial release of ESXi 6.7.

Bulletin ID	Category	Severity
ESXi670-202103001	Bugfix	Critical

IMPORTANT: For clusters using VMware vSAN, you must first upgrade the vCenter Server system. Upgrading only the ESXi hosts is not supported.
Before an upgrade, always verify in the VMware Product Interoperability Matrix compatible upgrade paths from earlier versions of ESXi, vCenter Server and vSAN to the current version.

Image Profiles

VMware patch and update releases contain general and critical image profiles. Application of the general release image profile applies to new bug fixes.

Image Profile Name

ESXi-6.7.0-20210304001-standard

ESXi-6.7.0-20210304001-no-tools

ESXi-6.7.0-20210301001s-standard

ESXi-6.7.0-20210301001s-no-tools

For more information about the individual bulletins, see the Download Patches page and the Resolved Issues section.

Patch Download and Installation

The typical way to apply patches to ESXi hosts is by using the VMware vSphere Update Manager. For details, see the About Installing and Administering VMware vSphere Update Manager.

You can update ESXi hosts by manually downloading the patch ZIP file from the VMware download page and installing VIBs by using the esxcli software vib update command. Additionally, you can update the system by using the image profile and the esxcli software profile update command.

For more information, see the vSphere Command-Line Interface Concepts and Examples and the vSphere Upgrade Guide.

Resolved Issues

The resolved issues are grouped as follows.

ESXi670-202103401-BG
ESXi670-202103402-BG
ESXi670-202103403-BG
ESXi670-202103101-SG
ESXi670-202103102-SG
ESXi670-202103103-SG
ESXi-6.7.0-20210304001-standard
ESXi-6.7.0-20210304001-no-tools
ESXi-6.7.0-20210301001s-standard
ESXi-6.7.0-20210301001s-no-tools

ESXi670-202103401-BG

Patch Category	Bugfix
Patch Severity	Critical
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMware_bootbank_vsan_6.7.0-3.143.17661912 VMware_bootbank_esx-update_6.7.0-3.143.17700523 VMware_bootbank_esx-base_6.7.0-3.143.17700523 VMware_bootbank_vsanhealth_6.7.0-3.143.17665851
PRs Fixed	2677275, 2664834, 2678794, 2681680, 2649392, 2680976, 2681253, 2701199, 2687411, 2664504, 2684836, 2687729, 2685806, 2683749, 2713397, 2706021, 2710158, 2669702, 2660017, 2685772, 2704741, 2645044, 2683393, 2678705, 2693303, 2695382, 2678639, 2679986, 2713569, 2682261, 2652285, 2697898, 2681921, 2691872, 2719154, 2711959, 2681786, 2659768, 2663643
CVE numbers	N/A

Updates esx-base, esx-update, vsan, and vsanhealth VIBs to resolve the following issues:

PR 2677275: If the Xorg process fails to restart while an ESXi host exits maintenance mode, the hostd service might become unresponsive
If the Xorg process fails to restart while an ESXi host exits maintenance mode, the hostd service might become unresponsive as it cannot complete the exit operation.

This issue is resolved in this release.
PR 2664834: A storage outage might cause errors in your environment due to a disk layout issue in virtual machines
After a brief storage outage, it is possible that upon recovery of the virtual machines, the disk layout is not refreshed and remains incomplete. As a result, you might see errors in your environment. For example, in the View Composer logs in a VMware Horizon environment, you might see a repeating error such as InvalidSnapshotDiskConfiguration.

This issue is resolved in this release.
PR 2678794: An ESX host becomes unresponsive due to failure of the hostd service
A missing NULL check in a vim.VirtualDiskManager.revertToChildDisk operation triggered by VMware vSphere Replication on virtual disks that do not support this operation might cause the hostd service to fail. As a result, the ESXi host loses connectivity to the vCenter Server system.

This issue is resolved in this release.
PR 2681680: If you disable RC4, Active Directory user authentication on ESXi hosts might fail
If you disable RC4 from your Active Directory configuration, user authentication to ESXi hosts might start to fail with Failed to authenticate user errors.

This issue is resolved in this release.
PR 2649392: Insufficient heap of a DvFilter agent might cause virtual machine migration by using vSphere vMotion to fail
The DVFilter agent uses a common heap to allocate space for both its internal structures and buffers, as well as for the temporary allocations used for moving the state of client agents during vSphere vMotion operations.
In some deployments and scenarios, the filter states can be very large in size and exhaust the heap during vSphere vMotion operations.
In the vmkernel logs, you see an error such as Failed waiting for data. Error bad0014. Out of memory.

This issue is resolved in this release.
PR 2680976: The hostd service might fail due to missing data while creating a ContainerView managed object
If not all data required for the creation of a ContainerView managed object is available during the VM Object Management Infrastructure session, the hostd service might fail.

This issue is resolved in this release. If you already face the issue, remove the third-party solution that you use to create ContainerView objects.
PR 2681253: An ESXi host might fail with a purple diagnostic screen due to a race condition in container ports
Due to a rare race condition, when a container port tries to re-acquire a lock it already holds, an ESXi host might fail with a purple diagnostic screen while virtual machines with container ports power off. You see a backtrace such as:
gdb) bt #0 LockCheckSelfDeadlockInt (lck=0x4301ad7d6094) at bora/vmkernel/core/lock.c:1820 #1 0x000041801a911dff in Lock_CheckSelfDeadlock (lck=0x4301ad7d6094) at bora/vmkernel/private/lock.h:598 #2 MCSLockRWContended (rwl=rwl@entry=0x4301ad7d6080, writer=writer@entry=1 '\001', downgrade=downgrade@entry=0 '\000', flags=flags@entry=MCS_ALWAYS_LOCK) at bora/vmkernel/main/mcslock.c:2078 #3 0x000041801a9124fd in MCS_DoAcqWriteLockWithRA (rwl=rwl@entry=0x4301ad7d6080, try=try@entry=0 '\000', flags=flags@entry=MCS_ALWAYS_LOCK, ra= ) at bora/vmkernel/main/mcslock.c:2541 #4 0x000041801a90ee41 in MCS_AcqWriteLockWithFlags (ra= , flags=MCS_ALWAYS_LOCK, rwl=0x4301ad7d6080) at bora/vmkernel/private/mcslock.h:1246 #5 RefCountBlockSpin (ra=0x41801aa753ca, refCounter=0x4301ad7d6070) at bora/vmkernel/main/refCount.c:565 #6 RefCountBlock (refCounter=0x4301ad7d6070, ra=ra@entry=0x41801aa753ca) at bora/vmkernel/main/refCount.c:646 #7 0x000041801aa3c0a8 in RefCount_BlockWithRA (ra=0x41801aa753ca, refCounter= ) at bora/vmkernel/private/refCount.h:793 #8 Portset_LockExclWithRA (ra=0x41801aa753ca, ps=0x4305d081c010) at bora/vmkernel/net/portset.h:763 #9 Portset_GetPortExcl (portID=1329) at bora/vmkernel/net/portset.c:3254 #10 0x000041801aa753ca in Net_WorldCleanup (initFnArgs= ) at bora/vmkernel/net/vmkernel_exports.c:1605 #11 0x000041801a8ee8bb in InitTable_Cleanup (steps=steps@entry=0x41801acaa640, numSteps=numSteps@entry=35, clientData=clientData@entry=0x451a86f9bf28) at bora/vmkernel/main/initTable.c:381 #12 0x000041801a940912 in WorldCleanup (world= ) at bora/vmkernel/main/world.c:1522 #13 World_TryReap (worldID= ) at bora/vmkernel/main/world.c:6113 #14 0x000041801a90e133 in ReaperWorkerWorld (data= ) at bora/vmkernel/main/reaper.c:425 #15 0x000041801ab107db in CpuSched_StartWorld (destWorld= , previous= ) at bora/vmkernel/sched/cpusched.c:11957 #16 0x0000000000000000 in ?? ()

This issue is resolved in this release.
PR 2701199: Virtual machines might power off during an NFS server failover
During an NFS server failover, the client reclaims all open files. In rare cases, the reclaim operation fails and virtual machines power off, because the NFS server rejects failed requests.

This issue is resolved in this release. The fix makes sure that reclaim requests succeed.
PR 2687411: You might not see NFS datastores using a fault tolerance solution by Nutanix mounted in a vCenter Server system after an ESXi host reboots
You might not see NFS datastores using a fault tolerance solution by Nutanix mounted in a vCenter Server system after an ESXi host reboots. However, you can see the volumes in the ESXi host.

This issue is resolved in this release.
PR 2664504: vSAN host fails while resizing or disabling large cache
vSAN hosts running in a non-preemptible context might tax the CPU when freeing up 256Gb or more of memory in the cache buffer. The host might fail with a purple diagnostic screen.

This issue is resolved in this release.
PR 2684836: If you use large block sizes, I/O bandwidth might drop
In some configurations, if you use block sizes higher than the supported max transfer length of the storage device, you might see a drop in the I/O bandwidth. The issue occurs due to buffer allocations in the I/O split layer in the storage stack that cause a lock contention.

This issue is resolved in this release. The fix optimizes the I/O split layer to avoid new buffer allocations. However, the optimization depends on the buffers that the guest OS creates while issuing I/O and might not work in all cases.
PR 2687729: ESXi hosts might fail with a purple diagnostic screen due to stuck I/O traffic
If a high priority task holds a physical CPU for a long time, I/O traffic might stop and eventually cause the ESXi host to fail with a purple diagnostic screen. In the backtrace, you see a message such as WARNING: PLOG: PLOGStuckIOCB:7729: Stuck IOs detected on vSAN device:xxx.

This issue is resolved in this release.
PR 2685806: Booting ESXi on hosts with a large number of VMFS datastores might take long
If you have set up a virtual flash resource by using the Virtual Flash File System (VFFS), booting an ESXi hosts with a large number of VMFS datastores might take long. The delay is due to the process of comparing file types, VFFS and VMFS.

This issue is resolved in this release. The fix removes the file types comparison.
PR 2683749: Virtual machines with a virtual network device might randomly become unresponsive without a backtrace
In rare cases, virtual machines with a virtual network device might randomly become unresponsive and you need to shut them down. Attempts to generate a coredump for diagnostic reasons fail.

This issue is resolved in this release.
PR 2713397: After the hostd service restarts, the bootTime property of an ESXi host might change
Boot time is recalculated on every start of the hostd service. The VMkernel only provides the uptime of the ESXi host. Timers do not move synchronously and as a result, on hostd restart, the boot time might change, back or forth.

This issue is resolved in this release.
PR 2706021: vSAN reports component creation failure when available capacity exceeds required capacity
When vSAN reports that the required capacity is less than the available capacity, the corresponding log message might be misleading. The values reported for Required space and Available space might be incorrect.

This issue is resolved in this release.
PR 2710158: You must manually add the claim rules to an ESXi host for FUJITSU ETERNUS storage
You must manually add the claim rules to an ESXi host for FUJITSU ETERNUS AB/HB Series storage arrays.

This issue is resolved in this release. This fix sets Storage Array Type Plugin (SATP) to VMW_SATP_ALUA, Path Selection Policy (PSP) to VMW_PSP_RR, and Claim Options to tpgs_on as default for FUJITSU ETERNUS AB/HB Series storage arrays.
PR 2669702: A vSAN host might fail with a purple diagnostic screen due to slab metadata corruption
A vSAN host might fail with a purple diagnostic screen due to a Use-After-Free (UAF) error in the LSOM/VSAN slab. You can observe the issue in the following stack:
cpu11:2100603)0x451c5f09bd68:[0x418027d285d2]vmk_SlabAlloc@vmkernel#nover+0x2e stack: 0x418028f981ba, 0x0, 0x431d231dbae0, 0x451c5f09bde8, 0x459c836cb960 cpu11:2100603)0x451c5f09bd70:[0x418028f5e28c][email protected]#0.0.0.1+0xd stack: 0x0, 0x431d231dbae0, 0x451c5f09bde8, 0x459c836cb960, 0x431d231f7c98 cpu11:2100603)0x451c5f09bd80:[0x418028f981b9]LSOM_Alloc@LSOMCommon#1+0xaa stack: 0x451c5f09bde8, 0x459c836cb960, 0x431d231f7c98, 0x418028f57eb3, 0x431d231dbae0 cpu11:2100603)0x451c5f09bdb0:[0x418028f57eb2][email protected]#0.0.0.1+0x5f stack: 0x1, 0x459c836cb960, 0x418029164388, 0x41802903c607, 0xffffffffffffffff cpu11:2100603)0x451c5f09bde0:[0x41802903c606][email protected]#0.0.0.1+0x87 stack: 0x459c836cb740, 0x0, 0x43218d3b7c00, 0x43036e815070, 0x451c5f0a3000 cpu11:2100603)0x451c5f09be20:[0x418029165075][email protected]#0.0.0.1+0xfa stack: 0x0, 0x418027d15483, 0x451bc0580000, 0x418027d1c57a, 0x26f5abad8d0ac0 cpu11:2100603)0x451c5f09bf30:[0x418027ceaf52]HelperQueueFunc@vmkernel#nover+0x30f stack: 0x431d231ba618, 0x431d231ba608, 0x431d231ba640, 0x451c5f0a3000, 0x431d231ba618 cpu11:2100603)0x451c5f09bfe0:[0x418027f0eaa2]CpuSched_StartWorld@vmkernel#nover+0x77 stack: 0x0, 0x0, 0x0, 0x0, 0x0

This issue is resolved in this release.
PR 2660017: In the vSphere Client, you see hardware health warning with status Unknown
In the vSphere Client, you see hardware health warning with status Unknown for some sensors on ESXi hosts.

This issue is resolved in this release. Sensors that are not supported for decoding are ignored and are not included in system health reports.
PR 2685772: The wsman service might become unresponsive and stop accepting incoming requests until restarted
Due to internal memory leaks, the memory usage of the wsman service on some servers might increase beyond the max limit of 23 MB. As a result, the service stops accepting incoming requests until restarted. The issue affects Dell and Lenovo servers.

This issue is resolved in this release. However, the fix applies specifically to Dell servers.
PR 2704741: The hostd service intermittently becomes unresponsive and virtual machine snapshots time out
In some environments, the vSphere Storage Appliance (VSA) plug-in, also known as Security Virtual Appliance (SVA), might cause the hostd service to become intermittently unresponsive during the creation of a TCP connection. In addition, virtual machine snapshots might time out. VSA is not supported since 2014.

This issue is resolved in this release. For earlier versions, remove the plug-in is removed from /usr/lib/vmware/nas_plugins/lib64 and /usr/lib/vmware/nas_plugins/lib32 after every ESXi reboot.
PR 2645044: An unlocked spinlock might cause an ESXi host to fail with a purple diagnostic screen when restarting a virtual machine on a MSCS cluster
In rare cases, an unlocked spinlock might cause an ESXi host to fail with a purple diagnostic screen when restarting a virtual machine that is part of a Microsoft Cluster Service (MSCS) cluster. If you have VMware vSphere High Availability enabled in your environment, the issue might affect many ESXi hosts, because vSphere HA tries to power on the virtual machine in other hosts.

This issue is resolved in this release.
PR 2683393: A vSAN host might fail with a purple diagnostic screen due to slab allocation issue
When a slab allocation failure is not handled properly in the RCRead path, a vSAN host might fail with a purple diagnostic screen. You see a warning such as: bora/modules/vmkernel/lsom/rc_io.c:2115 -- NOT REACHED.

