ESXi 6.7 Update 2 | APR 11 2019 | ISO Build 13006603

What's in the Release Notes

The release notes cover the following topics:

What's New
Earlier Releases of ESXi 6.7
Product Support Notices
Upgrade Notes for This Release
Patches Contained in this Release
Resolved Issues
Known Issues

What's New

Solarflare native driver: ESXi 6.7 Update 2 adds Solarflare native driver (sfvmk) support for Solarflare 10G and 40G network adaptor devices, such as SFN8542 and SFN8522.
Virtual Hardware Version 15: ESXi 6.7 Update 2 introduces Virtual Hardware Version 15 which adds support for creating virtual machines with up to 256 virtual CPUs. For more information, see VMware knowledge base articles 1003746 and 2007240.
Standalone ESXCLI command package: ESXi 6.7 Update 2 provides a new Standalone ESXCLI package for Linux, separate from the vSphere Command Line Interface (vSphere CLI) installation package. The ESXCLI, which is a part of the vSphere CLI, is not updated for ESXi 6.7 Update 2. Although the vSphere CLI installation package is deprecated for this release and is still available for download, you must not install it together with the new Standalone ESXCLI for Linux package. For information about downloading and installing the Standalone ESXCLI package, see VMware {code}.
In ESXi 6.7 Update 2, the Side-Channel-Aware Scheduler is updated to enhance the compute performance for ESXi hosts that are mitigated for speculative execution hardware vulnerabilities. For more information, see VMware knowledge base article 55806.
ESXi 6.7 update 2 adds support for VMFS6 automatic unmap processing on storage arrays and devices that report to ESXi hosts an unmap granularity value greater than 1 MB. On arrays that report granularity of 1 MB and less, the unmap operation is supported if the granularity is a factor of 1 MB.
ESXi 6.7 update 2 adds VMFS6 to the list of supported file systems by the vSphere On-disk Metadata Analyzer (VOMA) to allow you to check and fix issues with VMFS volumes metadata, LVM metadata, and partition table inconsistencies.

Earlier Releases of ESXi 6.7

Features and known issues of ESXi are described in the release notes for each release. Release notes for earlier releases of ESXi 6.7 are:

For internationalization, compatibility, installation and upgrade, and open source components, see the VMware vSphere 6.7 Release Notes.

Product Support Notices

VMware vSphere Flash Read Cache is being deprecated. While this feature continues to be supported in the vSphere 6.7 generation, it will be discontinued in a future vSphere release. As an alternative, you can use the vSAN caching mechanism or any VMware certified third-party I/O acceleration software listed in the VMware Compatibility Guide.

Upgrade Notes for This Release

For more information on ESXi versions that support upgrade to ESXi 6.7 Update 2, please see VMware knowledge base article 67077.

Patches Contained in this Release

This release contains all bulletins for ESXi that were released earlier to the release date of this product.

Build Details

Download Filename:	update-from-esxi6.7-6.7_update02.zip
Build:	13006603 12986307 (Security-only)
Download Size:	453.0 MB
md5sum:	afb6642c5f78212683d9d9a1e9dde6bc
sha1checksum:	783fc0a2a457677e69758969dadc6421e5a7c17a
Host Reboot Required:	Yes
Virtual Machine Migration or Shutdown Required:	Yes

Bulletins

This release contains general and security-only bulletins. Security-only bulletins are applicable to new security fixes only. No new bug fixes are included, but bug fixes from earlier patch and update releases are included.
If the installation of all new security and bug fixes is required, you must apply all bulletins in this release. In some cases, the general release bulletin will supersede the security-only bulletin. This is not an issue as the general release bulletin contains both the new security and bug fixes.
The security-only bulletins are identified by bulletin IDs that end in "SG". For information on patch and update classification, see KB 2014447.
For more information about the individual bulletins, see the My VMware page and the Resolved Issues section.

Bulletin ID	Category	Severity
ESXi670-201904201-UG	Bugfix	Critical
ESXi670-201904202-UG	Bugfix	Important
ESXi670-201904203-UG	Bugfix	Important
ESXi670-201904204-UG	Bugfix	Important
ESXi670-201904205-UG	Bugfix	Important
ESXi670-201904206-UG	Bugfix	Important
ESXi670-201904207-UG	Bugfix	Moderate
ESXi670-201904208-UG	Bugfix	Important
ESXi670-201904209-UG	Enhancement	Important
ESXi670-201904210-UG	Enhancement	Important
ESXi670-201904211-UG	Bugfix	Critical
ESXi670-201904212-UG	Bugfix	Important
ESXi670-201904213-UG	Bugfix	Important
ESXi670-201904214-UG	Bugfix	Important
ESXi670-201904215-UG	Bugfix	Moderate
ESXi670-201904216-UG	Bugfix	Important
ESXi670-201904217-UG	Bugfix	Important
ESXi670-201904218-UG	Bugfix	Important
ESXi670-201904219-UG	Bugfix	Important
ESXi670-201904220-UG	Bugfix	Important
ESXi670-201904221-UG	Bugfix	Important
ESXi670-201904222-UG	Bugfix	Moderate
ESXi670-201904223-UG	Bugfix	Important
ESXi670-201904224-UG	Bugfix	Important
ESXi670-201904225-UG	Enhancement	Important
ESXi670-201904226-UG	Bugfix	Important
ESXi670-201904227-UG	Bugfix	Important
ESXi670-201904228-UG	Bugfix	Important
ESXi670-201904229-UG	Bugfix	Important
ESXi670-201904101-SG	Security	Important
ESXi670-201904102-SG	Security	Important
ESXi670-201904103-SG	Security	Important

IMPORTANT: For clusters using VMware vSAN, you must first upgrade the vCenter Server system. Upgrading only ESXi is not supported.
Before an upgrade, always verify in the VMware Product Interoperability Matrix compatible upgrade paths from earlier versions of ESXi and vCenter Server to the current version.

Image Profiles

VMware patch and update releases contain general and critical image profiles.

Application of the general release image profile applies to new bug fixes.

Image Profile Name

ESXi-6.7.0-20190402001-standard

ESXi-6.7.0-20190402001-no-tools

ESXi-6.7.0-20190401001s-standard

ESXi-6.7.0-20190401001s-no-tools

Patch Download and Installation

The typical way to apply patches to ESXi hosts is through the VMware vSphere Update Manager. For details, see the About Installing and Administering VMware vSphere Update Manager.

ESXi hosts can be updated by manually downloading the patch ZIP file from the VMware download page and installing the VIB by using the esxcli software vib command. Additionally, the system can be updated using the image profile and the esxcli software profile command.

For more information, see the vSphere Command-Line Interface Concepts and Examples and the vSphere Upgrade Guide.

Resolved Issues

The resolved issues are grouped as follows.