This issue is resolved in this release.
PR 2678705: The VMXNET3 driver does not copy trailing bytes of TCP packets, such as Ethernet trailers, to guest virtual machines
The VMXNET3 driver copies and calculates the checksums from the payload indicated in the IP total length field. However, VMXNET3 does not copy any additional bytes after the payload that are not included in the length field and such bytes do not pass to guest virtual machines. For example, VMXNET3 does not copy and pass Ethernet trailers.

This issue is resolved in this release.
PR 2693303: Transient errors due to faulty vSAN device might cause latency and congestion
When a storage device in a vSAN disk group has a transient error due to read failures, Full Rebuild Avoidance (FRA) might not be able to repair the device. In such cases, FRA does not perform relog, which might lead to a log build up at PLOG, causing congestion and latency issues.

This issue is resolved in this release.
PR 2695382: Booting virtual machines with BIOS firmware from a network interface takes long
When you boot virtual machines with BIOS firmware from a network interface, interactions with the different servers in the environment might take long due to a networking issue. This issue does not impact network performance during guest OS runtime.

This issue is resolved in this release.
PR 2678639: If a physical port in a link aggregation group goes down or restarts, link aggregation might be temporarily unstable
If a physical port in a link aggregation group goes down or restarts, but at the same time an ESXi host sends out of sync LACP packet to the physical switch, the vmnic might also go down. This might cause link aggregation to be temporarily unstable.

This issue is resolved in this release.
PR 2679986: During vSphere vMotion operations to NFS datastores, virtual machines might become unresponsive for around 40 seconds
During vSphere vMotion operations to NFS datastores, the NFS disk-based lock files might not be deleted. As a result, virtual machines on the destination host become unresponsive for around 40 seconds.

This issue is resolved in this release. The fix ensures lock files are removed from disks during vSphere vMotion operations.
PR 2713569: You do not see vCenter Server alerts in the vSphere Client and the vSphere Web Client
If you use the /bin/services.sh restart command to restart vCenter Server management services, the vobd daemon, which is responsible for sending ESXi host events to vCenter Server, might not restart. As a result, you do not see alerts in the vSphere Client and the vSphere Web Client.

This issue is resolved in this release. The fix makes sure than the vobd daemon does not shut down when using the /bin/services.sh restart.
PR 2682261: If vSphere HA restarts or fails over, a virtual machine vNIC might disconnect from the network
In rare occasions, when vSphere HA restarts or fails over, a virtual machine on the vSphere HA cluster might lose connectivity with an error such as VMXNET3 user: failed to connect 'Ethernet0' to DV Port 'xx'.

This issue is resolved in this release.
PR 2652285: If a middlebox or a TCP proxy removes the timestamp option in the SYN-ACK phase, the TCP connection to an ESXi host fails
TCP uses a 3-step synchronize (SYN) and acknowledge (ACK) process to establish connections, SYN, SYN-ACK and ACK of the SYN-ACK. Options such as TCP timestamps are negotiated as part of this process. For traffic optimization reasons, middleboxes or TCP proxies might remove the timestamp option in the SYN-ACK phase. As a result, such TCP connections to ESXi hosts reset and close. A packet capture shows an RST packet from the server, immediately after the TCP handshake.

This issue is fixed in this release.
PR 2697898: An ESXi host might fail with a purple diagnostic screen due to invalid value in the heap memory
A rare condition when an uninitialized field in the heap memory returns an invalid value for a VMFS resource cluster number might cause subsequent searches for this cluster on the VMFS volume to fail. As a result, the ESXi host fails with a purple diagnostic screen.

This issue is resolved in this release.
PR 2681921: An ESXi host might fail with a purple diagnostic screen while disconnecting from a vSphere Distributed Switch
A rare race condition of LAG port read locks might cause an ESXi host might fail with a purple diagnostic screen while disconnecting from a VDS.

This issue is resolved in this release.
PR 2691872: IORETRY queue exhaustion might cause I/O failures
Issuance of read I/Os by the vSAN read cache in order to fill 1 MB read cache lines of a hybrid vSAN array from a highly fragmented write buffer, might result in IORETRY splitting of all 64 KB read I/Os issued by the read cache into 16 4 KB I/Os. This might cause IORETRY queue exhaustion.

This issue is resolved in this release. You can change the default value of LSOM maxQueudIos from 25,000 to 100,000 by using the following command for each non-witness vSAN host:
esxcfg-advcfg --set 100000 /LSOM/maxQueudIos
The new value takes effect when the in-memory instance of each vSAN disk group is re-established, by re-mounting the disk groups or by rebooting the host.
PR 2719154: If vSAN datastore contains many idle VMs, you might see performance degradation on active VMs
If a vSAN datastore contains many powered off or suspended VMs that are not receiving any I/Os, active VMs on the vSAN datastore might experience performance degradation due to increasing LSOM memory congestion in vSAN.

This issue is resolved in this release.
PR 2711959: A vSAN host might fail with a purple diagnostic screen due to an object in a bad state
In rare cases, if you commit an object on a disk group, but the object appears as not committed after the vSAN host with that disk group reboots, vSAN might incorrectly consider the object to be in bad state. As a result, the vSAN host might fail with a purple diagnostic screen with a message such as:
Object <uuid> corrupted. lastCWLSN = <number>, pendingLSN = <number> PanicvPanicInt@vmkernel#nover+0x439 Panic_vPanic@vmkernel#nover+0x23 vmk_PanicWithModuleID@vmkernel#nover+0x41 [email protected]#0.0.0.1+0x6b3 [email protected]#0.0.0.1+0xa5 [email protected]#0.0.0.1+0xce [email protected]#0.0.0.1+0x5e1 vmkWorldFunc@vmkernel#nover+0x4f CpuSched_StartWorld@vmkernel#nover+0x77

This issue is resolved in this release.
PR 2681786: After a power cycle, a powered on virtual machine might show as powered off
If you set a power cycle flag by using the vmx.reboot.powerCycle=TRUE advanced setting during a hardware upgrade of virtual machines, the hostd service might lose track of the VMs power state. After the VMs reboot, hostd might report powered on VMs as powered off.

This issue is resolved in this release. The fix makes sure hostd keeps track of the power state of virtual machines across reboots during upgrades with the vmx.reboot.powerCycle=TRUE setting. If you already face the issue, reload all powered off VMs.
To reload all powered off VMs, use this command:
Get-View -ViewType VirtualMachine -Property Runtime.PowerState -Filter @{ "Runtime.PowerState" = "poweredOff" }).reload()
If you want to filter the powered off VMs by cluster, use this command:
$ClusterName = "MyClusterName" ; (Get-View -ViewType VirtualMachine -Property Runtime.PowerState -Filter @{ "Runtime.PowerState" = "poweredOff" } -SearchRoot $(Get-View -ViewType "ClusterComputeResource" -Property Name -Filter @{"Name"="$ClusterName"}).MoRef).reload()
PR 2659768: An ESXi host might become unresponsive due to a lock during virtual machine disk consolidation operations
During virtual machine disk consolidation operations, such as snapshot disk consolidation, the hostd service might hold a lock for a long time. As a result, hostd delays responds to other tasks and state requests. Consequently, if the disk consolidation task takes too long, the ESXi host becomes unresponsive.

This issue is resolved in this release.
PR 2663643: Virtual machines lose network connectivity after migration operations by using vSphere vMotion
If the UUID of a virtual machine changes, such as after a migration by using vSphere vMotion, and the virtual machine has a vNIC on an NSX-T managed switch, the VM loses network connectivity. The vNIC cannot reconnect.

This issue is resolved in this release.

ESXi670-202103402-BG

Patch Category	Bugfix
Patch Severity	Important
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_vmw-ahci_2.0.7-2vmw.670.3.143.17700523
PRs Fixed	2666166
CVE numbers	N/A

Updates the vmw-ahci VIB to resolve the following issue:

PR 2666166: ESXi hosts intermittently become unresponsive
One or more ESXi hosts might intermittently become unresponsive due to a race condition in the VMware AHCI SATA Storage Controller Driver. In the vmkernel.log file, you see a lot of messages such as:
…ahciAbortIO:(curr) HWQD: 0 BusyL: 0

This issue is resolved in this release.

ESXi670-202103403-BG

Patch Category	Bugfix
Patch Severity	Important
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_vmkusb_0.1-1vmw.670.3.143.17700523
PRs Fixed	2688190
CVE numbers	N/A

Updates the vmkusb VIB to resolve the following issue:

PR 2688190: If the process control I/O of an USB device exceeds 1K, I/O traffic to virtual machines on an ESXi host might fail
The ESXi USB driver, vmkusb, might fail to process control I/O that exceeds 1K. As a result, some USB devices cause failures of I/O traffic to virtual machines on an ESXi host.

This issue is resolved in this release.

ESXi670-202103101-SG

Patch Category	Security
Patch Severity	Important
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMware_bootbank_esx-update_6.7.0-3.139.17700514 VMware_bootbank_vsan_6.7.0-3.139.17598146 VMware_bootbank_vsanhealth_6.7.0-3.139.17598147 VMware_bootbank_esx-base_6.7.0-3.139.17700514
PRs Fixed	2704743
CVE numbers	N/A

Updates esx-base, esx-update, vsan, and vsanhealth VIB to resolve the following issues:

Update to the OpenSSH
The OpenSSH version is updated to 8.4p1.
Update to the Python library
The Python third-party library is updated to version 3.5.10.
Update to OpenSSL library
The ESXi userworld OpenSSL library is updated to version openssl-1.0.2x.

ESXi670-202103102-SG

Patch Category	Security
Patch Severity	Moderate
Host Reboot Required	No
Virtual Machine Migration or Shutdown Required	No
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMware_locker_tools-light_11.2.5.17337674-17700514
PRs Fixed	2713501
CVE numbers	N/A

Updates the tools-light VIB.

The following VMware Tools ISO images are bundled with ESXi 670-202103001:
- windows.iso: VMware Tools 11.2.5 supports Windows 7 SP1 or Windows Server 2008 R2 SP1 and later.
- linux.iso: VMware Tools 10.3.23 ISO image for Linux OS with glibc 2.11 or later.
The following VMware Tools ISO images are available for download:
- VMware Tools 10.0.12:
  - winPreVista.iso: for Windows 2000, Windows XP, and Windows 2003.
  - linuxPreGLibc25.iso: for Linux OS with a glibc version less than 2.5.
- VMware Tools 11.0.6:
  - windows.iso: for Windows Vista (SP2) and Windows Server 2008 Service Pack 2 (SP2).
- solaris.iso: VMware Tools image 10.3.10 for Solaris.
- darwin.iso: Supports Mac OS X versions 10.11 and later.
Follow the procedures listed in the following documents to download VMware Tools for platforms not bundled with ESXi:

ESXi670-202103103-SG

Patch Category	Security
Patch Severity	Moderate
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMware_bootbank_cpu-microcode_6.7.0-3.139.17700514
PRs Fixed	2673509
Related CVE numbers	N/A

This patch updates the cpu-microcode VIB.

The cpu-microcode VIB includes the following Intel microcode:

Code Name	FMS	Plt ID	MCU Rev	MCU Date	Brand Names
Nehalem EP	0x106a5	0x03	0x0000001d	5/11/2018	Intel Xeon 35xx Series; Intel Xeon 55xx Series
Lynnfield	0x106e5	0x13	0x0000000a	5/8/2018	Intel Xeon 34xx Lynnfield Series
Clarkdale	0x20652	0x12	0x00000011	5/8/2018	Intel i3/i5 Clarkdale Series; Intel Xeon 34xx Clarkdale Series
Arrandale	0x20655	0x92	0x00000007	4/23/2018	Intel Core i7-620LE Processor
Sandy Bridge DT	0x206a7	0x12	0x0000002f	2/17/2019	Intel Xeon E3-1100 Series; Intel Xeon E3-1200 Series; Intel i7-2655-LE Series; Intel i3-2100 Series
Westmere EP	0x206c2	0x03	0x0000001f	5/8/2018	Intel Xeon 56xx Series; Intel Xeon 36xx Series
Sandy Bridge EP	0x206d6	0x6d	0x00000621	3/4/2020	Intel Pentium 1400 Series; Intel Xeon E5-1400 Series; Intel Xeon E5-1600 Series; Intel Xeon E5-2400 Series; Intel Xeon E5-2600 Series; Intel Xeon E5-4600 Series
Sandy Bridge EP	0x206d7	0x6d	0x0000071a	3/24/2020	Intel Pentium 1400 Series; Intel Xeon E5-1400 Series; Intel Xeon E5-1600 Series; Intel Xeon E5-2400 Series; Intel Xeon E5-2600 Series; Intel Xeon E5-4600 Series
Nehalem EX	0x206e6	0x04	0x0000000d	5/15/2018	Intel Xeon 65xx Series; Intel Xeon 75xx Series
Westmere EX	0x206f2	0x05	0x0000003b	5/16/2018	Intel Xeon E7-8800 Series; Intel Xeon E7-4800 Series; Intel Xeon E7-2800 Series
Ivy Bridge DT	0x306a9	0x12	0x00000021	2/13/2019	Intel i3-3200 Series; Intel i7-3500-LE/UE; Intel i7-3600-QE; Intel Xeon E3-1200-v2 Series; Intel Xeon E3-1100-C-v2 Series; Intel Pentium B925C
Haswell DT	0x306c3	0x32	0x00000028	11/12/2019	Intel Xeon E3-1200-v3 Series; Intel i7-4700-EQ Series; Intel i5-4500-TE Series; Intel i3-4300 Series
Ivy Bridge EP	0x306e4	0xed	0x0000042e	3/14/2019	Intel Xeon E5-4600-v2 Series; Intel Xeon E5-2600-v2 Series; Intel Xeon E5-2400-v2 Series; Intel Xeon E5-1600-v2 Series; Intel Xeon E5-1400-v2 Series
Ivy Bridge EX	0x306e7	0xed	0x00000715	3/14/2019	Intel Xeon E7-8800/4800/2800-v2 Series
Haswell EP	0x306f2	0x6f	0x00000044	5/27/2020	Intel Xeon E5-4600-v3 Series; Intel Xeon E5-2600-v3 Series; Intel Xeon E5-2400-v3 Series; Intel Xeon E5-1600-v3 Series; Intel Xeon E5-1400-v3 Series
Haswell EX	0x306f4	0x80	0x00000016	6/17/2019	Intel Xeon E7-8800/4800-v3 Series
Broadwell H	0x40671	0x22	0x00000022	11/12/2019	Intel Core i7-5700EQ; Intel Xeon E3-1200-v4 Series
Avoton	0x406d8	0x01	0x0000012d	9/16/2019	Intel Atom C2300 Series; Intel Atom C2500 Series; Intel Atom C2700 Series
Broadwell EP/EX	0x406f1	0xef	0x0b000038	6/18/2019	Intel Xeon E7-8800/4800-v4 Series; Intel Xeon E5-4600-v4 Series; Intel Xeon E5-2600-v4 Series; Intel Xeon E5-1600-v4 Series
Skylake SP	0x50654	0xb7	0x02006a08	6/16/2020	Intel Xeon Platinum 8100 Series; Intel Xeon Gold 6100/5100, Silver 4100, Bronze 3100 Series; Intel Xeon D-2100 Series; Intel Xeon D-1600 Series; Intel Xeon W-3100 Series; Intel Xeon W-2100 Series
Cascade Lake B-0	0x50656	0xbf	0x04003003	6/18/2020	Intel Xeon Platinum 9200/8200 Series; Intel Xeon Gold 6200/5200; Intel Xeon Silver 4200/Bronze 3200; Intel Xeon W-3200
Cascade Lake	0x50657	0xbf	0x05003003	6/18/2020	Intel Xeon Platinum 9200/8200 Series; Intel Xeon Gold 6200/5200; Intel Xeon Silver 4200/Bronze 3200; Intel Xeon W-3200
Cooper Lake	0x5065b	0xbf	0x0700001f	9/17/2020	Intel Xeon Platinum 8300 Series; Intel Xeon Gold 6300/5300
Broadwell DE	0x50662	0x10	0x0000001c	6/17/2019	Intel Xeon D-1500 Series
Broadwell DE	0x50663	0x10	0x07000019	6/17/2019	Intel Xeon D-1500 Series
Broadwell DE	0x50664	0x10	0x0f000017	6/17/2019	Intel Xeon D-1500 Series
Broadwell NS	0x50665	0x10	0x0e00000f	6/17/2019	Intel Xeon D-1600 Series
Skylake H/S	0x506e3	0x36	0x000000e2	7/14/2020	Intel Xeon E3-1500-v5 Series; Intel Xeon E3-1200-v5 Series
Denverton	0x506f1	0x01	0x00000032	3/7/2020	Intel Atom C3000 Series
Snow Ridge	0x80665	0x01	0x0b000007	2/25/2020	Intel Atom P5000 Series
Kaby Lake H/S/X	0x906e9	0x2a	0x000000de	5/26/2020	Intel Xeon E3-1200-v6 Series; Intel Xeon E3-1500-v6 Series
Coffee Lake	0x906ea	0x22	0x000000de	5/25/2020	Intel Xeon E-2100 Series; Intel Xeon E-2200 Series (4 or 6 core)
Coffee Lake	0x906eb	0x02	0x000000de	5/25/2020	Intel Xeon E-2100 Series
Coffee Lake	0x906ec	0x22	0x000000de	6/3/2020	Intel Xeon E-2100 Series
Coffee Lake Refresh	0x906ed	0x22	0x000000de	5/24/2020	Intel Xeon E-2200 Series (8 core)

ESXi-6.7.0-20210304001-standard

Profile Name	ESXi-6.7.0-20210304001-standard
Build	For build information, see Patches Contained in this Release.
Vendor	VMware, Inc.
Release Date	March 18, 2021
Acceptance Level	PartnerSupported
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMware_bootbank_vsan_6.7.0-3.143.17661912 VMware_bootbank_esx-update_6.7.0-3.143.17700523 VMware_bootbank_esx-base_6.7.0-3.143.17700523 VMware_bootbank_vsanhealth_6.7.0-3.143.17665851 VMW_bootbank_vmw-ahci_2.0.7-2vmw.670.3.143.17700523 VMW_bootbank_vmkusb_0.1-1vmw.670.3.143.17700523 VMware_locker_tools-light_11.2.5.17337674-17700514 VMware_bootbank_cpu-microcode_6.7.0-3.139.17700514
PRs Fixed	2677275, 2664834, 2678794, 2681680, 2649392, 2680976, 2681253, 2701199, 2687411, 2664504, 2684836, 2687729, 2685806, 2683749, 2713397, 2706021, 2710158, 2669702, 2660017, 2685772, 2704741, 2645044, 2683393, 2678705, 2693303, 2695382, 2678639, 2679986, 2713569, 2682261, 2652285, 2697898, 2681921, 2691872, 2719154, 2711959, 2681786, 2659768, 2663643, 2666166, 2688190
Related CVE numbers	N/A

This patch updates the following issues:
- If the Xorg process fails to restart while an ESXi host exits maintenance mode, the hostd service might become unresponsive as it cannot complete the exit operation.
- After a brief storage outage, it is possible that upon recovery of the virtual machines, the disk layout is not refreshed and remains incomplete. As a result, you might see errors in your environment. For example, in the View Composer logs in a VMware Horizon environment, you might see a repeating error such as InvalidSnapshotDiskConfiguration.
- A missing NULL check in a vim.VirtualDiskManager.revertToChildDisk operation triggered by VMware vSphere Replication on virtual disks that do not support this operation might cause the hostd service to fail. As a result, the ESXi host loses connectivity to the vCenter Server system.
- If you disable RC4 from your Active Directory configuration, user authentication to ESXi hosts might start to fail with Failed to authenticate user errors.
- The DVFilter agent uses a common heap to allocate space for both its internal structures and buffers, as well as for the temporary allocations used for moving the state of client agents during vSphere vMotion operations.
  In some deployments and scenarios, the filter states can be very large in size and exhaust the heap during vSphere vMotion operations.
  In the vmkernel logs, you see an error such as Failed waiting for data. Error bad0014. Out of memory.
- If not all data required for the creation of a ContainerView managed object is available during the VM Object Management Infrastructure session, the hostd service might fail.
- Due to a rare race condition, when a container port tries to re-acquire a lock it already holds, an ESXi host might fail with a purple diagnostic screen while virtual machines with container ports power off. You see a backtrace such as:
  gdb) bt #0 LockCheckSelfDeadlockInt (lck=0x4301ad7d6094) at bora/vmkernel/core/lock.c:1820 #1 0x000041801a911dff in Lock_CheckSelfDeadlock (lck=0x4301ad7d6094) at bora/vmkernel/private/lock.h:598 #2 MCSLockRWContended (rwl=rwl@entry=0x4301ad7d6080, writer=writer@entry=1 '\001', downgrade=downgrade@entry=0 '\000', flags=flags@entry=MCS_ALWAYS_LOCK) at bora/vmkernel/main/mcslock.c:2078 #3 0x000041801a9124fd in MCS_DoAcqWriteLockWithRA (rwl=rwl@entry=0x4301ad7d6080, try=try@entry=0 '\000', flags=flags@entry=MCS_ALWAYS_LOCK, ra=) at bora/vmkernel/main/mcslock.c:2541 #4 0x000041801a90ee41 in MCS_AcqWriteLockWithFlags (ra=, flags=MCS_ALWAYS_LOCK, rwl=0x4301ad7d6080) at bora/vmkernel/private/mcslock.h:1246 #5 RefCountBlockSpin (ra=0x41801aa753ca, refCounter=0x4301ad7d6070) at bora/vmkernel/main/refCount.c:565 #6 RefCountBlock (refCounter=0x4301ad7d6070, ra=ra@entry=0x41801aa753ca) at bora/vmkernel/main/refCount.c:646 #7 0x000041801aa3c0a8 in RefCount_BlockWithRA (ra=0x41801aa753ca, refCounter=) at bora/vmkernel/private/refCount.h:793 #8 Portset_LockExclWithRA (ra=0x41801aa753ca, ps=0x4305d081c010) at bora/vmkernel/net/portset.h:763 #9 Portset_GetPortExcl (portID=1329) at bora/vmkernel/net/portset.c:3254 #10 0x000041801aa753ca in Net_WorldCleanup (initFnArgs=) at bora/vmkernel/net/vmkernel_exports.c:1605 #11 0x000041801a8ee8bb in InitTable_Cleanup (steps=steps@entry=0x41801acaa640, numSteps=numSteps@entry=35, clientData=clientData@entry=0x451a86f9bf28) at bora/vmkernel/main/initTable.c:381 #12 0x000041801a940912 in WorldCleanup (world=) at bora/vmkernel/main/world.c:1522 #13 World_TryReap (worldID=) at bora/vmkernel/main/world.c:6113 #14 0x000041801a90e133 in ReaperWorkerWorld (data=) at bora/vmkernel/main/reaper.c:425 #15 0x000041801ab107db in CpuSched_StartWorld (destWorld=, previous=) at bora/vmkernel/sched/cpusched.c:11957 #16 0x0000000000000000 in ?? ()
- During an NFS server failover, the client reclaims all open files. In rare cases, the reclaim operation fails and virtual machines power off, because the NFS server rejects failed requests.
- You might not see NFS datastores using a fault tolerance solution by Nutanix mounted in a vCenter Server system after an ESXi host reboots. However, you can see the volumes in the ESXi host.
- vSAN hosts running in a non-preemptible context might tax the CPU when freeing up 256Gb or more of memory in the cache buffer. The host might fail with a purple diagnostic screen.
- In some configurations, if you use block sizes higher than the supported max transfer length of the storage device, you might see a drop in the I/O bandwidth. The issue occurs due to buffer allocations in the I/O split layer in the storage stack that cause a lock contention.
- If a high priority task holds a physical CPU for a long time, I/O traffic might stop and eventually cause the ESXi host to fail with a purple diagnostic screen. In the backtrace, you see a message such as WARNING: PLOG: PLOGStuckIOCB:7729: Stuck IOs detected on vSAN device:xxx.
- If you have set up a virtual flash resource by using the Virtual Flash File System (VFFS), booting an ESXi hosts with a large number of VMFS datastores might take long. The delay is due to the process of comparing file types, VFFS and VMFS.
- In rare cases, virtual machines with a virtual network device might randomly become unresponsive and you need to shut them down. Attempts to generate a coredump for diagnostic reasons fail.
- Boot time is recalculated on every start of the hostd service. The VMkernel only provides the uptime of the ESXi host. Timers do not move synchronously and as a result, on hostd restart, the boot time might change, back or forth.
- When vSAN reports that the required capacity is less than the available capacity, the corresponding log message might be misleading. The values reported for Required space and Available space might be incorrect.
- You must manually add the claim rules to an ESXi host for FUJITSU ETERNUS AB/HB Series storage arrays.
- A vSAN host might fail with a purple diagnostic screen due to a Use-After-Free (UAF) error in the LSOM/VSAN slab. You can observe the issue in the following stack:
  cpu11:2100603)0x451c5f09bd68:[0x418027d285d2]vmk_SlabAlloc@vmkernel#nover+0x2e stack: 0x418028f981ba, 0x0, 0x431d231dbae0, 0x451c5f09bde8, 0x459c836cb960 cpu11:2100603)0x451c5f09bd70:[0x418028f5e28c][email protected]#0.0.0.1+0xd stack: 0x0, 0x431d231dbae0, 0x451c5f09bde8, 0x459c836cb960, 0x431d231f7c98 cpu11:2100603)0x451c5f09bd80:[0x418028f981b9]LSOM_Alloc@LSOMCommon#1+0xaa stack: 0x451c5f09bde8, 0x459c836cb960, 0x431d231f7c98, 0x418028f57eb3, 0x431d231dbae0 cpu11:2100603)0x451c5f09bdb0:[0x418028f57eb2][email protected]#0.0.0.1+0x5f stack: 0x1, 0x459c836cb960, 0x418029164388, 0x41802903c607, 0xffffffffffffffff cpu11:2100603)0x451c5f09bde0:[0x41802903c606][email protected]#0.0.0.1+0x87 stack: 0x459c836cb740, 0x0, 0x43218d3b7c00, 0x43036e815070, 0x451c5f0a3000 cpu11:2100603)0x451c5f09be20:[0x418029165075][email protected]#0.0.0.1+0xfa stack: 0x0, 0x418027d15483, 0x451bc0580000, 0x418027d1c57a, 0x26f5abad8d0ac0 cpu11:2100603)0x451c5f09bf30:[0x418027ceaf52]HelperQueueFunc@vmkernel#nover+0x30f stack: 0x431d231ba618, 0x431d231ba608, 0x431d231ba640, 0x451c5f0a3000, 0x431d231ba618 cpu11:2100603)0x451c5f09bfe0:[0x418027f0eaa2]CpuSched_StartWorld@vmkernel#nover+0x77 stack: 0x0, 0x0, 0x0, 0x0, 0x0
- In the vSphere Client, you see hardware health warning with status Unknown for some sensors on ESXi hosts.
- Due to internal memory leaks, the memory usage of the wsman service on some servers might increase beyond the max limit of 23 MB. As a result, the service stops accepting incoming requests until restarted. The issue affects Dell and Lenovo servers.
- In some environments, the vSphere Storage Appliance (VSA) plug-in, also known as Security Virtual Appliance (SVA), might cause the hostd service to become intermittently unresponsive during the creation of a TCP connection. In addition, virtual machine snapshots might time out. VSA is not supported since 2014.
- In rare cases, an unlocked spinlock might cause an ESXi host to fail with a purple diagnostic screen when restarting a virtual machine that is part of a Microsoft Cluster Service (MSCS) cluster. If you have VMware vSphere High Availability enabled in your environment, the issue might affect many ESXi hosts, because vSphere HA tries to power on the virtual machine in other hosts.
- When a slab allocation failure is not handled properly in the RCRead path, a vSAN host might fail with a purple diagnostic screen. You see a warning such as: bora/modules/vmkernel/lsom/rc_io.c:2115 -- NOT REACHED.
- The VMXNET3 driver copies and calculates the checksums from the payload indicated in the IP total length field. However, VMXNET3 does not copy any additional bytes after the payload that are not included in the length field and such bytes do not pass to guest virtual machines. For example, VMXNET3 does not copy and pass Ethernet trailers.
- When a storage device in a vSAN disk group has a transient error due to read failures, Full Rebuild Avoidance (FRA) might not be able to repair the device. In such cases, FRA does not perform relog, which might lead to a log build up at PLOG, causing congestion and latency issues.
- When you boot virtual machines with BIOS firmware from a network interface, interactions with the different servers in the environment might take long due to a networking issue. This issue does not impact network performance during guest OS runtime.
- If a physical port in a link aggregation group goes down or restarts, but at the same time an ESXi host sends out of sync LACP packet to the physical switch, the vmnic might also go down. This might cause link aggregation to be temporarily unstable.
- During vSphere vMotion operations to NFS datastores, the NFS disk-based lock files might not be deleted. As a result, virtual machines on the destination host become unresponsive for around 40 seconds.
- If you use the /bin/services.sh restart command to restart vCenter Server management services, the vobd daemon, which is responsible for sending ESXi host events to vCenter Server, might not restart. As a result, you do not see alerts in the vSphere Client and the vSphere Web Client.
- In rare occasions, when vSphere HA restarts or fails over, a virtual machine on the vSphere HA cluster might lose connectivity with an error such as VMXNET3 user: failed to connect 'Ethernet0' to DV Port 'xx'.
- TCP uses a 3-step synchronize (SYN) and acknowledge (ACK) process to establish connections, SYN, SYN-ACK and ACK of the SYN-ACK. Options such as TCP timestamps are negotiated as part of this process. For traffic optimization reasons, middleboxes or TCP proxies might remove the timestamp option in the SYN-ACK phase. As a result, such TCP connections to ESXi hosts reset and close. A packet capture shows an RST packet from the server, immediately after the TCP handshake.
- A rare condition when an uninitialized field in the heap memory returns an invalid value for a VMFS resource cluster number might cause subsequent searches for this cluster on the VMFS volume to fail. As a result, the ESXi host fails with a purple diagnostic screen.
- A rare race condition of LAG port read locks might cause an ESXi host might fail with a purple diagnostic screen while disconnecting from a VDS.
- Issuance of read I/Os by the vSAN read cache in order to fill 1 MB read cache lines of a hybrid vSAN array from a highly fragmented write buffer, might result in IORETRY splitting of all 64 KB read I/Os issued by the read cache into 16 4 KB I/Os. This might cause IORETRY queue exhaustion.
- If a vSAN datastore contains many powered off or suspended VMs that are not receiving any I/Os, active VMs on the vSAN datastore might experience performance degradation due to increasing LSOM memory congestion in vSAN.
- In rare cases, if you commit an object on a disk group, but the object appears as not committed after the vSAN host with that disk group reboots, vSAN might incorrectly consider the object to be in bad state. As a result, the vSAN host might fail with a purple diagnostic screen with a message such as:
  Object <uuid> corrupted. lastCWLSN = <number>, pendingLSN = <number> PanicvPanicInt@vmkernel#nover+0x439 Panic_vPanic@vmkernel#nover+0x23 vmk_PanicWithModuleID@vmkernel#nover+0x41 [email protected]#0.0.0.1+0x6b3 [email protected]#0.0.0.1+0xa5 [email protected]#0.0.0.1+0xce [email protected]#0.0.0.1+0x5e1 vmkWorldFunc@vmkernel#nover+0x4f CpuSched_StartWorld@vmkernel#nover+0x77
- If you set a power cycle flag by using the vmx.reboot.powerCycle=TRUE advanced setting during a hardware upgrade of virtual machines, the hostd service might lose track of the VMs power state. After the VMs reboot, hostd might report powered on VMs as powered off.
- During virtual machine disk consolidation operations, such as snapshot disk consolidation, the hostd service might hold a lock for a long time. As a result, hostd delays responds to other tasks and state requests. Consequently, if the disk consolidation task takes too long, the ESXi host becomes unresponsive.
- If the UUID of a virtual machine changes, such as after a migration by using vSphere vMotion, and the virtual machine has a vNIC on an NSX-T managed switch, the VM loses network connectivity. The vNIC cannot reconnect.
  One or more ESXi hosts might intermittently become unresponsive due to a race condition in the VMware AHCI SATA Storage Controller Driver. In the vmkernel.log file, you see a lot of messages such as:
  …ahciAbortIO:(curr) HWQD: 0 BusyL: 0
- The ESXi USB driver, vmkusb, might fail to process control I/O that exceeds 1K. As a result, some USB devices cause failures of I/O traffic to virtual machines on an ESXi host.