ESXi670-201904201-UG
ESXi670-201904202-UG
ESXi670-201904203-UG
ESXi670-201904204-UG
ESXi670-201904205-UG
ESXi670-201904206-UG
ESXi670-201904207-UG
ESXi670-201904208-UG
ESXi670-201904209-UG
ESXi670-201904210-UG
ESXi670-201904211-UG
ESXi670-201904212-UG
ESXi670-201904213-UG
ESXi670-201904214-UG
ESXi670-201904215-UG
ESXi670-201904216-UG
ESXi670-201904217-UG
ESXi670-201904218-UG
ESXi670-201904219-UG
ESXi670-201904220-UG
ESXi670-201904221-UG
ESXi670-201904222-UG
ESXi670-201904223-UG
ESXi670-201904224-UG
ESXi670-201904225-UG
ESXi670-201904226-UG
ESXi670-201904227-UG
ESXi670-201904228-UG
ESXi670-201904229-UG
ESXi670-201904101-SG
ESXi670-201904102-SG
ESXi670-201904103-SG
ESXi-6.7.0-20190402001-standard
ESXi-6.7.0-20190402001-no-tools
ESXi-6.7.0-20190401001s-standard
ESXi-6.7.0-20190401001s-no-tools

ESXi670-201904201-UG

Patch Category	Bugfix
Patch Severity	Critical
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMware_bootbank_vsanhealth_6.7.0-2.48.12775454 VMware_bootbank_vsan_6.7.0-2.48.12775451 VMware_bootbank_esx-base_6.7.0-2.48.13006603 VMware_bootbank_esx-update_6.7.0-2.48.13006603
PRs Fixed	2227123, 2250472, 2273186, 2282052, 2267506, 2256771, 2269616, 2250697, 2193516, 2203431, 2264996, 2267158, 2231707, 2191342, 2197795, 2221935, 2193830, 2210364, 2177107, 2179263, 2185906, 2204508, 2211350, 2204204, 2226565, 2240385, 2163397, 2238134, 2213883, 2141221, 2240444, 2249713, 2184068, 2257480, 2235031, 2257354, 2212140, 2279897, 2227623, 2277648, 2221778, 2287560, 2268541, 2203837, 2236531, 2242656, 2250653, 2260748, 2256001, 2266762, 2263849, 2267698, 2271653, 2232538, 2210056, 2271322, 2272737, 2286563, 2178119, 2223879, 2221256, 2258272, 2219661, 2268826, 2224767, 2257590, 2241917, 2246891, 2269308
CVE numbers	N/A

This patch updates the esx-base, esx-update, vsan and vsanhealth VIBs to resolve the following issues:

PR 2227123: Very large values of counters for read or write disk latency might trigger alarms
You might intermittently see alarms for very large values of counters for read or write disk latency, such as datastore.totalReadLatency and datastore.totalWriteLatency.

This issue is resolved in this release.
PR 2250472: Linux virtual machines might stop responding while powering on due to some memory size configurations
When a Linux virtual machine is configured with specific memory size, such as 2052 MB or 2060 MB, instead of powering on, it might display a blank screen.

This issue is resolved in this release.
PR 2273186: An ESXi host might fail when you enable a vSphere Distributed Switch health check
When you set up the network and enable vSphere Distributed Switch health check to perform configuration checks, the ESXi host might fail with purple diagnostic screen.

This issue is resolved in this release.
PR 2282052: The SNMP agent might deliver an incorrect trap vmwVmPoweredOn
The SNMP agent might deliver an incorrect trap vmwVmPoweredOn when a virtual machine is selected under the Summary tab and the Snapshot Manager tab in the vSphere Web Client.

This issue is resolved in this release.
PR 2267506: An ESXi host might fail with purple diagnostic screen at DVFilter level
The DVFilter might receive unexpected or corrupt values in the shared memory ring buffer, causing the internal function to return NULL. If this NULL value is not handled gracefully, an ESXi host might fail with purple diagnostic screen at DVFilter level.

This issue is resolved in this release.
PR 2256771: You might see an unnecessary event message for network connectivity restored on virtual switch when powering on or off virtual machines
In the Events tab of the vSphere Client or the vSphere Web Client, when you power on or off virtual machines, you might see events similar to Network connectivity restored on virtual switch XXX, portgroups: XXX. Physical NIC vmnicX is up. When checking uplink status, the system report might include port groups that are not affected by the virtual machine powering on or off operation, which triggers the event. However, the event does not indicate a problem or prompt an action.

This issue is resolved in this release. The event message is removed.
PR 2250697: Windows Server Failover Cluster validation might fail if you configure Virtual Volumes with a Round Robin path policy
If during the Windows Server Failover Cluster setup you change the default path policy from Fixed or Most Recently Used to Round Robin, the I/O of the cluster might fail and the cluster might stop responding.

This issue is resolved in this release.
PR 2193516: Host Profile remediation might end with deleting a virtual network adapter from the VMware vSphere Distributed Switch
If you extract a Host Profile from an ESXi host with disabled IPv6 support, and the IPv4 default gateway is overridden while remediating that Host Profile, you might see a message that a virtual network adapter, such as DSwitch0, is to be created on the vSphere Distributed Switch (VDS), but the adapter is actually removed from the VDS. This is due to a "::" value of the ipV6DefaultGateway parameter.

This issue is resolved in this release.
PR 2203431: Some guest virtual machines might report their identity as an empty string
Some guest virtual machines might report their identity as an empty string if the guest is running a later version of VMware Tools than the ESXi host was released with, or if the host cannot recognize the guestID parameter of the GuestInfo object. The issue affects mainly virtual machines with CentOS and VMware Photon OS.

This issue is resolved in this release.
PR 2264996: You see repetitive messages in the vCenter Web Client prompting you to delete host sub specifications nsx
You might see repetitive messages in the vCenter Web Client, similar to Delete host sub specification nsx if you use network booting for ESXi hosts, due to some dummy code in hostd.

This issue is resolved in this release.
PR 2231707: The virtual machine might stop responding if the AutoInstalls ISO image file is mounted
The installation of the VMware Tools unmounts the ISO image file that ends with autoinst.iso, if it is already mounted to the virtual machine. To mount the VMware Tools ISO image file, you must click Install VMware Tools again. As a result, the virtual machine might stop responding.

This issue is resolved in this release.
Pr 2267158: ESXi hosts might lose connectivity to the vCenter Sever system due to failure of the vpxa agent service
ESXi hosts might lose connectivity to the vCenter Sever system due to failure of the vpxa agent service in result of an invalid property update generated by the PropertyCollector object. A race condition in hostd leads to a malformed sequence of property update notification events that cause the invalid property update.

This issue is resolved in this release.
PR 2191342: The SMART disk monitoring daemon, smartd, might flood the syslog service logs of release builds with debugging and info messages
In release builds, the smartd daemon might generate a lot of debugging and info messages into the syslog service logs.

This issue is resolved in this release. The fix removes debug messages from release builds.
PR 2197795: The scheduler of the VMware vSphere Network I/O Control (NIOC) might intermittently reset the uplink network device
The NIOC scheduler might reset the uplink network device if the uplink is rarely used. The reset is non-predictable.

This issue is resolved in this release.
PR 2221935: ESXi hosts might intermittently fail if you disable global IPv6 addresses
ESXi hosts might intermittently fail if you disable global IPv6 addresses, because a code path still uses IPv6.

This issue is resolved in this release. If you already face the issue, re-enable the global IPv6 addresses to avoid failure of hosts. If you need to disable IPv6 addresses for some reason, you must disable IPv6 on individual vmknics, not global IPv6 addresses.
PR 2193830: Тhe virtual machine executable process might fail and shut down virtual machines during a reboot of the guest OS
Due to a race condition, the virtual machine executable process might fail and shut down virtual machines during a reboot of the guest OS.

This issue is resolved in this release.
PR 2210364: The ESXi daemon hostd might become unresponsive while waiting for an external process to finish
Hostd might become unresponsive while waiting for an external process initiated with the esxcfg-syslog command to finish.

This issue is resolved in this release.
PR 2177107: A soft lockup of physical CPUs might cause an ESXi host to fail with a purple diagnostic screen
Large number of I/Os getting timeout on a heavy-loaded system might cause a soft lockup of physical CPUs. As a result, an ESXi host might fail with a purple diagnostic screen.

This issue is resolved in this release.
PR 2179263: Virtual machines with a virtual SATA CD-ROM might fail due to invalid commands
Invalid commands to a virtual SATA CD-ROM might trigger errors and increase the memory usage of virtual machines. This might lead to a failure of virtual machines if they are unable to allocate memory. You might see the following logs for invalid commands:

YYYY-MM-DDTHH:MM:SS.mmmZ| vcpu-1| I125: AHCI-USER: Invalid size in command YYYY-MM-DDTHH:MM:SS.mmmZ| vcpu-1| I125: AHCI-VMM: sata0:0: Halted the port due to command abort.

And a similar panic message:
YYYY-MM-DDTHH:MM:SS.mmmZ| vcpu-1| E105: PANIC: Unrecoverable memory allocation failure

This issue is resolved in this release.
PR 2185906: Migration of virtual machines by using VMware vSphere vMotion might fail with a NamespaceDb compatibility error if Guest Introspection service is on
If the Guest Introspection service in a vSphere 6.7 environment with more than 150 virtual machines is active, migration of virtual machines by using vSphere vMotion might fail with an error in the vSphere Web Client similar to The source detected that the destination failed to resume.
The destination vmware.log contains error messages similar to:

2018-07-18T02:41:32.035Z| vmx| I125: MigrateSetState: Transitioning from state 11 to 12. 2018-07-18T02:41:32.035Z| vmx| I125: Migrate: Caching migration error message list: 2018-07-18T02:41:32.035Z| vmx| I125: [msg.checkpoint.migration.failedReceive] Failed to receive migration. 2018-07-18T02:41:32.035Z| vmx| I125: [msg.namespaceDb.badVersion] Incompatible version -1 (expect 2). 2018-07-18T02:41:32.035Z| vmx| I125: [msg.checkpoint.mrestoregroup.failed] An error occurred restoring the virtual machine state during migration.

The vmkernel log contains error messages such as:

2018-07-18T02:32:43.011Z cpu5:66134)WARNING: Heap: 3534: Heap fcntlHeap-1 already at its maximum size. Cannot expand. 2018-07-18T02:41:35.613Z cpu2:66134)WARNING: Heap: 4169: Heap_Align(fcntlHeap-1, 200/200 bytes, 8 align) failed. caller: 0x41800aaca9a3

This issue is resolved in this release.
PR 2204508: The advanced performance chart might stop displaying data after a hostd restart
You can edit the statistical data to be collected only when the virtual machine is in a particular power state. For example, you cannot edit the memory data when the virtual machine is powered on. When you restart the hostd service, the virtual machine might not change its power state, which leads to false data initialization. The calculation of the host consumed memory counter might end up with division by zero and the chart might stop drawing graphs.

This issue is resolved in this release.
PR 2211350: A virtual machine port might be blocked after a VMware vSphere High Availability (vSphere HA) failover
By default, the Isolation Response feature in an ESXi host with enabled vSphere HA is disabled. When the Isolation Response feature is enabled, a virtual machine port, which is connected to an NSX-T logical switch, might be blocked after a vSphere HA failover.

This issue is resolved in this release.
PR 2204204: e1000 vNICs might intermittently drop unrecognized GRE packets
e1000 vNICs might intermittently drop unrecognized GRE packets due to a parsing issue.

This issue is resolved in this release.
PR 2226565: Booting ESXi on Apple hardware might fail with an error that the Mutiboot buffer is too small
While booting an Apple system, the boot process might stop with the following error message:
Shutting down firmware services... Mutiboot buffer is too small. Unrecoverable error

The issue affects only certain Apple firmware versions.

This issue is resolved in this release.
PR 2240385: Virtual machines might fail during a long-running quiesced snapshot operation
If hostd restarts during a long-running quiesced snapshot operation, hostd might automatically run the snapshot Consolidation command to remove redundant disks and improve virtual machine performance. However, the Consolidation command might race with the running quiesced snapshot operation and cause failure of virtual machines.

This issue is resolved in this release.
PR 2163397: The SNMP agent might display D_Failed battery status
The SNMP agent might display the status of all batteries as D_Failed when you run the snmpwalk command. This issue occurs due to the processing of code, which might not check the status properly and the misinterpretation of the compact sensors with sensor-specific code.

This issue is resolved in this release.
PR 2238134: When you use an IP hash or source MAC hash teaming policy, the packets might drop or go through the wrong uplink
When you use an IP hash or source MAC hash teaming policy, some packets from the packet list might use a different uplink. As a result, some of them might drop or not be sent out through the uplink determined by the teaming policy.

This issue is resolved in this release.
PR 2213883: An ESXi host becomes unresponsive when it disconnects from an NFS datastore that is configured for logging
If an NFS datastore is configured as a syslog datastore and if the ESXi host disconnects from it, logging to the datastore stops and the ESXi host might become unresponsive.

This issue is resolved in this release.
PR 2141221: An ESXi host might fail during replication of virtual machines by using VMware vSphere Replication with VMware Site Recovery Manager
When you replicate virtual machines by using vSphere Replication with Site Recovery Manager, the ESXi host might fail with a purple diagnostic screen immediately or within 24 hours. You might see a similar error: PANIC bora/vmkernel/main/dlmalloc.c:4924 - Usage error in dlmalloc.

This issue is resolved in this release.
PR 2240444: The hostd daemon might fail with an error due to too many locks
Larger configurations might exceed the limit for the number of locks and hostd starts failing with an error similar to:
hostd Panic: MXUserAllocSerialNumber: too many locks!