ESXi-6.7.0-20210304001-no-tools

Profile Name	ESXi-6.7.0-20210304001-no-tools
Build	For build information, see Patches Contained in this Release.
Vendor	VMware, Inc.
Release Date	March 18, 2021
Acceptance Level	PartnerSupported
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMware_bootbank_vsan_6.7.0-3.143.17661912 VMware_bootbank_esx-update_6.7.0-3.143.17700523 VMware_bootbank_esx-base_6.7.0-3.143.17700523 VMware_bootbank_vsanhealth_6.7.0-3.143.17665851 VMW_bootbank_vmw-ahci_2.0.7-2vmw.670.3.143.17700523 VMW_bootbank_vmkusb_0.1-1vmw.670.3.143.17700523 VMware_bootbank_cpu-microcode_6.7.0-3.139.17700514
PRs Fixed	2677275, 2664834, 2678794, 2681680, 2649392, 2680976, 2681253, 2701199, 2687411, 2664504, 2684836, 2687729, 2685806, 2683749, 2713397, 2706021, 2710158, 2669702, 2660017, 2685772, 2704741, 2645044, 2683393, 2678705, 2693303, 2695382, 2678639, 2679986, 2713569, 2682261, 2652285, 2697898, 2681921, 2691872, 2719154, 2711959, 2681786, 2659768, 2663643, 2666166, 2688190
Related CVE numbers	N/A

This patch updates the following issues:
- If the Xorg process fails to restart while an ESXi host exits maintenance mode, the hostd service might become unresponsive as it cannot complete the exit operation.
- After a brief storage outage, it is possible that upon recovery of the virtual machines, the disk layout is not refreshed and remains incomplete. As a result, you might see errors in your environment. For example, in the View Composer logs in a VMware Horizon environment, you might see a repeating error such as InvalidSnapshotDiskConfiguration.
- A missing NULL check in a vim.VirtualDiskManager.revertToChildDisk operation triggered by VMware vSphere Replication on virtual disks that do not support this operation might cause the hostd service to fail. As a result, the ESXi host loses connectivity to the vCenter Server system.
- If you disable RC4 from your Active Directory configuration, user authentication to ESXi hosts might start to fail with Failed to authenticate user errors.
- The DVFilter agent uses a common heap to allocate space for both its internal structures and buffers, as well as for the temporary allocations used for moving the state of client agents during vSphere vMotion operations.
  In some deployments and scenarios, the filter states can be very large in size and exhaust the heap during vSphere vMotion operations.
  In the vmkernel logs, you see an error such as Failed waiting for data. Error bad0014. Out of memory.
- If not all data required for the creation of a ContainerView managed object is available during the VM Object Management Infrastructure session, the hostd service might fail.
- Due to a rare race condition, when a container port tries to re-acquire a lock it already holds, an ESXi host might fail with a purple diagnostic screen while virtual machines with container ports power off. You see a backtrace such as:
  gdb) bt #0 LockCheckSelfDeadlockInt (lck=0x4301ad7d6094) at bora/vmkernel/core/lock.c:1820 #1 0x000041801a911dff in Lock_CheckSelfDeadlock (lck=0x4301ad7d6094) at bora/vmkernel/private/lock.h:598 #2 MCSLockRWContended (rwl=rwl@entry=0x4301ad7d6080, writer=writer@entry=1 '\001', downgrade=downgrade@entry=0 '\000', flags=flags@entry=MCS_ALWAYS_LOCK) at bora/vmkernel/main/mcslock.c:2078 #3 0x000041801a9124fd in MCS_DoAcqWriteLockWithRA (rwl=rwl@entry=0x4301ad7d6080, try=try@entry=0 '\000', flags=flags@entry=MCS_ALWAYS_LOCK, ra=) at bora/vmkernel/main/mcslock.c:2541 #4 0x000041801a90ee41 in MCS_AcqWriteLockWithFlags (ra=, flags=MCS_ALWAYS_LOCK, rwl=0x4301ad7d6080) at bora/vmkernel/private/mcslock.h:1246 #5 RefCountBlockSpin (ra=0x41801aa753ca, refCounter=0x4301ad7d6070) at bora/vmkernel/main/refCount.c:565 #6 RefCountBlock (refCounter=0x4301ad7d6070, ra=ra@entry=0x41801aa753ca) at bora/vmkernel/main/refCount.c:646 #7 0x000041801aa3c0a8 in RefCount_BlockWithRA (ra=0x41801aa753ca, refCounter=) at bora/vmkernel/private/refCount.h:793 #8 Portset_LockExclWithRA (ra=0x41801aa753ca, ps=0x4305d081c010) at bora/vmkernel/net/portset.h:763 #9 Portset_GetPortExcl (portID=1329) at bora/vmkernel/net/portset.c:3254 #10 0x000041801aa753ca in Net_WorldCleanup (initFnArgs=) at bora/vmkernel/net/vmkernel_exports.c:1605 #11 0x000041801a8ee8bb in InitTable_Cleanup (steps=steps@entry=0x41801acaa640, numSteps=numSteps@entry=35, clientData=clientData@entry=0x451a86f9bf28) at bora/vmkernel/main/initTable.c:381 #12 0x000041801a940912 in WorldCleanup (world=) at bora/vmkernel/main/world.c:1522 #13 World_TryReap (worldID=) at bora/vmkernel/main/world.c:6113 #14 0x000041801a90e133 in ReaperWorkerWorld (data=) at bora/vmkernel/main/reaper.c:425 #15 0x000041801ab107db in CpuSched_StartWorld (destWorld=, previous=) at bora/vmkernel/sched/cpusched.c:11957 #16 0x0000000000000000 in ?? ()
- During an NFS server failover, the client reclaims all open files. In rare cases, the reclaim operation fails and virtual machines power off, because the NFS server rejects failed requests.
- You might not see NFS datastores using a fault tolerance solution by Nutanix mounted in a vCenter Server system after an ESXi host reboots. However, you can see the volumes in the ESXi host.
- vSAN hosts running in a non-preemptible context might tax the CPU when freeing up 256Gb or more of memory in the cache buffer. The host might fail with a purple diagnostic screen.
- In some configurations, if you use block sizes higher than the supported max transfer length of the storage device, you might see a drop in the I/O bandwidth. The issue occurs due to buffer allocations in the I/O split layer in the storage stack that cause a lock contention.
- If a high priority task holds a physical CPU for a long time, I/O traffic might stop and eventually cause the ESXi host to fail with a purple diagnostic screen. In the backtrace, you see a message such as WARNING: PLOG: PLOGStuckIOCB:7729: Stuck IOs detected on vSAN device:xxx.
- If you have set up a virtual flash resource by using the Virtual Flash File System (VFFS), booting an ESXi hosts with a large number of VMFS datastores might take long. The delay is due to the process of comparing file types, VFFS and VMFS.
- In rare cases, virtual machines with a virtual network device might randomly become unresponsive and you need to shut them down. Attempts to generate a coredump for diagnostic reasons fail.
- Boot time is recalculated on every start of the hostd service. The VMkernel only provides the uptime of the ESXi host. Timers do not move synchronously and as a result, on hostd restart, the boot time might change, back or forth.
- When vSAN reports that the required capacity is less than the available capacity, the corresponding log message might be misleading. The values reported for Required space and Available space might be incorrect.
- You must manually add the claim rules to an ESXi host for FUJITSU ETERNUS AB/HB Series storage arrays.
- A vSAN host might fail with a purple diagnostic screen due to a Use-After-Free (UAF) error in the LSOM/VSAN slab. You can observe the issue in the following stack:
  cpu11:2100603)0x451c5f09bd68:[0x418027d285d2]vmk_SlabAlloc@vmkernel#nover+0x2e stack: 0x418028f981ba, 0x0, 0x431d231dbae0, 0x451c5f09bde8, 0x459c836cb960 cpu11:2100603)0x451c5f09bd70:[0x418028f5e28c][email protected]#0.0.0.1+0xd stack: 0x0, 0x431d231dbae0, 0x451c5f09bde8, 0x459c836cb960, 0x431d231f7c98 cpu11:2100603)0x451c5f09bd80:[0x418028f981b9]LSOM_Alloc@LSOMCommon#1+0xaa stack: 0x451c5f09bde8, 0x459c836cb960, 0x431d231f7c98, 0x418028f57eb3, 0x431d231dbae0 cpu11:2100603)0x451c5f09bdb0:[0x418028f57eb2][email protected]#0.0.0.1+0x5f stack: 0x1, 0x459c836cb960, 0x418029164388, 0x41802903c607, 0xffffffffffffffff cpu11:2100603)0x451c5f09bde0:[0x41802903c606][email protected]#0.0.0.1+0x87 stack: 0x459c836cb740, 0x0, 0x43218d3b7c00, 0x43036e815070, 0x451c5f0a3000 cpu11:2100603)0x451c5f09be20:[0x418029165075][email protected]#0.0.0.1+0xfa stack: 0x0, 0x418027d15483, 0x451bc0580000, 0x418027d1c57a, 0x26f5abad8d0ac0 cpu11:2100603)0x451c5f09bf30:[0x418027ceaf52]HelperQueueFunc@vmkernel#nover+0x30f stack: 0x431d231ba618, 0x431d231ba608, 0x431d231ba640, 0x451c5f0a3000, 0x431d231ba618 cpu11:2100603)0x451c5f09bfe0:[0x418027f0eaa2]CpuSched_StartWorld@vmkernel#nover+0x77 stack: 0x0, 0x0, 0x0, 0x0, 0x0
- In the vSphere Client, you see hardware health warning with status Unknown for some sensors on ESXi hosts.
- Due to internal memory leaks, the memory usage of the wsman service on some servers might increase beyond the max limit of 23 MB. As a result, the service stops accepting incoming requests until restarted. The issue affects Dell and Lenovo servers.
- In some environments, the vSphere Storage Appliance (VSA) plug-in, also known as Security Virtual Appliance (SVA), might cause the hostd service to become intermittently unresponsive during the creation of a TCP connection. In addition, virtual machine snapshots might time out. VSA is not supported since 2014.
- In rare cases, an unlocked spinlock might cause an ESXi host to fail with a purple diagnostic screen when restarting a virtual machine that is part of a Microsoft Cluster Service (MSCS) cluster. If you have VMware vSphere High Availability enabled in your environment, the issue might affect many ESXi hosts, because vSphere HA tries to power on the virtual machine in other hosts.
- When a slab allocation failure is not handled properly in the RCRead path, a vSAN host might fail with a purple diagnostic screen. You see a warning such as: bora/modules/vmkernel/lsom/rc_io.c:2115 -- NOT REACHED.
- The VMXNET3 driver copies and calculates the checksums from the payload indicated in the IP total length field. However, VMXNET3 does not copy any additional bytes after the payload that are not included in the length field and such bytes do not pass to guest virtual machines. For example, VMXNET3 does not copy and pass Ethernet trailers.
- When a storage device in a vSAN disk group has a transient error due to read failures, Full Rebuild Avoidance (FRA) might not be able to repair the device. In such cases, FRA does not perform relog, which might lead to a log build up at PLOG, causing congestion and latency issues.
- When you boot virtual machines with BIOS firmware from a network interface, interactions with the different servers in the environment might take long due to a networking issue. This issue does not impact network performance during guest OS runtime.
- If a physical port in a link aggregation group goes down or restarts, but at the same time an ESXi host sends out of sync LACP packet to the physical switch, the vmnic might also go down. This might cause link aggregation to be temporarily unstable.
- During vSphere vMotion operations to NFS datastores, the NFS disk-based lock files might not be deleted. As a result, virtual machines on the destination host become unresponsive for around 40 seconds.
- If you use the /bin/services.sh restart command to restart vCenter Server management services, the vobd daemon, which is responsible for sending ESXi host events to vCenter Server, might not restart. As a result, you do not see alerts in the vSphere Client and the vSphere Web Client.
- In rare occasions, when vSphere HA restarts or fails over, a virtual machine on the vSphere HA cluster might lose connectivity with an error such as VMXNET3 user: failed to connect 'Ethernet0' to DV Port 'xx'.
- TCP uses a 3-step synchronize (SYN) and acknowledge (ACK) process to establish connections, SYN, SYN-ACK and ACK of the SYN-ACK. Options such as TCP timestamps are negotiated as part of this process. For traffic optimization reasons, middleboxes or TCP proxies might remove the timestamp option in the SYN-ACK phase. As a result, such TCP connections to ESXi hosts reset and close. A packet capture shows an RST packet from the server, immediately after the TCP handshake.
- A rare condition when an uninitialized field in the heap memory returns an invalid value for a VMFS resource cluster number might cause subsequent searches for this cluster on the VMFS volume to fail. As a result, the ESXi host fails with a purple diagnostic screen.
- A rare race condition of LAG port read locks might cause an ESXi host might fail with a purple diagnostic screen while disconnecting from a VDS.
- Issuance of read I/Os by the vSAN read cache in order to fill 1 MB read cache lines of a hybrid vSAN array from a highly fragmented write buffer, might result in IORETRY splitting of all 64 KB read I/Os issued by the read cache into 16 4 KB I/Os. This might cause IORETRY queue exhaustion.
- If a vSAN datastore contains many powered off or suspended VMs that are not receiving any I/Os, active VMs on the vSAN datastore might experience performance degradation due to increasing LSOM memory congestion in vSAN.
- In rare cases, if you commit an object on a disk group, but the object appears as not committed after the vSAN host with that disk group reboots, vSAN might incorrectly consider the object to be in bad state. As a result, the vSAN host might fail with a purple diagnostic screen with a message such as:
  Object <uuid> corrupted. lastCWLSN = <number>, pendingLSN = <number> PanicvPanicInt@vmkernel#nover+0x439 Panic_vPanic@vmkernel#nover+0x23 vmk_PanicWithModuleID@vmkernel#nover+0x41 [email protected]#0.0.0.1+0x6b3 [email protected]#0.0.0.1+0xa5 [email protected]#0.0.0.1+0xce [email protected]#0.0.0.1+0x5e1 vmkWorldFunc@vmkernel#nover+0x4f CpuSched_StartWorld@vmkernel#nover+0x77
- If you set a power cycle flag by using the vmx.reboot.powerCycle=TRUE advanced setting during a hardware upgrade of virtual machines, the hostd service might lose track of the VMs power state. After the VMs reboot, hostd might report powered on VMs as powered off.
- During virtual machine disk consolidation operations, such as snapshot disk consolidation, the hostd service might hold a lock for a long time. As a result, hostd delays responds to other tasks and state requests. Consequently, if the disk consolidation task takes too long, the ESXi host becomes unresponsive.
- If the UUID of a virtual machine changes, such as after a migration by using vSphere vMotion, and the virtual machine has a vNIC on an NSX-T managed switch, the VM loses network connectivity. The vNIC cannot reconnect.
  One or more ESXi hosts might intermittently become unresponsive due to a race condition in the VMware AHCI SATA Storage Controller Driver. In the vmkernel.log file, you see a lot of messages such as:
  …ahciAbortIO:(curr) HWQD: 0 BusyL: 0
- The ESXi USB driver, vmkusb, might fail to process control I/O that exceeds 1K. As a result, some USB devices cause failures of I/O traffic to virtual machines on an ESXi host.