This issue is resolved in this release. The fix removes the limit for the number of locks.
PR 2249713: The esxcli network plug-in command might return a false value as a result
Тhe esxcli $esxcli.network.nic.coalesce.set.Invoke network command might return a false value as a result even though the value is correctly set. This might impact your automation scripts.

This issue is resolved in this release.
PR 2184068: An ESXi host might fail with a purple diagnostic screen when accessing a corrupted VMFS datastore
When a virtual machine tries to access a VMFS datastore with corrupted directory, the ESXi host might fail with a purple diagnostic screen and the DirEntry corruption error message.

This issue is resolved in this release.
PR 2257480: The LACPPDU Actor кey value might change to 0
The LACPPDU Actor key might change its value to 0 during the link status flapping.

This issue is resolved in this release.
PR 2235031: An ESXi host becomes unresponsive and you see warnings for reached maximum heap size in the vmkernel.log
Due to a timing issue in the VMkernel, buffers might not be flushed, and the heap gets exhausted. As a result, services such as hostd, vpxa and vmsyslogd might not be able to write logs on the ESXi host, and the host becomes unresponsive. In the /var/log/vmkernel.log, you might see a similar warning:WARNING: Heap: 3571: Heap vfat already at its maximum size. Cannot expand.

This issue is resolved in this release.
PR 2257354: Some virtual machines might become invalid when trying to install or update VMware Tools
If you have modified the type of a virtual CD-ROM device of a virtual machine in a previous version of ESXi, after you update to a later version, when you try to install or update VMware Tools, the virtual machine might be terminated and marked as invalid.

This issue is resolved in this release.
PR 2212140: Renewing a host certificate might not push the full chain of trust to the ESXi host
When you renew a certificate, only the first certificate from the supplied chain of trust might be stored on the ESXi host. Any intermediate CA certificates are truncated. Because of the missing certificates, the chain to the root CA cannot be built. This leads to a warning for an untrusted connection.

This issue is resolved in this release.
PR 2279897: Creating a snapshot of a virtual machine might fail due to a null VvolId parameter
If a vSphere API for Storage Awareness provider modifies the vSphere Virtual Volumes policy unattended, a null VvolID parameter might update the vSphere Virtual Volumes metadata. This results in a VASA call with a null VvoId parameter and a failure when creating a virtual machine snapshot.

This issue is resolved in this release. The fix handles the policy modification failure and prevents the null VvolId parameter.
PR 2227623: Parallel cloning of multiple virtual machines on a vSphere Virtual Volumes datastore might fail with an error message for failed file creation
If a call from a vSphere API for Storage Awareness provider fails due to all connections to the virtual provider being busy, operations for parallel cloning of multiple virtual machines on a vSphere Virtual Volumes datastore might become unresponsive or fail with an error message similar to Cannot complete file creation operation.

This issue is resolved in this release.
PR 2277648: An ESXi host might fail with a purple diagnostic screen displaying a sbflush_internal panic message
An ESXi host might fail with a purple diagnostic screen displaying a sbflush_internal panic message due to some discrepancies in the internal statistics.

This issue is resolved in this release. The fix converts the panic message into an assert.
PR 2221778: You cannnot migrate virtual machines by using vSphere vMotion between ESXi hosts with NSX managed virtual distributed switches (N-VDS) and vSphere Standard Switches
With ESXi 6.7 Update 2, you can migrate virtual machines by using vSphere vMotion between ESXi hosts with N-VDS and vSphere Standard Switches. To enable the feature, you must upgrade your vCenter Server system to vCenter Server 6.7 Update 2 and ESXi 6.7 Update 2 on both source and destination sites.

This issue is resolved in this release.
PR 2287560: ESXi hosts might fail with a purple diagnostic screen due to a page fault exception
ESXi hosts might fail with a purple diagnostic screen due to a page fault exception. The error comes from a missing flag that could trigger cache eviction on an object that no longer exists, and result in a NULL pointer reference.

This issue is resolved in this release.
PR 2268541: You might see redundant VOB messages in the vCenter Server system, such as Lost uplink redundancy on virtual switch "xxx"
When checking the uplink status, the teaming policy might not check if the uplink belongs to a port group and the affected port group might not be correct. As a result, you might see redundant VOB messages in the /var/run/log/vobd.log file, such as:

Lost uplink redundancy on virtual switch "xxx". Physical NIC vmnicX is down. Affected portgroups:"xxx".

This issue is resolved in this release.
PR 2203837: Claim rules must be manually added to an ESXi host
You must manually add the claim rules to an ESXi host for Lenovo ThinkSystem DE Series Storage Arrays.

This issue is resolved in this release. This fix sets Storage Array Type Plugin (SATP) to VMW_SATP_ALUA, Path Selection Policy (PSP) to VMW_PSP_RR, and Claim Options to tpgs_on as default for Lenovo ThinkSystem DE Series Storage Arrays.
PR 2236531: An ESXi host might get disconnected from a vCenter Server system
The vpxa service might fail due to excessive memory usage when iterating on a large directory tree. As a result, an ESXi host might get disconnected from a vCenter Server system.

This issue is resolved in this release.
PR 2242656: Updates with ESXCLI commands might fail when SecureBoot is enabled
The commands esxcli software profile update or esxcli software profile install might fail on hosts running ESXi 6.7 Update 1 with enabled SecureBoot. You might see error messages such as Failed to setup upgrade using esx-update VIB and Failed to mount tardisk in ramdisk: [Errno 1] Operation not permitted.

This issue is resolved in this release. If you already face the issue, run the esxcli software vib update command to update your system to ESXi 6.7 Update 2. You can also disable SecureBoot, run the ESXCLI commands, and then re-enable SecureBoot.
PR 2250653: NFS volume mount might not persist after reboot of an ESXi host
NFS volume mount might not persist after a reboot of an ESXi host due to intermittent failure in resolving the host name of the NFS server.

This issue is resolved in this release. The fix adds retry logic if a host name resolution fails.
PR 2260748: You might intermittently lose connectivity while using the Route Based on Physical NIC Load option in the vSphere Distributed Switch
This issue happens if you create a VMK or vNIC port by using the Route Based on Physical NIC Load option when the physical NIC assigned to that port group is temporarily down. In such cases, the port team uplink is not set because there are no active uplinks in the portgroup. When the physical NIC becomes active again, teaming code fails to update the port data, resulting in a packet loss.

This issue is resolved in this release.
PR 2256001: Host fails with Bucketlist_LowerBound or PLOGRelogRetireLsns in the backtrace
A race condition can occur when Plog Relog runs along with DecommissionMD, causing Relog to access freed Plog device state tables. This problem can cause a host failure with a purple diagnostic screen.

This issue is resolved in this release.
PR 2266762: You might see many warnings for unsupported physical block sizes in the vmkernel logs
If you use devices with physical block size other than 4096 or 512 MB, in the vmkernel logs you might see many warnings similar to:
ScsiPath: 4395: The Physical block size "8192" reported by the path vmhba3:C0:T1:L0 is not supported.

This issue is resolved in this release. The fix converts the warnings into debug log messages.
PR 2263849: Operations on stretched cluster failed with name '_VSAN_VER3' is not defined
After configuring or upgrading a vSAN stretched cluster, all cluster level requests might fail. You might see the following error message:
name '_VSAN_VER3' is not defined.

This issue is resolved in this release.
PR 2267698: vSAN performance charts do not show VMDK metrics properly
If the virtual machine folder is created using a name instead of UUID, the vSAN performance charts do not show the following VMDK metrics properly:
- IOPS and IOPS Limit
- Delayed Normalized IOPS

This issue is resolved in this release.
PR 2271653: You might see wrong reports for dropped packets when using IOChain and the Large Receive Offload (LRO) feature is enabled
In Host > Monitor > Performance > Physical Adapters > pNIC vSwitch Port Drop Rate you might see a counter showing dropped packets, while no packets are dropped. This is because the IOChain framework treats the reduced number of packets, when using LRO, as packet drops.

This issue is resolved in this release.
PR 2232538: An ESXi host might fail while powering on a virtual machine with a name that starts with “SRIOV”
An ESXi host might fail with a purple diagnostic screen while powering on a virtual machine. This happens if the virtual machine name starts with “SRIOV” and has an uplink connected to a vSphere Distributed Switch.

This issue is resolved in this release.
PR 2210056: If SNMP disables dynamic rulesets, but they are active in a Host Profile, you might see an unexpected compliance error
In a rare race condition, when SNMP disables dynamic rulesets, but they are active in a Host Profile, you might see an unexpected compliance error such as Ruleset dynamicruleset not found.

This issue is resolved in this release.
PR 2271322: Recovery of a virtual machine running Windows 2008 or later by using vSphere Replication with application quiescing enabled might result in a corrupt replica
Recovery of a virtual machine running Windows 2008 or later by using vSphere Replication with application quiescing enabled might result in a corrupt replica. Corruption only happens when application quiescing is enabled. If VMware Tools on the virtual machine is not configured for application quiescing, vSphere Replication uses a lower level of consistency, such as file system quiescing, and replicas are not corrupted.

This issue is resolved in this release.
PR 2272737: When you perform CIM requests more than 2 MB, the SFCB configuration might fail on an ESXi host
When you perform CIM requests more than 2 MB like firmware download, CIM service might fail on an ESXi host due to out of stack space and the SFCB zdumb file appears in /var/core.

This issue is resolved in this release.
PR 2286563: The number of syslog.log archive files generated might be less than the configured default and different between ESXi versions 6.0 and 6.7
The number of syslog.log archive files generated might be one less than the default value set by using the syslog.global.defaultRotate parameter. The number of syslog.log archive files might also be different between ESXi versions 6.0 and 6.7. For instance, if syslog.global.defaultRotate is set to 8 by default, ESXi 6.0 creates syslog.0.gz to syslog.7.gz, while ESXi 6.7 creates syslog.0.gz to syslog.6.gz.

This issue is resolved in this release.
PR 2178119: A large value of the advanced config option /Misc/MCEMonitorInterval might cause ESXi hosts to become unresponsive
If you set the advanced config option /Misc/MCEMonitorInterval to a very large value, ESXi hosts might become unresponsive in around 10 days of uptime, due to a timer overflow.

This issue is resolved in this release.
PR 2223879: An ESXi host might fail with a purple diagnostic screen and an error for a possible deadlock
The P2MCache lock is a spin lock causing slow CPU performance that might cause starvation of other CPUs. As a result, an ESXi host might fail with a purple diagnostic screen and a Spin count exceeded - possible deadlock, PVSCSIDoIOComplet, NFSAsyncIOComplete error.

This issue is resolved in this release.
PR 2221256: An ESXi host might fail with a purple diagnostic screen during a Storage vMotion operation between NFS datastores
An ESXi host might fail with a purple diagnostic screen during a Storage vMotion operation between NFS datastores, due to a race condition in the request completion path. The race condition happens under heavy I/O load in the NFS stack.

This issue is resolved in this release.
PR 2258272: ESXi host with vSAN enabled fails due to race condition in decommission workflow
During disk decommission operation, a race condition in the decommission workflow might cause the ESXi host to fail with a purple diagnostic screen.

This issue is resolved in this release.
PR 2219661: An ESXi host might fail with a purple diagnostic screen if RSS is enabled on a physical NIC
An ESXi host might fail with a purple diagnostic screen if RSS is enabled on a physical NIC. You might see a similar backtrace:
yyyy-mm-dd cpu9:2097316)0x451a8521bc70:[0x41801a68ad30]RSSPlugCleanupRSSEngine@(lb_netqueue_bal)# +0x7d stack: 0x4305e4c1a8e0, 0x41801a68af2b, 0x430db8c6b188, 0x4305e4c1a8e0, 0x0yyyy-mm-dd cpu9:2097316)0x451a8521bc90:[0x41801a68af2a]RSSPlugInitRSSEngine@(lb_netqueue_bal)# +0x127 stack: 0x0, 0x20c49ba5e353f7cf, 0x4305e4c1a930, 0x4305e4c1a800, 0x4305e4c1a9f0 yyyy-mm-dd cpu9:2097316)0x451a8521bcd0:[0x41801a68b21c]RSSPlug_PreBalanceWork@(lb_netqueue_bal)# +0x1cd stack: 0x32, 0x32, 0x0, 0xe0, 0x4305e4c1a800 yyyy-mm-dd cpu9:2097316)0x451a8521bd30:[0x41801a687752]Lb_PreBalanceWork@(lb_netqueue_bal)# +0x21f stack: 0x4305e4c1a800, 0xff, 0x0, 0x43057f38ea00, 0x4305e4c1a800 yyyy-mm-dd cpu9:2097316)0x451a8521bd80:[0x418019c13b18]UplinkNetqueueBal_BalanceCB@vmkernel#nover+0x6f1 stack: 0x4305e4bc6088, 0x4305e4c1a840, 0x4305e4c1a800, 0x4305e435fb30, 0x4305e4bc6088 yyyy-mm-dd cpu9:2097316)0x451a8521bf00:[0x418019cd1c89]UplinkAsyncProcessCallsHelperCB@vmkernel#nover+0x116 stack: 0x430749e60870, 0x430196737070, 0x451a85223000, 0x418019ae832b, 0x430749e60088 yyyy-mm-dd cpu9:2097316)0x451a8521bf30:[0x418019ae832a]HelperQueueFunc@vmkernel#nover+0x157 stack: 0x430749e600b8, 0x430749e600a8, 0x430749e600e0, 0x451a85223000, 0x430749e600b8 yyyy-mm-dd cpu9:2097316)0x451a8521bfe0:[0x418019d081f2]CpuSched_StartWorld@vmkernel#nover+0x77 stack: 0x0, 0x0, 0x0, 0x0, 0x0

This issue is resolved in this release. The fix cleans data in the RSS engine to avoid overloading of the dedicated heap of the NetQueue balancer.
PR 2268826: An ESXi host might fail with a purple diagnostic screen when the VMware APIs for Storage Awareness (VASA) provider sends a rebind request to switch the protocol endpoint for a vSphere Virtual Volume
When the VASA provider sends a rebind request to an ESXi host to switch the binding for a particular vSphere Virtual Volume driver, the ESXi host might switch the protocol endpoint and other resources to change the binding without any I/O disturbance. As a result, the ESXi host might fail with a purple diagnostic screen.