ESXi-6.7.0-20210301001s-standard

Profile Name	ESXi-6.7.0-20210301001s-standard
Build	For build information, see Patches Contained in this Release.
Vendor	VMware, Inc.
Release Date	March 18, 2021
Acceptance Level	PartnerSupported
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMware_bootbank_esx-update_6.7.0-3.139.17700514 VMware_bootbank_vsan_6.7.0-3.139.17598146 VMware_bootbank_vsanhealth_6.7.0-3.139.17598147 VMware_bootbank_esx-base_6.7.0-3.139.17700514 VMware_locker_tools-light_11.2.5.17337674-17700514 VMware_bootbank_cpu-microcode_6.7.0-3.139.17700514
PRs Fixed	2704743, 2713501, 2673509
Related CVE numbers	N/A

This patch updates the following issues:

The OpenSSH version is updated to 8.4p1.
The Python third-party library is updated to version 3.5.10.
The ESXi userworld OpenSSL library is updated to version openssl-1.0.2x.
The following VMware Tools ISO images are bundled with ESXi 670-202103001:
- windows.iso: VMware Tools 11.2.5 supports Windows 7 SP1 or Windows Server 2008 R2 SP1 and later.
- linux.iso: VMware Tools 10.3.23 ISO image for Linux OS with glibc 2.11 or later.
- The following VMware Tools ISO images are available for download:
- VMware Tools 10.0.12:
  - winPreVista.iso: for Windows 2000, Windows XP, and Windows 2003.
  - linuxPreGLibc25.iso: for Linux OS with a glibc version less than 2.5.
- VMware Tools 11.0.6:
  - windows.iso: for Windows Vista (SP2) and Windows Server 2008 Service Pack 2 (SP2).
- solaris.iso: VMware Tools image 10.3.10 for Solaris.
- darwin.iso: Supports Mac OS X versions 10.11 and later.
- Follow the procedures listed in the following documents to download VMware Tools for platforms not bundled with ESXi:
- VMware Tools 11.2.5 Release Notes
- Earlier versions of VMware Tools
- What Every vSphere Admin Must Know About VMware Tools
- VMware Tools for hosts provisioned with Auto Deploy
- Updating VMware Tools

Code Name	FMS	Plt ID	MCU Rev	MCU Date	Brand Names
Nehalem EP	0x106a5	0x03	0x0000001d	5/11/2018	Intel Xeon 35xx Series; Intel Xeon 55xx Series
Lynnfield	0x106e5	0x13	0x0000000a	5/8/2018	Intel Xeon 34xx Lynnfield Series
Clarkdale	0x20652	0x12	0x00000011	5/8/2018	Intel i3/i5 Clarkdale Series; Intel Xeon 34xx Clarkdale Series
Arrandale	0x20655	0x92	0x00000007	4/23/2018	Intel Core i7-620LE Processor
Sandy Bridge DT	0x206a7	0x12	0x0000002f	2/17/2019	Intel Xeon E3-1100 Series; Intel Xeon E3-1200 Series; Intel i7-2655-LE Series; Intel i3-2100 Series
Westmere EP	0x206c2	0x03	0x0000001f	5/8/2018	Intel Xeon 56xx Series; Intel Xeon 36xx Series
Sandy Bridge EP	0x206d6	0x6d	0x00000621	3/4/2020	Intel Pentium 1400 Series; Intel Xeon E5-1400 Series; Intel Xeon E5-1600 Series; Intel Xeon E5-2400 Series; Intel Xeon E5-2600 Series; Intel Xeon E5-4600 Series
Sandy Bridge EP	0x206d7	0x6d	0x0000071a	3/24/2020	Intel Pentium 1400 Series; Intel Xeon E5-1400 Series; Intel Xeon E5-1600 Series; Intel Xeon E5-2400 Series; Intel Xeon E5-2600 Series; Intel Xeon E5-4600 Series
Nehalem EX	0x206e6	0x04	0x0000000d	5/15/2018	Intel Xeon 65xx Series; Intel Xeon 75xx Series
Westmere EX	0x206f2	0x05	0x0000003b	5/16/2018	Intel Xeon E7-8800 Series; Intel Xeon E7-4800 Series; Intel Xeon E7-2800 Series
Ivy Bridge DT	0x306a9	0x12	0x00000021	2/13/2019	Intel i3-3200 Series; Intel i7-3500-LE/UE; Intel i7-3600-QE; Intel Xeon E3-1200-v2 Series; Intel Xeon E3-1100-C-v2 Series; Intel Pentium B925C
Haswell DT	0x306c3	0x32	0x00000028	11/12/2019	Intel Xeon E3-1200-v3 Series; Intel i7-4700-EQ Series; Intel i5-4500-TE Series; Intel i3-4300 Series
Ivy Bridge EP	0x306e4	0xed	0x0000042e	3/14/2019	Intel Xeon E5-4600-v2 Series; Intel Xeon E5-2600-v2 Series; Intel Xeon E5-2400-v2 Series; Intel Xeon E5-1600-v2 Series; Intel Xeon E5-1400-v2 Series
Ivy Bridge EX	0x306e7	0xed	0x00000715	3/14/2019	Intel Xeon E7-8800/4800/2800-v2 Series
Haswell EP	0x306f2	0x6f	0x00000044	5/27/2020	Intel Xeon E5-4600-v3 Series; Intel Xeon E5-2600-v3 Series; Intel Xeon E5-2400-v3 Series; Intel Xeon E5-1600-v3 Series; Intel Xeon E5-1400-v3 Series
Haswell EX	0x306f4	0x80	0x00000016	6/17/2019	Intel Xeon E7-8800/4800-v3 Series
Broadwell H	0x40671	0x22	0x00000022	11/12/2019	Intel Core i7-5700EQ; Intel Xeon E3-1200-v4 Series
Avoton	0x406d8	0x01	0x0000012d	9/16/2019	Intel Atom C2300 Series; Intel Atom C2500 Series; Intel Atom C2700 Series
Broadwell EP/EX	0x406f1	0xef	0x0b000038	6/18/2019	Intel Xeon E7-8800/4800-v4 Series; Intel Xeon E5-4600-v4 Series; Intel Xeon E5-2600-v4 Series; Intel Xeon E5-1600-v4 Series
Skylake SP	0x50654	0xb7	0x02006a08	6/16/2020	Intel Xeon Platinum 8100 Series; Intel Xeon Gold 6100/5100, Silver 4100, Bronze 3100 Series; Intel Xeon D-2100 Series; Intel Xeon D-1600 Series; Intel Xeon W-3100 Series; Intel Xeon W-2100 Series
Cascade Lake B-0	0x50656	0xbf	0x04003003	6/18/2020	Intel Xeon Platinum 9200/8200 Series; Intel Xeon Gold 6200/5200; Intel Xeon Silver 4200/Bronze 3200; Intel Xeon W-3200
Cascade Lake	0x50657	0xbf	0x05003003	6/18/2020	Intel Xeon Platinum 9200/8200 Series; Intel Xeon Gold 6200/5200; Intel Xeon Silver 4200/Bronze 3200; Intel Xeon W-3200
Cooper Lake	0x5065b	0xbf	0x0700001f	9/17/2020	Intel Xeon Platinum 8300 Series; Intel Xeon Gold 6300/5300
Broadwell DE	0x50662	0x10	0x0000001c	6/17/2019	Intel Xeon D-1500 Series
Broadwell DE	0x50663	0x10	0x07000019	6/17/2019	Intel Xeon D-1500 Series
Broadwell DE	0x50664	0x10	0x0f000017	6/17/2019	Intel Xeon D-1500 Series
Broadwell NS	0x50665	0x10	0x0e00000f	6/17/2019	Intel Xeon D-1600 Series
Skylake H/S	0x506e3	0x36	0x000000e2	7/14/2020	Intel Xeon E3-1500-v5 Series; Intel Xeon E3-1200-v5 Series
Denverton	0x506f1	0x01	0x00000032	3/7/2020	Intel Atom C3000 Series
Snow Ridge	0x80665	0x01	0x0b000007	2/25/2020	Intel Atom P5000 Series
Kaby Lake H/S/X	0x906e9	0x2a	0x000000de	5/26/2020	Intel Xeon E3-1200-v6 Series; Intel Xeon E3-1500-v6 Series
Coffee Lake	0x906ea	0x22	0x000000de	5/25/2020	Intel Xeon E-2100 Series; Intel Xeon E-2200 Series (4 or 6 core)
Coffee Lake	0x906eb	0x02	0x000000de	5/25/2020	Intel Xeon E-2100 Series
Coffee Lake	0x906ec	0x22	0x000000de	6/3/2020	Intel Xeon E-2100 Series
Coffee Lake Refresh	0x906ed	0x22	0x000000de	5/24/2020	Intel Xeon E-2200 Series (8 core)

ESXi-6.7.0-20210301001s-no-tools

Profile Name	ESXi-6.7.0-20210301001s-no-tools
Build	For build information, see Patches Contained in this Release.
Vendor	VMware, Inc.
Release Date	March 18, 2021
Acceptance Level	PartnerSupported
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMware_bootbank_esx-update_6.7.0-3.139.17700514 VMware_bootbank_vsan_6.7.0-3.139.17598146 VMware_bootbank_vsanhealth_6.7.0-3.139.17598147 VMware_bootbank_esx-base_6.7.0-3.139.17700514 VMware_bootbank_cpu-microcode_6.7.0-3.139.17700514
PRs Fixed	2704743, 2713501, 2673509
Related CVE numbers	N/A

This patch updates the following issues:

The OpenSSH version is updated to 8.4p1.
The Python third-party library is updated to version 3.5.10.
The ESXi userworld OpenSSL library is updated to version openssl-1.0.2x.
The following VMware Tools ISO images are bundled with ESXi 670-202103001:
- windows.iso: VMware Tools 11.2.5 supports Windows 7 SP1 or Windows Server 2008 R2 SP1 and later.
- linux.iso: VMware Tools 10.3.23 ISO image for Linux OS with glibc 2.11 or later.
- The following VMware Tools ISO images are available for download:
- VMware Tools 10.0.12:
  - winPreVista.iso: for Windows 2000, Windows XP, and Windows 2003.
  - linuxPreGLibc25.iso: for Linux OS with a glibc version less than 2.5.
- VMware Tools 11.0.6:
  - windows.iso: for Windows Vista (SP2) and Windows Server 2008 Service Pack 2 (SP2).
- solaris.iso: VMware Tools image 10.3.10 for Solaris.
- darwin.iso: Supports Mac OS X versions 10.11 and later.
- Follow the procedures listed in the following documents to download VMware Tools for platforms not bundled with ESXi:
- VMware Tools 11.2.5 Release Notes
- Earlier versions of VMware Tools
- What Every vSphere Admin Must Know About VMware Tools
- VMware Tools for hosts provisioned with Auto Deploy
- Updating VMware Tools