This issue is resolved in this release.
PR 2224767: You might see false hardware health alarms from Intelligent Platform Management Interface (IPMI) sensors
Some IPMI sensors might intermittently change from green to red and the reverse, which creates false hardware health alarms.

This issue is resolved in this release. With this fix, you can use the advanced option command esxcfg-advcfg -s {sensor ID},{sensor ID} /UserVars/HardwareHealthIgnoredSensors to ignore hardware health alarms from selected sensors.
PR 2257590: An ESXi host might fail with a memory admission error if you install an async 32-bit iSCSI Management API (IMA) plug-in
If you install an async 32-bit IMA plug-in and there are already installed 32-bit IMA plug-ins, the system might try to load these plug-ins and check if they are loaded from the QLogic independent iSCSI adapter. During this process the ESXi host might fail with a memory admission error.

This issue is resolved in this release. This fix loads each 32-bit IMA plug-in only from the QLogic adapter.
PR 2241917: A reprotect operation might fail with an error for vSphere Replication synchronization
If you run a reprotect operation by using the Site Recovery Manager, the operation might fail if a virtual machine is late with the initial synchronization. You might see an error similar to:
VR synchronization failed for VRM group {…}. Operation timed out: 10800 seconds

This issue is resolved in this release.
PR 2246891: An I/O error TASK_SET_FULL on a secondary LUN might slow down the I/O rate on all secondary LUNs behind the protocol endpoint of Virtual Volumes on HPE 3PAR storage if I/O throttling is enabled
When I/O throttling is enabled on a protocol endpoint of Virtual Volumes on HPE 3PAR storage and if an I/O on a secondary LUN fails with an error TASK_SET_FULL, the I/O rate on all secondary LUNs that are associated with the protocol endpoint slows down.

This issue is resolved in this release. With this fix, you can enable I/O throttling on individual Virtual Volumes to avoid the slowdown of all secondary LUNs behind the protocol endpoint if the TASK_SET_FULL error occurs.
PR 2269308: ESXi hosts with visibility to RDM LUNs might take a long time to start or during LUN rescan
The large number of RDM LUNs might cause an ESXi host to take a long time to start or delay while performing a LUN rescan. If you use APIs, such as MarkPerenniallyReserved or MarkPerenniallyReservedEx, you can mark a specific LUN as perennially reserved, which improves the start and time and rescan time of the ESXi hosts.

This issue is resolved in this release.

ESXi670-201904202-UG

Patch Category	Bugfix
Patch Severity	Important
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_i40en_1.3.1-23vmw.670.2.48.13006603
PRs Fixed	N/A
CVE numbers	N/A

This patch updates the i40en VIB.

ESXi670-201904203-UG

Patch Category	Bugfix
Patch Severity	Important
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_igbn_0.1.1.0-4vmw.670.2.48.13006603
PRs Fixed	N/A
CVE numbers	N/A

This patch updates the igbn VIB.

ESXi670-201904204-UG

Patch Category	Bugfix
Patch Severity	Important
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_ixgben_1.4.1-18vmw.670.2.48.13006603
PRs Fixed	N/A
CVE numbers	N/A

This patch updates the ixgben VIB.

ESXi670-201904205-UG

Patch Category	Bugfix
Patch Severity	Important
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_ne1000_0.8.4-2vmw.670.2.48.13006603
PRs Fixed	N/A
CVE numbers	N/A

This patch updates the ne1000 VIB.

ESXi670-201904206-UG

Patch Category	Bugfix
Patch Severity	Important
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_vmkusb_0.1-1vmw.670.2.48.13006603
PRs Fixed	N/A
CVE numbers	N/A

This patch updates the vmkusb VIB.

ESXi670-201904207-UG

Patch Category	Bugfix
Patch Severity	Moderate
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMware_bootbank_qlnativefc_3.1.8.0-4vmw.670.2.48.13006603
PRs Fixed	2228529
CVE numbers	N/A

This patch updates the qlnativefc VIB.

Update to the qlnativefc driver
The qlnativefc driver is updated to version 3.1.8.0.

ESXi670-201904208-UG

Patch Category	Bugfix
Patch Severity	Important
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_nfnic_4.0.0.17-0vmw.670.2.48.13006603
PRs Fixed	2231435
CVE numbers	N/A

This patch updates the nfnic VIB.

Update to the nfnic driver
The nfnic driver is updated to version 4.0.0.17.

ESXi670-201904209-UG

Patch Category	Bugfix
Patch Severity	Enhancement
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_brcmfcoe_11.4.1078.19-12vmw.670.2.48.13006603
PRs Fixed	N/A
CVE numbers	N/A

This patch updates the brcmfcoe VIB.

ESXi670-201904210-UG

Patch Category	Bugfix
Patch Severity	Enhancement
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_lpfc_11.4.33.18-12vmw.670.2.48.13006603
PRs Fixed	N/A
CVE numbers	N/A

This patch updates the lpfc VIB.

ESXi670-201904211-UG

Patch Category	Bugfix
Patch Severity	Critical
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMware_bootbank_elx-esx-libelxima.so_11.4.1184.1-2.48.13006603
PRs Fixed	2226688
CVE numbers	N/A

This patch updates the elx-esx-libelxima.so VIB to resolve the following issue:

PR 2226688: Emulex drivers logs might fill up the /var file system logs
Emulex drivers might write logs at /var/log/EMU/mili/mili2d.log and fill up the 40 MB /var file system logs of RAM drives.

This issue is resolved in this release. The fix changes writes of Emulex drivers to the /scratch/log/ instead of the /var/log/.

ESXi670-201904212-UG

Patch Category	Bugfix
Patch Severity	Important
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	No
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_misc-drivers_6.7.0-2.48.13006603
PRs Fixed	N/A
CVE numbers	N/A

This patch updates the misc-drivers VIB.

ESXi670-201904213-UG

Patch Category	Bugfix
Patch Severity	Important
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	No
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMware_bootbank_lsu-lsi-lsi-msgpt3-plugin_1.0.0-9vmw.670.2.48.13006603
PRs Fixed	N/A
CVE numbers	N/A

This patch updates the lsu-lsi-lsi-msgpt3-plugin VIB.