Code Name	FMS	Plt ID	MCU Rev	MCU Date	Brand Names
Nehalem EP	0x106a5	0x03	0x0000001d	5/11/2018	Intel Xeon 35xx Series; Intel Xeon 55xx Series
Lynnfield	0x106e5	0x13	0x0000000a	5/8/2018	Intel Xeon 34xx Lynnfield Series
Clarkdale	0x20652	0x12	0x00000011	5/8/2018	Intel i3/i5 Clarkdale Series; Intel Xeon 34xx Clarkdale Series
Arrandale	0x20655	0x92	0x00000007	4/23/2018	Intel Core i7-620LE Processor
Sandy Bridge DT	0x206a7	0x12	0x0000002f	2/17/2019	Intel Xeon E3-1100 Series; Intel Xeon E3-1200 Series; Intel i7-2655-LE Series; Intel i3-2100 Series
Westmere EP	0x206c2	0x03	0x0000001f	5/8/2018	Intel Xeon 56xx Series; Intel Xeon 36xx Series
Sandy Bridge EP	0x206d6	0x6d	0x00000621	3/4/2020	Intel Pentium 1400 Series; Intel Xeon E5-1400 Series; Intel Xeon E5-1600 Series; Intel Xeon E5-2400 Series; Intel Xeon E5-2600 Series; Intel Xeon E5-4600 Series
Sandy Bridge EP	0x206d7	0x6d	0x0000071a	3/24/2020	Intel Pentium 1400 Series; Intel Xeon E5-1400 Series; Intel Xeon E5-1600 Series; Intel Xeon E5-2400 Series; Intel Xeon E5-2600 Series; Intel Xeon E5-4600 Series
Nehalem EX	0x206e6	0x04	0x0000000d	5/15/2018	Intel Xeon 65xx Series; Intel Xeon 75xx Series
Westmere EX	0x206f2	0x05	0x0000003b	5/16/2018	Intel Xeon E7-8800 Series; Intel Xeon E7-4800 Series; Intel Xeon E7-2800 Series
Ivy Bridge DT	0x306a9	0x12	0x00000021	2/13/2019	Intel i3-3200 Series; Intel i7-3500-LE/UE; Intel i7-3600-QE; Intel Xeon E3-1200-v2 Series; Intel Xeon E3-1100-C-v2 Series; Intel Pentium B925C
Haswell DT	0x306c3	0x32	0x00000028	11/12/2019	Intel Xeon E3-1200-v3 Series; Intel i7-4700-EQ Series; Intel i5-4500-TE Series; Intel i3-4300 Series
Ivy Bridge EP	0x306e4	0xed	0x0000042e	3/14/2019	Intel Xeon E5-4600-v2 Series; Intel Xeon E5-2600-v2 Series; Intel Xeon E5-2400-v2 Series; Intel Xeon E5-1600-v2 Series; Intel Xeon E5-1400-v2 Series
Ivy Bridge EX	0x306e7	0xed	0x00000715	3/14/2019	Intel Xeon E7-8800/4800/2800-v2 Series
Haswell EP	0x306f2	0x6f	0x00000044	5/27/2020	Intel Xeon E5-4600-v3 Series; Intel Xeon E5-2600-v3 Series; Intel Xeon E5-2400-v3 Series; Intel Xeon E5-1600-v3 Series; Intel Xeon E5-1400-v3 Series
Haswell EX	0x306f4	0x80	0x00000016	6/17/2019	Intel Xeon E7-8800/4800-v3 Series
Broadwell H	0x40671	0x22	0x00000022	11/12/2019	Intel Core i7-5700EQ; Intel Xeon E3-1200-v4 Series
Avoton	0x406d8	0x01	0x0000012d	9/16/2019	Intel Atom C2300 Series; Intel Atom C2500 Series; Intel Atom C2700 Series
Broadwell EP/EX	0x406f1	0xef	0x0b000038	6/18/2019	Intel Xeon E7-8800/4800-v4 Series; Intel Xeon E5-4600-v4 Series; Intel Xeon E5-2600-v4 Series; Intel Xeon E5-1600-v4 Series
Skylake SP	0x50654	0xb7	0x02006a08	6/16/2020	Intel Xeon Platinum 8100 Series; Intel Xeon Gold 6100/5100, Silver 4100, Bronze 3100 Series; Intel Xeon D-2100 Series; Intel Xeon D-1600 Series; Intel Xeon W-3100 Series; Intel Xeon W-2100 Series
Cascade Lake B-0	0x50656	0xbf	0x04003003	6/18/2020	Intel Xeon Platinum 9200/8200 Series; Intel Xeon Gold 6200/5200; Intel Xeon Silver 4200/Bronze 3200; Intel Xeon W-3200
Cascade Lake	0x50657	0xbf	0x05003003	6/18/2020	Intel Xeon Platinum 9200/8200 Series; Intel Xeon Gold 6200/5200; Intel Xeon Silver 4200/Bronze 3200; Intel Xeon W-3200
Cooper Lake	0x5065b	0xbf	0x0700001f	9/17/2020	Intel Xeon Platinum 8300 Series; Intel Xeon Gold 6300/5300
Broadwell DE	0x50662	0x10	0x0000001c	6/17/2019	Intel Xeon D-1500 Series
Broadwell DE	0x50663	0x10	0x07000019	6/17/2019	Intel Xeon D-1500 Series
Broadwell DE	0x50664	0x10	0x0f000017	6/17/2019	Intel Xeon D-1500 Series
Broadwell NS	0x50665	0x10	0x0e00000f	6/17/2019	Intel Xeon D-1600 Series
Skylake H/S	0x506e3	0x36	0x000000e2	7/14/2020	Intel Xeon E3-1500-v5 Series; Intel Xeon E3-1200-v5 Series
Denverton	0x506f1	0x01	0x00000032	3/7/2020	Intel Atom C3000 Series
Snow Ridge	0x80665	0x01	0x0b000007	2/25/2020	Intel Atom P5000 Series
Kaby Lake H/S/X	0x906e9	0x2a	0x000000de	5/26/2020	Intel Xeon E3-1200-v6 Series; Intel Xeon E3-1500-v6 Series
Coffee Lake	0x906ea	0x22	0x000000de	5/25/2020	Intel Xeon E-2100 Series; Intel Xeon E-2200 Series (4 or 6 core)
Coffee Lake	0x906eb	0x02	0x000000de	5/25/2020	Intel Xeon E-2100 Series
Coffee Lake	0x906ec	0x22	0x000000de	6/3/2020	Intel Xeon E-2100 Series
Coffee Lake Refresh	0x906ed	0x22	0x000000de	5/24/2020	Intel Xeon E-2200 Series (8 core)

Known Issues from Earlier Releases

To view a list of previous known issues, click here.

The earlier known issues are grouped as follows.

CIM Issues
Installation, Upgrade, and Migration Issues
Security Features Issues
Networking Issues
Storage Issues
Backup and Restore Issues
vCenter Server Appliance, vCenter Server, vSphere Web Client, and vSphere Client Issues
Virtual Machine Management Issues
vSphere HA and Fault Tolerance Issues
Auto Deploy and Image Builder Issues
Miscellaneous Issues

CIM Issues

After an upgrade to ESXi670-202004002, you might see a critical warning in the vSphere Client for the fan health of HP Gen10 servers
After an upgrade to ESXi670-202004002, you might see a critical warning in the vSphere Client for the fan health of HP Gen10 servers due to a false positive validation.

Workaround: Follow the steps described in VMware knowledge base article 78989.

Installation, Upgrade, and Migration Issues

ESXi installation or upgrade fail due to memory corruption on HPE ProLiant - DL380/360 Gen 9 Servers
The issue occurs on HPE ProLiant - DL380/360 Gen 9 Servers that have a Smart Array P440ar storage controller.

Workaround: Set the server BIOS mode to UEFI before you install or upgrade ESXi.
After an ESXi upgrade to version 6.7 and a subsequent rollback to version 6.5 or earlier, you might experience failures with error messages
You might see failures and error messages when you perform one of the following on your ESXi host after reverting to 6.5 or earlier versions:
- Install patches and VIBs on the host
  Error message: [DependencyError] VIB VMware_locker_tools-light requires esx-version >= 6.6.0
- Install or upgrade VMware Tools on VMs
  Error message: Unable to install VMware Tools.
After the ESXi rollback from version 6.7, the new tools-light VIB does not revert to the earlier version. As a result, the VIB becomes incompatible with the rolled back ESXi host causing these issues.

Workaround: Perform the following to fix this problem.

SSH to the host and run one of these commands:

esxcli software vib install -v /path/to/tools-light.vib

or

esxcli software vib install -d /path/to/depot/zip -n tools-light

Where the vib and zip are of the currently running ESXi version.

Note: For VMs that already have new VMware Tools installed, you do not have to revert VMware Tools back when ESXi host is rolled back.
Special characters backslash (\) or double-quote (") used in passwords causes installation pre-check to fail
If the special characters backslash (\) or double quote (") are used in ESXi, vCenter Single Sign-On, or operating system password fields during the vCenter Server Appliance Installation templates, the installation pre-check fails with the following error:

Error message: com.vmware.vcsa.installer.template.cli_argument_validation: Invalid \escape: line ## column ## (char ###)

Workaround: If you include special characters backslash (\) or double quote (") in the passwords for ESXi, operating systems, or Single-Sign-On, the special characters need to be escaped. For example, the password pass\word should be escaped as pass\\word.
Windows vCenter Server 6.7 installer fails when non-ASCII characters are present in password
The Windows vCenter Server 6.7 installer fails when the Single Sign-on password contains non-ASCII characters for Chinese, Japanese, Korean, and Taiwanese locales.

Workaround: Ensure that the Single Sign-on password contains ASCII characters only for Chinese, Japanese, Korean, and Taiwanese locales.
Cannot log in to vSphere Appliance Management Interface if the colon character (:) is part of vCenter Server root password
During the vCenter Server Appliance UI installation (Set up appliance VM page of Stage 1), if you include the colon character (:) as part of the vCenter Server root password, logging into the vSphere Appliance Management Interface (https://vc_ip:5480) fails and you are unable to login. The password might be accepted by the password rule check during the setup, but login fails.

Workaround: Do not use the colon character (:) to set the vCenter Server root password in the vCenter Server Appliance UI (Set up appliance VM of Stage 1).
vCenter Server Appliance installation fails when the backslash character (\) is included in the vCenter Single Sign-On password
During the vCenter Server Appliance UI installation (SSO setup page of Stage 2), if you include the backslash character (\) as part of the vCenter Single Sign-On password, the installation fails with the error Analytics Service registration with Component Manager failed. The password might be accepted by the password rule check, but installation fails.

Workaround: Do not use the backslash character (\) to set the vCenter Single Sign-On password in the vCenter Server Appliance UI installer (SSO setup page of Stage 2)
Scripted ESXi installation fails on HP ProLiant Gen 9 Servers with an error
When you perform a scripted ESXi installation on an HP ProLiant Gen 9 Server under the following conditions:
- The Embedded User Partition option is enabled in the BIOS.
- You use multiple USB drives during installation: one USB drive contains the ks.cfg file, and the others USB drive is not formatted and usable.
The installation fails with the error message Partitions not initialized.

Workaround:
1. Disable the Embedded User Partition option in the server BIOS.
2. Format the unformatted USB drive with a file system or unplug it from the server.
Windows vCenter Server 6.0.x or 6.5.x upgrade to vCenter Server 6.7 fails if vCenter Server contains non-ASCII or high-ASCII named 5.5 host profiles
When a source Windows vCenter Server 6.0.x or 6.5.x contains vCenter Server 5.5.x host profiles named with non-ASCII or high-ASCII characters, UpgradeRunner fails to start during the upgrade pre-check process.

Workaround: Before upgrading Windows vCenter Server 6.0.x or 6.5.x to vCenter Server 6.7, upgrade the ESXi 5.5.x with the non-ASCII or high-ASCII named host profiles to ESXi 6.0.x or 6.5.x, then update the host profile from the upgraded host by clicking Copy setting from the hosts.
You cannot run the camregister command with the -x option if the vCenter Single Sign-On password contains non-ASCII characters
When you run the camregister command with the -x file option, for example, to register the vSphere Authentication Proxy, the process fails with an access denied error when the vCenter Single Sign-On password contains non-ASCII characters.

Workaround: Either set up the vCenter Single Sign-On password with ASCII characters, or use the –p password option when you run the camregister command to enter the vCenter Single Sign-On password that contains non-ASCII characters.
The Bash shell and SSH login are disabled after upgrading to vCenter Server 6.7
After upgrading to vCenter Server 6.7, you are not able to access the vCenter Server Appliance using either the Bash shell or SSH login.

Workaround:
1. After successfully upgrading to vCenter Server 6.7, log in to the vCenter Server Appliance Management Interface. In a Web browser, go to: https://appliance_ip_address_or_fqdn:5480
2. Log in as root.
  The default root password is the password you set while deploying the vCenter Server Appliance.
3. Click Access, and click Edit.
4. Edit the access settings for the Bash shell and SSH login.
  When enabling Bash shell access to the vCenter Server Appliance, enter the number of minutes to keep access enabled.
5. Click OK to save the settings.
Management node migration is blocked if vCenter Server for Windows 6.0 is installed on Windows Server 2008 R2 without previously enabling Transport Layer Security 1.2
This issue occurs if you are migrating vCenter Server for Windows 6.0 using an external Platform Services Controller (an MxN topology) on Windows Server 2008 R2. After migrating the external Platform Services Controller (PSC), when you run Migration Assistant on the Management node it fails, reporting that it cannot retrieve the PSC version. This error occurs because Windows Server 2008 R2 does not support Transport Layer Security (TLS) 1.2 by default, which is the default TLS protocol for Platform Services Controller 6.7.

Workaround: Enable TLS 1.2 for Windows Server 2008 R2.1.
1. Navigate to the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
2. Create a new folder and label it TLS 1.2.
3. Create two new keys with the TLS 1.2 folder, and name the keys Client and Server.
4. Under the Client key, create two DWORD (32-bit) values, and name them DisabledByDefault and Enabled.
5. Under the Server key, create two DWORD (32-bit) values, and name them DisabledByDefault and Enabled.
6. Ensure that the Value field is set to 0 and that the Base is Hexadecimal for DisabledByDefault.
7. Ensure that the Value field is set to 1 and that the Base is Hexadecimal for Enabled.
8. Reboot the Windows Server 2008 R2 computer.
For more information on using TLS 1.2 with Windows Server 2008 R2, refer to the operating system vendor's documentation.
vCenter Server containing host profiles with version less than 6.0 fails during upgrade to version 6.7
vCenter Server 6.7 does not support host profiles with version less than 6.0. To upgrade to vCenter Server 6.7, you must first upgrade the host profiles to version 6.0 or later, if you have any of the following components:
- ESXi host(s) version - 5.1 or 5.5
- vCenter server version - 6.0 or 6.5
- Host profiles version - 5.1 or 5.5
Workaround: See KB 52932
After upgrading to vCenter Server 6.7, any edits to the ESXi host's /etc/ssh/sshd_config file are discarded, and the file is restored to the vCenter Server 6.7 default configuration
Due to changes in the default values in the /etc/ssh/sshd_config file, the vCenter Server 6.7 upgrade replaces any manual edits to this configuration file with the default configuration. This change was necessary as some prior settings (for example, permitted ciphers) are no longer compatible with current ESXi behavior, and prevented SSHD (SSH daemon) from starting correctly.

CAUTION: Editing /etc/ssh/sshd_config is not recommended. SSHD is disabled by default, and the preferred method for editing the system configuration is through the VIM API (including the ESXi Host Client interface) or ESXCLI.

Workaround: If edits to /etc/ssh/sshd_config are needed, you can apply them after successfully completing the vCenter Server 6.7 upgrade. The default configuration file now contains a version number. Preserve the version number to avoid overwriting the file.

For further information on editing the /etc/ssh/sshd_config file, see the following Knowledge Base articles:
- For information on enabling public/private key authentication, see Knowledge Base article KB 1002866
- For information on changing the default SSHD configuration, see Knowledge Base article KB 1020530

Security Features Issues

Virtualization Based Security (VBS) on vSphere in Windows Guest OSs RS1, RS2 and RS3 require HyperV to be enabled in the Guest OS.
Virtualization Based Security (VBS) on vSphere in Windows Guest OSs RS1, RS2 and RS3 require HyperV to be enabled in the Guest OS.

Workaround: Enable Hyper-V Platform on Windows Server 2016. In the Server Manager, under Local Server select Manage -> Add Roles and Features Wizard and under Role-based or feature-based installation select Hyper-V from the server pool and specify the server roles. Choose defaults for Server Roles, Features, Hyper-V, Virtual Switches, Migration and Default Stores. Reboot the host.

Enable Hyper-V on Windows 10: Browse to Control Panel -> Programs -> Turn Windows features on or off. Check the Hyper-V Platform which includes the Hyper-V Hypervisor and Hyper-V Services. Uncheck Hyper-V Management Tools. Click OK. Reboot the host.

Networking Issues

Hostprofile PeerDNS flags do not work in some scenarios
If PeerDNS for IPv4 is enabled for a vmknic on a stateless host that has an associated host profile, the iPv6PeerDNS might appear with a different state in the extracted host profile after the host reboots.

Workaround: None.
Some Intel network adapters might not be able to receive LLDP packets
Intel network adapters of the series X710, XL710, XXV710, and X722 might not be able to receive LLDP packets. This is due to an on-chip agent running on firmware to consume LLDP frames received from LAN ports. The consumption prevents software depending on LLDP frames, such as virtual distributed switches, to get LLDP packets.

Workaround: To enable Intel network adapters to receive LLDP packets, you must:
1. Use a firmware version >= 6.0
2. Use a driver version >= 1.7.x
3. Configure the LLDP module parameter of i40en to 0.
  For example, to disable LLDP agent on all 4 NICs, run the command:
# esxcli system module parameters set -p "LLDP=0,0,0,0" i40en
The number of 0 parameters should be equal to the number of i40en uplinks on the ESXi host.
When you upgrade vSphere Distributed Switches to version 6.6, you might encounter a few known issues
During upgrade, the connected virtual machines might experience packet loss for a few seconds.

Workaround: If you have multiple vSphere Distributed Switches that need to be upgraded to version 6.6, upgrade the switches sequentially.

Schedule the upgrade of vSphere Distributed Switches during a maintenance window, set DRS mode to manual, and do not apply DRS recommendations for the duration of the upgrade.

For more details about known issues and solutions, see KB 52621
If you use Single Root I/O Virtualization (SR-IOV) and modify a physical function (PF) for the ixgben driver, some virtual machines might lose connectivity
If you use SR-IOV and reset a PF, or first down a PF and then up the PF, virtual machines that use an SR-IOV virtual function for networking might lose connectivity.

Workaround: Reboot the ESXi server and then power on the virtual machines. However, if you use DHCP, the virtual machines IPs might change.
VM fails to power on when Network I/O Control is enabled and all active uplinks are down
A VM fails to power on when Network I/O Control is enabled and the following conditions are met:
- The VM is connected to a distributed port group on a vSphere distributed switch
- The VM is configured with bandwidth allocation reservation and the VM's network adapter (vNIC) has a reservation configured
- The distributed port group teaming policy is set to Failover
- All active uplinks on the distributed switch are down. In this case, vSphere DRS cannot use the standby uplinks and the VM fails to power on.
Workaround: Move the available standby adapters to the active adapters list in the teaming policy of the distributed port group.
If you set identical MAC address and uplink port address on devices using the i40en driver, vmknics might receive duplicate packages
If you manually set the MAC address of a vmknic the same as the uplink port address on devices using the i40en driver, the vmknic might receive duplicate packages in heavy traffic.

Workaround: Do not set the MAC address of a vmknic the same as the uplink port address. For vmk0 management network, where vmnics use the same MAC address and uplink port address by default, do not use the vmnics for heavy workloads.
Network flapping on a NIC that uses qfle3f driver might cause ESXi host to crash
The qfle3f driver might cause the ESXi host to crash (PSOD) when the physical NIC that uses the qfle3f driver experiences frequent link status flapping every 1-2 seconds.

Workaround: Make sure that network flapping does not occur. If the link status flapping interval is more than 10 seconds, the qfle3f driver does not cause ESXi to crash. For more information, see KB 2008093.
Port Mirror traffic packets of ERSPAN Type III fail to be recognized by packet analyzers
A wrong bit that is incorrectly introduced in ERSPAN Type III packet header causes all ERSPAN Type III packets to appear corrupt in packet analyzers.

Workaround: Use GRE or ERSPAN Type II packets, if your traffic analyzer supports these types.
DNS configuration esxcli commands are not supported on non-default TCP/IP stacks
DNS configuration of non-default TCP/IP stacks is not supported. Commands such as esxcli network ip dns server add -N vmotion -s 10.11.12.13 do not work.

Workaround: Do not use DNS configuration esxcli commands on non-default TCP/IP stacks.
Compliance check fails with an error when applying a host profile with enabled default IPv4 gateway for vmknic interface
When applying a host profile with enabled default IPv4 gateway for vmknic interface, the setting is populated with "0.0.0.0" and does not match the host info, resulting with the following error:

IPv4 vmknic gateway configuration doesn't match the specification

Workaround:
1. Edit the host profile settings.
2. Navigate to Networking configuration > Host virtual nic or Host portgroup > (name of the vSphere Distributed Switch or name of portgroup) > IP address settings.
3. From the Default gateway Vmkernal Network Adapter (IPv4) drop-down menu, select Choose a default IPv4 gateway for the vmknic and enter the Vmknic Default IPv4 gateway.
Intel Fortville series NICs cannot receive Geneve encapsulation packets with option length bigger than 255 bytes
If you configure Geneve encapsulation with option length bigger than 255 bytes, the packets are not received correctly on Intel Fortville NICs X710, XL710, and XXV710.

Workaround: Disable hardware VLAN stripping on these NICs by running the following command:

esxcli network nic software set --untagging=1 -n vmnicX.
RSPAN_SRC mirror session fails after migration
When a VM connected to a port assigned for RSPAN_SRC mirror session is migrated to another host, and there is no required pNic on the destination network of the destination host, then the RSPAN_SRC mirror session fails to configure on the port. This causes the port connection to fail failure but the vMotion migration process succeeds.

Workaround: To restore port connection failure, complete either one of the following:
- Remove the failed port and add a new port.
- Disable the port and enable it.
The mirror session fails to configure, but the port connection is restored.

Storage Issues

NFS datastores intermittently become read-only
A host's NFS datastores may become read-only when the NFS vmknic temporarily loses its IP address or after a stateless hosts reboot.

Workaround: You can unmount and remount the datastores to regain connectivity through the NFS vmknic. You can also set the NFS datastore write permission to both the IP address of the NFS vmknic and the IP address of the Management vmknic.
When editing a VM's storage policies, selecting Host-local PMem Storage Policy fails with an error
In the Edit VM Storage Policies dialog, if you select Host-local PMem Storage Policy from the dropdown menu and click OK, the task fails with one of these errors:

The operation is not supported on the object.

or

Incompatible device backing specified for device '0'"Detailed

Workaround: You cannot apply the Host-local PMem Storage Policy to VM home. For a virtual disk, you can use the migration wizard to migrate the virtual disk and apply the Host-local PMem Storage Policy.
Datastores might appear as inaccessible after ESXi hosts in a cluster recover from a permanent device loss state
This issue might occur in the environment where the hosts in the cluster share a large number of datastore, for example, 512 to 1000 datastores.
After the hosts in the cluster recover from the permanent device loss condition, the datastores are mounted successfully at the host level. However, in vCenter Server, several datastores might continue to appear as inaccessible for a number of hosts.

Workaround: On the hosts that show inaccessible datastores in the vCenter Server view, perform the Rescan Storage operation from vCenter Server.
Migration of a virtual machine from a VMFS3 datastore to VMFS5 fails in a mixed ESXi 6.5 and 6.7 host environment
If you have a mixed host environment, you cannot migrate a virtual machine from a VMFS3 datastore connected to an ESXi 6.5 host to a VMFS5 datastore on an ESXi 6.7 host.

Workaround: Upgrade the VMFS3 datastore to VMFS5 to be able to migrate the VM to the ESXi 6.7 host.
Warning message about a VMFS3 datastore remains unchanged after you upgrade the VMFS3 datastore using the CLI
Typically, you use the CLI to upgrade the VMFS3 datastore that failed to upgrade during an ESXi upgrade. The VMFS3 datastore might fail to upgrade due to several reasons including the following:
- No space is available on the VMFS3 datastore.
- One of the extents on the spanned datastore is offline.
After you fix the reason of the failure and upgrade the VMFS3 datastore to VMFS5 using the CLI, the host continues to detect the VMFS3 datastore and reports the following error:

Deprecated VMFS (ver 3) volumes found. Upgrading such volumes to VMFS (ver5) is mandatory for continued availability on vSphere 6.7 host.

Workaround: To remove the error message, restart hostd using the /etc/init.d/hostd restart command or reboot the host.
The Mellanox ConnectX-4/ConnectX-5 native ESXi driver might exhibit performance degradation when its Default Queue Receive Side Scaling (DRSS) feature is turned on
Receive Side Scaling (RSS) technology distributes incoming network traffic across several hardware-based receive queues, allowing inbound traffic to be processed by multiple CPUs. In Default Queue Receive Side Scaling (DRSS) mode, the entire device is in RSS mode. The driver presents a single logical queue to OS and is backed by several hardware queues.

The native nmlx5_core driver for the Mellanox ConnectX-4 and ConnectX-5 adapter cards enables the DRSS functionality by default. While DRSS helps to improve performance for many workloads, it could lead to possible performance degradation with certain multi-VM and multi-vCPU workloads.

Workaround: If significant performance degradation is observed, you can disable the DRSS functionality.
1. Run the esxcli system module parameters set -m nmlx5_core -p DRSS=0 RSS=0 command.
2. Reboot the host.
Datastore name does not extract to the Coredump File setting in the host profile
When you extract a host profile, the Datastore name field is empty in the Coredump File setting of the host profile. Issue appears when using esxcli command to set coredump.

Workaround:
1. Extract a host profile from an ESXi host.
2. Edit the host profile settings and navigate to General System Settings > Core Dump Configuration > Coredump File.
3. Select Create the Coredump file with an explicit datastore and size option and enter the Datastore name, where you want the Coredump File to reside.
Native software FCoE adapters configured on an ESXi host might disappear when the host is rebooted
After you successfully enable the native software FCoE adapter (vmhba) supported by the vmkfcoe driver and then reboot the host, the adapter might disappear from the list of adapters. This might occur when you use Cavium QLogic 57810 or QLogic 57840 CNAs supported by the qfle3 driver.

Workaround: To recover the vmkfcoe adapter, perform these steps:
1. Run the esxcli storage core adapter list command to make sure that the adapter is missing from the list.
2. Verify the vSwitch configuration on vmnic associated with the missing FCoE adapter.
3. Run the following command to discover the FCoE vmhba:
  - On a fabric setup:
    #esxcli fcoe nic discover -n vmnic_number
  - On a VN2VN setup:
    #esxcli fcoe nic discover -n vmnic_number
Attempts to create a VMFS datastore on an ESXi 6.7 host might fail in certain software FCoE environments
Your attempts to create the VMFS datastore fail if you use the following configuration:
- Native software FCoE adapters configured on an ESXi 6.7 host.
- Cavium QLogic 57810 or 57840 CNAs.
- Cisco FCoE switch connected directly to an FCoE port on a storage array from the Dell EMC VNX5300 or VNX5700 series.
Workaround: None.

As an alternative, you can switch to the following end-to-end configuration:
ESXi host > Cisco FCoE switch > FC switch > storage array from the DELL EMC VNX5300 and VNX5700 series.

Backup and Restore Issues

Windows Explorer displays some backups with unicode differently from how browsers and file system paths show them
Some backups containing unicode display differently in the Windows Explorer file system folder than they do in browsers and file system paths.

Workaround: Using http, https, or ftp, you can browse backups with your web browser instead of going to the storage folder locations through Windows Explorer.

vCenter Server Appliance, vCenter Server, vSphere Web Client, and vSphere Client Issues

The time synchronization mode setting is not retained when upgrading vCenter Server Appliance
If NTP time synchronization is disabled on a source vCenter Server Appliance, and you perform an upgrade to vCenter Server Appliance 6.7, after the upgrade has successfully completed NTP time synchronization will be enabled on the newly upgraded appliance.

Workaround:
1. After successfully upgrading to vCenter Server Appliance 6.7, log into the vCenter Server Appliance Management Interface as root.
  The default root password is the password you set while deploying the vCenter Server Appliance.
```
 https://IP_or_FQDN_of_appliance:5480
```
2. In the vCenter Server Appliance Management Interface, click Time.
3. In the Time Synchronization pane, click Edit.
4. From the Mode drop-down menu, select Disabled.
  The newly upgraded vCenter Server Appliance 6.7 will no longer use NTP time synchronization, and will instead use the system time zone settings.
Login to vSphere Web Client with Windows session authentication fails on Firefox browsers of version 54 or later
If you use Firefox of version 54 or later to log in to the vSphere Web Client, and you use your Windows session for authentication, the VMware Enhanced Authentication Plugin might fail to populate your user name and to log you in.

Workaround: If you are using Windows session authentication to log in to the vSphere Web Client, use one of the following browsers: Internet Explorer, Chrome, or Firefox of version 53 and earlier.
vCenter hardware health alarm notifications are not triggered in some instances
When multiple sensors in the same category on an ESXi host are tripped within a time span of less than five minutes, traps are not received and email notifications are not sent.

Workaround: None. You can check the hardware sensors section for any alerts.
When using the VCSA Installer Time Sync option, you must connect the target ESX to the NTP server in the Time & Date Setting from the ESX Management
If you want to select Time Sync with NTP server from the VCSA Installer->Stage2->Appliance configuration->Time Sync option (ESX/NTP server), you also need to have the target ESX already connected to NTP server in the Time&Date Setting from the ESX Management, otherwise it'll fail in installation.

Workaround:
1. Set the Time Sync option in stage2->Appliance configuration to sync with ESX
2. Set the Time Sync option in stage2->Appliance configuration to sync with NTP Servers, make sure both the ESX and VC are set to connect to NTP servers.
When you monitor Windows vCenter Server health, an error message appears
Health service is not available for Windows vCenter Server. If you select the vCenter Server, and click Monitor > Health, an error message appears:

Unable to query vSAN health information. Check vSphere Client logs for details.

This problem can occur after you upgrade the Windows vCenter Server from release 6.0 Update 1 or 6.0 Update 2 to release 6.7. You can ignore this message.
Workaround: None. Users can access vSAN health information through the vCenter Server Appliance.
vCenter hardware health alarms do not function with earlier ESXi versions
If ESXi version 6.5 Update 1 or earlier is added to vCenter 6.7, hardware health related alarms will not be generated when hardware events occur such as high CPU temperatures, FAN failures, and voltage fluctuations.

Workaround: None.
vCenter Server stops working in some cases when using vmodl to edit or expand a disk
When you configure a VM disk in a Storage DRS-enabled cluster using the latest vmodl, vCenter Server stops working. A previous workaround using an earlier vmodl no longer works and will also cause vCenter Server to stop working.

Workaround: None
vCenter Server for Windows migration to vCenter Server Appliance fails with error
When you migrate vCenter Server for Windows 6.0.x or 6.5.x to vCenter Server Appliance 6.7, the migration might fail during the data export stage with the error: The compressed zip folder is invalid or corrupted.

Workaround: You must zip the data export folder manually and follow these steps:
1. In the source system, create an environment variable MA_INTERACTIVE_MODE.
2. Go to Computer > Properties > Advanced system settings > Environment Variables > System Variables > New.
3. Enter "MA_INTERACTIVE_MODE" as variable name with value 0 or 1.
4. Start the VMware Migration Assistant and provide your password.
5. Start the Migration from the client machine. The migration will pause, and the Migration Assistant console will display the message To continue the migration, create the export.zip file manually from the export data (include export folder).
6. NOTE: Do not press any keys or tabs on the Migration Assistant console.
7. Go to the %appdata%\vmware\migration-assistant folder.
8. Delete the export.zip created by the Migration Assistant.
9. To continue the migration, manually create the export.zip file from the export folder.
10. Return to the Migration Assistant console. Type Y and press Enter.
Discrepancy between the build number in VAMI and the build number in the vSphere Client
In vSphere 6.7, the VAMI summary tab displays the ISO build for the vCenter Server and vCenter Server Appliance products. The vSphere Client summary tab displays the build for the vCenter product, which is a component within the vCenter Server product.

Workaround: None
vCenter Server Appliance 6.7 displays an error message in the Available Update section of the vCenter Server Appliance Management Interface (VAMI)
The Available Update section of the vCenter Server Appliance Management Interface (VAMI) displays the following error message:

Check the URL and try again.