ESXi670-201904214-UG

Patch Category	Bugfix
Patch Severity	Important
Host Reboot Required	No
Virtual Machine Migration or Shutdown Required	No
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_sfvmk_1.0.0.1003-6vmw.670.2.48.13006603
PRs Fixed	2234599
CVE numbers	N/A

This patch updates the sfvmk VIB.

ESXi 6.7 Update 2 adds Solarflare native driver (sfvmk) support for Solarflare 10G and 40G network adaptor devices, such as SFN8542 and SFN8522.

ESXi670-201904215-UG

Patch Category	Bugfix
Patch Severity	Moderate
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_lsi-msgpt2_20.00.05.00-1vmw.670.2.48.13006603
PRs Fixed	2256555
CVE numbers	N/A

This patch updates the lsi-msgpt2 VIB.

Update to the lsi-msgpt2 driver
The lsi-msgpt2 driver is updated to version 20.00.05.00 to address task management enhancements and critical bug fixes.

ESXi670-201904216-UG

Patch Category	Bugfix
Patch Severity	Important
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_nmlx4-core_3.17.13.1-1vmw.670.2.48.13006603
PRs Fixed	N/A
CVE numbers	N/A

This patch updates the nmlx4-core VIB.

ESXi670-201904217-UG

Patch Category	Bugfix
Patch Severity	Important
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_nmlx4-en_3.17.13.1-1vmw.670.2.48.13006603
PRs Fixed	N/A
CVE numbers	N/A

This patch updates the nmlx4-en VIB.

ESXi670-201904218-UG

Patch Category	Bugfix
Patch Severity	Important
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_nmlx4-rdma_3.17.13.1-1vmw.670.2.48.13006603
PRs Fixed	N/A
CVE numbers	N/A

This patch updates the nmlx4-rdma VIB.

ESXi670-201904219-UG

Patch Category	Bugfix
Patch Severity	Important
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_nmlx5-core_4.17.13.1-1vmw.670.2.48.13006603
PRs Fixed	N/A
CVE numbers	N/A

This patch updates the nmlx5-core VIB.

ESXi670-201904220-UG

Patch Category	Bugfix
Patch Severity	Important
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_nmlx5-rdma_4.17.13.1-1vmw.670.2.48.13006603
PRs Fixed	N/A
CVE numbers	N/A

This patch updates the nmlx5-rdma VIB.

ESXi670-201904221-UG

Patch Category	Bugfix
Patch Severity	Important
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_bnxtnet_20.6.101.7-21vmw.670.2.48.13006603
PRs Fixed	N/A
CVE numbers	N/A

This patch updates the bnxtnet VIB.

ESXi670-201904222-UG

Patch Category	Bugfix
Patch Severity	Moderate
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	No
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMware_bootbank_lsu-lsi-drivers-plugin_1.0.0-1vmw.670.2.48.13006603
PRs Fixed	2242441
CVE numbers	N/A

This patch updates the lsu-lsi-drivers-plugin VIB to resolve the following issue:

PR 2242441: You might not be able to locate and turn on the LED for disks under lsi-msgpt35 controllers
You might not be able to locate and turn on the LED for disks under a lsi-msgpt35 controller.

This issue is resolved in this release. The fix introduces a new lsu-lsi-drivers-plugin which works with lsi-msgpt35 async and inbox drivers.

ESXi670-201904223-UG

Patch Category	Bugfix
Patch Severity	Important
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_nvme_1.2.2.27-1vmw.670.2.48.13006603
PRs Fixed	2270098
CVE numbers	N/A

This patch updates the nvme VIB to resolve the following issues:

PR 2270098: ESXi hosts might fail with a purple diagnostic screen when using Intel NVMe devices
If a split I/O request is cancelled in the inbox nvme driver, the command completion path might unlock the queue lock due to an incorrect check of the command type. This might cause ESXi hosts to fail with a purple diagnostic screen.

This issue is resolved in this release.
PR 2270098: You cannot see NVMe devices with doorbell stride different from 0h in ESXi hosts
VMware inbox nvme driver supports only doorbell stride with value 0h and you cannot use any other value or see NVMe devices with doorbell stride different from 0h.

This issue is resolved in this release.

ESXi670-201904224-UG

Patch Category	Bugfix
Patch Severity	Important
Host Reboot Required	No
Virtual Machine Migration or Shutdown Required	No
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMware_bootbank_vmware-esx-esxcli-nvme-plugin_1.2.0.36-2.48.13006603
PRs Fixed	2270098
CVE numbers	N/A

This patch updates the vmware-esx-esxcli-nvme-plugin VIB to resolve the following issue:

PR 2270098: You might see incorrect NVMe device information by running the esxcfg-scsidevs –a command
For some Dell-branded NVMe devices, and for Marvell NR2241, you might see incorrect NVMe device information by running the esxcfg-scsidevs –a command or looking at the interface.

This issue is resolved in this release.

ESXi670-201904225-UG

Patch Category	Bugfix
Patch Severity	Enhancement
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_lsi-mr3_7.708.07.00-2vmw.670.2.48.13006603
PRs Fixed	2272901
CVE numbers	N/A

This patch updates the lsi-mr3 VIB.

Upgrade to the Broadcom lsi-mr3 driver
The Broadcom lsi-mr3 driver is upgraded to version MR 7.8.

ESXi670-201904226-UG

Patch Category	Bugfix
Patch Severity	Important
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_lsi-msgpt35_09.00.00.00-1vmw.670.2.48.13006603
PRs Fixed	2275290
CVE numbers	N/A

This patch updates the lsi-msgpt35 VIB.

Update to the lsi-msgpt35 driver
The lsi-msgpt35 driver is updated to version 09.00.00.00-1vmw.

ESXi670-201904227-UG

Patch Category	Bugfix
Patch Severity	Important
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_lsi-msgpt3_17.00.01.00-3vmw.670.2.48.13006603
PRs Fixed	2275290
CVE numbers	N/A

This patch updates the lsi-msgpt3 VIB.

Update to the lsi-msgpt3 driver
The lsi-msgpt3 driver is updated to version 17.00.01.00-3vmw.

ESXi670-201904228-UG

Patch Category	Bugfix
Patch Severity	Important
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMW_bootbank_net-vmxnet3_1.1.3.0-3vmw.670.2.48.13006603
PRs Fixed	N/A
CVE numbers	N/A

This patch updates the net-vmxnet3 VIB.

ESXi670-201904229-UG

Patch Category	Bugfix
Patch Severity	Important
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMware_bootbank_native-misc-drivers_6.7.0-2.48.13006603
PRs Fixed	N/A
CVE numbers	N/A

This patch updates the native-misc-drivers VIB.