This message is generated when the vCenter Server Appliance searches for and fails to find a patch or update. No functionality is impacted by this issue. This issue will be resolved with the release of the first patch for vSphere 6.7.

Workaround: None. No functionality is impacted by this issue.

Virtual Machine Management Issues

Name of the virtual machine in the inventory changes to its path name
This issue might occur when a datastore where the VM resides enters the All Paths Down state and becomes inaccessible. When hostd is loading or reloading VM state, it is unable to read the VM's name and returns the VM path instead. For example, /vmfs/volumes/123456xxxxxxcc/cs-00.111.222.333.

Workaround: After you resolve the storage issue, the virtual machine reloads, and its name is displayed again.
You must select the "Secure boot" Platform Security Level when enabling VBS in a Guest OS on AMD systems
On AMD systems, vSphere virtual machines do not provide a vIOMMU. Since vIOMMU is required for DMA protection, AMD users cannot select "Secure Boot and DMA protection" in the Windows Group Policy Editor when they "Turn on Virtualization Based Security". Instead select "Secure boot." If you select the wrong option it will cause VBS services to be silently disabled by Windows.

Workaround: Select "Secure boot" Platform Security Level in a Guest OS on AMD systems.
You cannot hot add memory and CPU for Windows VMs when Virtualization Based Security (VBS) is enabled within Windows
Virtualization Based Security (VBS) is a new feature introduced in Windows 10 and Windows Server 2016. vSphere supports running Windows with VBS enabled starting in the vSphere 6.7 release. However, Hot add of memory and CPU will not operate for Windows VMs when Virtualization Based Security (VBS) is enabled.

Workaround: Power-off the VM, change memory or CPU settings and power-on the VM.
Snapshot tree of a linked-clone VM might be incomplete after a vSAN network recovery from a failure
A vSAN network failure might impact accessibility of vSAN objects and VMs. After a network recovery, the vSAN objects regain accessibility. The hostd service reloads the VM state from storage to recover VMs. However, for a linked-clone VM, hostd might not detect that the parent VM namespace has recovered its accessibility. This results in the VM remaining in inaccessible state and VM snapshot information not being displayed in vCenter Server.

Workaround: Unregister the VM, then re-register it to force the hostd to reload the VM state. Snapshot information will be loaded from storage.
An OVF Virtual Appliance fails to start in the vSphere Client
The vSphere Client does not support selecting vService extensions in the Deploy OVF Template wizard. As a result, if an OVF virtual appliance uses vService extensions and you use the vSphere Client to deploy the OVF file, the deployment succeeds, but the virtual appliance fails to start.

Workaround: Use the vSphere Web Client to deploy OVF virtual appliances that use vService extensions.

vSphere HA and Fault Tolerance Issues

When you configure Proactive HA in Manual/MixedMode in vSphere 6.7 RC build you are prompted twice to apply DRS recommendations
When you configure Proactive HA in Manual/MixedMode in vSphere 6.7 RC build and a red health update is sent from the Proactive HA provider plug-in, you are prompted twice to apply the recommendations under Cluster -> Monitor -> vSphere DRS -> Recommendations. The first prompt is to enter the host into maintenance mode. The second prompt is to migrate all VMs on a host entering maintenance mode. In vSphere 6.5, these two steps are presented as a single recommendation for entering maintenance mode, which lists all VMs to be migrated.

Workaround: There is no impact to work flow or results. You must apply the recommendations twice. If you are using automated scripts, you must modify the scripts to include the additional step.
Lazy import upgrade interaction when VCHA is not configured
The VCHA feature is available as part of 6.5 release. As of 6.5, a VCHA cluster cannot be upgraded while preserving the VCHA configuration. The recommended approach for upgrade is to first remove the VCHA configuration either through vSphere Client or by calling a destroy VCHA API. So for lazy import upgrade workflow without VCHA configuration, there is no interaction with VCHA.

Do not configure a fresh VCHA setup while lazy import is in progress. The VCHA setup requires cloning the Active VM as Passive/Witness VM. As a result of an ongoing lazy import, the amount of data that needs to be cloned is large and may lead to performance issues.

Workaround: None.

Auto Deploy and Image Builder Issues

Reboot of an ESXi stateless host resets the numRxQueue value of the host
When an ESXi host provisioned with vSphere Auto Deploy reboots, it loses the previously set numRxQueue value. The Host Profiles feature does not support saving the numRxQueue value after the host reboots.

Workaround: After the ESXi stateless host reboots:
1. Remove the vmknic from the host.
2. Create a vmknic on the host with the expected numRxQueue value.
After caching on a drive, if the server is in the UEFI mode, a boot from cache does not succeed unless you explicitly select the device to boot from the UEFI boot manager
In case of Stateless Caching, after the ESXi image is cached on a 512n, 512e, USB, or 4Kn target disk, the ESXi stateless boot from autodeploy might fail on a system reboot. This occurs if autodeploy service is down.

The system attempts to search for the cached ESXi image on the disk, next in the boot order. If the ESXi cached image is found, the host is booted from it. In legacy BIOS, this feature works without problems. However, in the UEFI mode of the BIOS, the next device with the cached image might not be found. As a result, the host cannot boot from the image even if the image is present on the disk.

Workaround: If autodeploy service is down, on the system reboot, manually select the disk with the cached image from the UEFI Boot Manager.
ESXi 6.7 host profiles might not support PEERDNS from vmknics that are attached to a VMware NSX-T based opaque network
In certain cases, host profiles on ESXi 6.7 might not support PEERDNS from vmknics that are attached to an NSX-T based opaque network. The issue is specific to a scenario when you navigate to Host > Configure > TCP/IP configuration > Default > DNS configuration > Obtain settings automatically from a VMkernel network adapter. If you select a vmknic that is connected to a NSX-T based opaque network, host profiles extracted from this host do not work. Such host profiles lack the Portgroup backing the vmkernel network adapter to be used for DNS policy in the DNS subprofile. Editing the host profile gives a validation error.

Workaround: None. Do not select PEERDNS from a vmknic that is connected to an NSX-T based opaque network.
A stateless ESXi host boot time might take 20 minutes or more
The booting of a stateless ESXi host with 1,000 configured datastores might require 20 minutes or more.

Workaround: None.

Miscellaneous Issues

ESXi might fail during reboot with VMs running on the iSCSI LUNs claimed by the qfle3i driver
ESXi might fail during reboot with VMs running on the iSCSI LUNs claimed by the qfle3i driver if you attempt to reboot the server with VMs in the running I/O state.

Workaround: First power off VMs and then reboot the ESXi host.
VXLAN stateless hardware offloads are not supported with Guest OS TCP traffic over IPv6 on UCS VIC 13xx adapters
You may experience issues with VXLAN encapsulated TCP traffic over IPv6 on Cisco UCS VIC 13xx adapters configured to use the VXLAN stateless hardware offload feature. For VXLAN deployments involving Guest OS TCP traffic over IPV6, TCP packets subject to TSO are not processed correctly by the Cisco UCS VIC 13xx adapters, which causes traffic disruption. The stateless offloads are not performed correctly. From a TCP protocol standpoint this may cause incorrect packet checksums being reported to the ESXi software stack, which may lead to incorrect TCP protocol processing in the Guest OS.

Workaround: To resolve this issue, disable the VXLAN stateless offload feature on the Cisco UCS VIC 13xx adapters for VXLAN encapsulated TCP traffic over IPV6. To disable the VXLAN stateless offload feature in UCS Manager, disable the Virtual Extensible LAN field in the Ethernet Adapter Policy. To disable the VXLAN stateless offload feature in the CIMC of a Cisco C-Series UCS server, uncheck Enable VXLAN field in the Ethernet Interfaces vNIC properties section.
Significant time might be required to list a large number of unresolved VMFS volumes using the batch QueryUnresolvedVmfsVolume API
ESXi provides the batch QueryUnresolvedVmfsVolume API, so that you can query and list unresolved VMFS volumes or LUN snapshots. You can then use other batch APIs to perform operations, such as resignaturing specific unresolved VMFS volumes. By default, when the API QueryUnresolvedVmfsVolume is invoked on a host, the system performs an additional filesystem liveness check for all unresolved volumes that are found. The liveness check detects whether the specified LUN is mounted on other hosts, whether an active VMFS heartbeat is in progress, or if there is any filesystem activity. This operation is time consuming and requires at least 16 seconds per LUN. As a result, when your environment has a large number of snapshot LUNs, the query and listing operation might take significant time.

Workaround: To decrease the time of the query operation, you can disable the filesystem liveness check.
1. Log in to your host as root.
2. Open the configuration file for hostd using a text editor. The configuration file is located in /etc/vmware/hostd/config.xml under plugins/hostsvc/storage node.
3. Add the checkLiveFSUnresolvedVolume parameter and set its value to FALSE. Use the following syntax:
  <checkLiveFSUnresolvedVolume>FALSE</checkLiveFSUnresolvedVolume>
As an alternative, you can set the ESXi Advanced option VMFS.UnresolvedVolumeLiveCheck to FALSE in the vSphere Client.
Compliance check fails with an error for the UserVars.ESXiVPsDisabledProtocols option when an ESXi host upgraded to version 6.7 is attached to a host profile with version 6.0
Issue occurs when you perform the following actions:
1. Extract a host profile from an ESXi host with version 6.0.
2. Upgrade the ESXi host to version 6.7.
3. The host appears as non-compliant for UserVars.ESXiVPsDisabledProtocols option even after remediation.
Workaround:
- Extract a new host profile from the upgraded ESXi host and attach the host to the profile.
- Upgrade the host profile by using the Copy Settings from Host from the upgraded ESXi host.
Мanually triggering a non-maskable interrupt (NMI) might not work оn a vCenter Server system with an AMD EPYC 7002 series processor
Requesting an NMI from the hardware management console (BMC) or by pressing a physical NMI button should cause ESXi hosts to fail with a purple diagnostic screen and dump core. Instead, nothing happens and ESXi continues running.

Workaround: Disable the use of the interrupt remapper by setting the kernel boot option iovDisableIR to TRUE:
1. Set iovDisableIR=TRUE by using this command: # esxcli system settings kernel set -s iovDisableIR -v TRUE
2. Reboot the ESXi host.
3. After the reboot, verify that iovDisableIR is set to TRUE: # esxcli system settings kernel list |grep iovDisableIR.
Do not apply this workaround unless you need it to solve this specific problem.
A virtual machine that has a PCI passthrough device assigned to it might fail to power on in a vCenter Server system with an AMD EPYC 7002 series processor
In specific vCenter Server system configurations and devices, such as AMD EPYC 7002 series processors, a virtual machine that has a PCI passthrough device assigned to it might fail to power on. In the vmkernel log, you can see a similar message:
4512 2019-08-06T06:09:55.058Z cpu24:1001397137)AMDIOMMU: 611: IOMMU 0000:20:00.2: Failed to allocate IRTE for IOAPIC ID 243 vector 0x3f 4513 2019-08-06T06:09:55.058Z cpu24:1001397137)WARNING: IOAPIC: 1238: IOAPIC Id 243: Failed to allocate IRTE for vector 0x3f

Workaround: Disable the use of the interrupt remapper by setting the kernel boot option iovDisableIR to TRUE:
1. Set iovDisableIR=TRUE by using this command: # esxcli system settings kernel set -s iovDisableIR -v TRUE
2. Reboot the ESXi host.
3. After the reboot, verify that iovDisableIR is set to TRUE: # esxcli system settings kernel list |grep iovDisableIR.
Do not apply this workaround unless you need it to solve this specific problem.
Quiescing operations of virtual machines on volumes backed by LUNs supporting unmap granularity value greater than 1 MB might take longer than usual
VMFS datastores backed by LUNs that have optimal unmap granularity greater than 1 MB might get into repeated on-disk locking during the automatic unmap processing. This can result in longer running quiescing operations for virtual machines on such datastores.

Workaround: Disable automatic unmapping on volumes backed by LUNs that have optimal unmap granularity greater than 1 MB.
Due to unavailable P2M slots during migration by using vSphere vMotion, virtual machines might fail or power off
Memory resourcing for virtual machines that require more memory, such as 3D devices, might cause an overflow of the P2M buffer during migration by using vSphere vMotion. As a result, shared memory pages might break. The virtual machines might fail or power off. You might see an error message similar to P2M reservation failed after max retries.

Workaround: To manually configure the P2M buffer, follow the steps from VMware knowledge base article 76387.
If you restore a storage device configuration backed up by using backup.sh after more than 7 days, some settings might be lost
If you restore backup after more than 7 days, storage device settings, such as Is perennially reserved, might be lost. This happens because the last seen timestamps of devices also get backed up and if the device has not been active for more than 7 days, device entries from /etc/vmware/esx.conf are deleted. As a result, the restore operation might restore older timestamps.

Workaround: None.
Upgrades to ESXi670-202004002 might fail due to the replacement of an expired digital signing certificate and key
Upgrades to ESXi670-202004002 from some earlier versions of ESXi might fail due to the replacement of an expired digital signing certificate and key. If you use ESXCLI, you see a message Could not find a trusted signer. If you use vSphere Update Manager, you see a message similar to cannot execute upgrade script on host.

Workaround: For more details on the issue and workaround, see VMware knowledge base article 76555.
Attempts to enable vSphere HA on a UEFI Secure Boot enabled cluster might fail with a timeout error
Configuring vSphere HA on a UEFI Secure Boot enabled cluster might fail with Operation Timed Out error due to a change in the ESXi VIB certificates.

Workaround: The Fault Domain Manager VIB is signed with a new ESXi VIB certificate and you must upgrade ESXi hosts to a later versions. For more information on the impacted ESXi versions, see VMware knowledge base article 76555.
After upgrade to ESXi 6.7, networking workloads on Intel 10GbE NICs cause higher CPU utilization
If you run certain types of networking workloads on an upgraded ESXi 6.7 host, you might see a higher CPU utilization under the following conditions:
- The NICs on the ESXi host are from the Intel 82599EB or X540 families
- The workload involves multiple VMs that run simultaneously and each VM is configured with multiple vCPUs
- Before the upgrade to ESXi 6.7, the VMKLinux ixgbe driver was used
Workaround: Revert to the legacy VMKLinux ixgbe driver:
1. Connect to the ESXi host and run the following command:
  # esxcli system module set -e false -m ixgben
2. Reboot the host.
Note: The legacy VMKLinux ixgbe inbox driver version 3.7.x does not support Intel X550 NICs. Use the VMKLinux ixgbe async driver version 4.x with Intel X550 NICs.
Unable to unstage patches when using an external Platform Services Controller
If you are patching an external Platform Services Controller (an MxN topology) using the VMWare Appliance Management Interface with patches staged to an update repository, and then attempt to unstage the patches, the following error message is reported: Error in method invocation [Errno 2] No such file or directory: '/storage/core/software-update/stage'

Workaround:
1. Access the appliance shell and log in as a user who has a super administrator role.
2. Run the command software-packages unstage to unstage the staged patches. All directories and files generated by the staging process are removed.
3. Refresh the VMware Appliance Management Interface, which will now report the patches as being removed.
Initial install of DELL CIM VIB might fail to respond
After you install a third-party CIM VIB it might fail to respond.

Workaround: To fix this issue, enter the following two commands to restart sfcbd:
1. esxcli system wbem set --enable false
2. esxcli system wbem set --enable true

To collapse the list of previous known issues, click here.