ESXi670-201904101-SG

Patch Category	Security
Patch Severity	Important
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMware_bootbank_vsan_6.7.0-1.44.11399678 VMware_bootbank_esx-update_6.7.0-1.44.12986307 VMware_bootbank_esx-base_6.7.0-1.44.12986307 VMware_bootbank_vsanhealth_6.7.0-1.44.11399680
PRs Fixed	2228005, 2301046, 2232983, 2222019, 2224776, 2260077
CVE numbers	CVE-2019-5516, CVE-2019-5517, CVE-2019-5520

This patch updates the esx-base, vsan, and vsanhealth VIBs to resolve the following issues:

PR 2224776: ESXi hosts might become unresponsive if the sfcbd service fails to process all forked processes
You might see many error messages such as Heap globalCartel-1 already at its maximum size. Cannot expand. in the vmkernel.log, because the sfcbd service fails to process all forked processes. As a result, the ESXi host might become unresponsive and some operations might fail.

This issue is resolved in this release.
Update to the Network Time Protocol (NTP) daemon
The NTP daemon is updated to version ntp-4.2.8p12.
Update to the libxml2 library
The ESXi userworld libxml2 library is updated to version 2.9.8.
Update to the Python library
The Python third party library is updated to version 3.5.6.
Update to the OpenSSH
The OpenSSH is updated to version 7.9 to resolve security issue with identifier CVE-2018-15473.
Update to OpenSSL
The OpenSSL package is updated to version openssl-1.0.2r.
ESXi updates address an out-of-bounds vulnerability with the vertex shader functionality. Exploitation of this issue requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on their own VM. The workaround for this issue involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2019-5516 to this issue. See VMSA-2019-0006 for further information.
ESXi contains multiple out-of-bounds read vulnerabilities in the shader translator. Exploitation of these issues requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation of these issues may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on their own VM. The workaround for these issues involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2019-5517 to these issues. See VMSA-2019-0006 for further information.
ESXi updates address an out-of-bounds read vulnerability. Exploitation of this issue requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation of this issue may lead to information disclosure. The workaround for this issue involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2019-5520 to this issue. See VMSA-2019-0006 for further information.

ESXi670-201904102-SG

Patch Category	Security
Patch Severity	Important
Host Reboot Required	No
Virtual Machine Migration or Shutdown Required	No
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMware_locker_tools-light_10.3.5.10430147-12986307
PRs Fixed	N/A
CVE numbers	N/A

This patch updates the tools-light VIB.

ESXi670-201904103-SG

Patch Category	Security
Patch Severity	Important
Host Reboot Required	No
Virtual Machine Migration or Shutdown Required	No
Affected Hardware	N/A
Affected Software	N/A
VIBs Included	VMware_bootbank_esx-ui_1.33.3-12923304
PRs Fixed	N/A
CVE numbers	N/A

This patch updates the esx-ui VIB.

ESXi-6.7.0-20190402001-standard

Profile Name	ESXi-6.7.0-20190402001-standard
Build	For build information, see Patches Contained in this Release.
Vendor	VMware, Inc.
Release Date	April 11, 2019
Acceptance Level	PartnerSupported
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMware_bootbank_vsanhealth_6.7.0-2.48.12775454 VMware_bootbank_vsan_6.7.0-2.48.12775451 VMware_bootbank_esx-base_6.7.0-2.48.13006603 VMware_bootbank_esx-update_6.7.0-2.48.13006603 VMW_bootbank_i40en_1.3.1-23vmw.670.2.48.13006603 VMW_bootbank_igbn_0.1.1.0-4vmw.670.2.48.13006603 VMW_bootbank_ixgben_1.4.1-18vmw.670.2.48.13006603 VMW_bootbank_ne1000_0.8.4-2vmw.670.2.48.13006603 VMW_bootbank_vmkusb_0.1-1vmw.670.2.48.13006603 VMware_bootbank_qlnativefc_3.1.8.0-4vmw.670.2.48.13006603 VMW_bootbank_nfnic_4.0.0.17-0vmw.670.2.48.13006603 VMW_bootbank_brcmfcoe_11.4.1078.19-12vmw.670.2.48.13006603 VMW_bootbank_lpfc_11.4.33.18-12vmw.670.2.48.13006603 VMware_bootbank_elx-esx-libelxima.so_11.4.1184.1-2.48.13006603 VMW_bootbank_misc-drivers_6.7.0-2.48.13006603 VMware_bootbank_lsu-lsi-lsi-msgpt3-plugin_1.0.0-9vmw.670.2.48.13006603 VMW_bootbank_sfvmk_1.0.0.1003-6vmw.670.2.48.13006603 VMW_bootbank_lsi-msgpt2_20.00.05.00-1vmw.670.2.48.13006603 VMW_bootbank_nmlx4-core_3.17.13.1-1vmw.670.2.48.13006603 VMW_bootbank_nmlx4-en_3.17.13.1-1vmw.670.2.48.13006603 VMW_bootbank_nmlx4-rdma_3.17.13.1-1vmw.670.2.48.13006603 VMW_bootbank_nmlx5-core_4.17.13.1-1vmw.670.2.48.13006603 VMW_bootbank_nmlx5-rdma_4.17.13.1-1vmw.670.2.48.13006603 VMW_bootbank_bnxtnet_20.6.101.7-21vmw.670.2.48.13006603 VMware_bootbank_lsu-lsi-drivers-plugin_1.0.0-1vmw.670.2.48.13006603 VMW_bootbank_nvme_1.2.2.27-1vmw.670.2.48.13006603 VMware_bootbank_vmware-esx-esxcli-nvme-plugin_1.2.0.36-2.48.13006603 VMW_bootbank_lsi-mr3_7.708.07.00-2vmw.670.2.48.13006603 VMW_bootbank_lsi-msgpt35_09.00.00.00-1vmw.670.2.48.13006603 VMW_bootbank_lsi-msgpt3_17.00.01.00-3vmw.670.2.48.13006603 VMW_bootbank_net-vmxnet3_1.1.3.0-3vmw.670.2.48.13006603 VMware_bootbank_native-misc-drivers_6.7.0-2.48.13006603 VMware_locker_tools-light_10.3.5.10430147-12986307 VMware_bootbank_esx-ui_1.33.3-12923304
PRs Fixed	2227123, 2250472, 2273186, 2282052, 2267506, 2256771, 2269616, 2250697, 2193516, 2203431, 2264996, 2267158, 2231707, 2191342, 2197795, 2221935, 2193830, 2210364, 2177107, 2179263, 2185906, 2204508, 2211350, 2204204, 2226565, 2240385, 2163397, 2238134, 2213883, 2141221, 2240444, 2249713, 2184068, 2257480, 2235031, 2257354, 2212140, 2279897, 2227623, 2277648, 2221778, 2287560, 2268541, 2203837, 2236531, 2242656, 2250653, 2260748, 2256001, 2266762, 2263849, 2267698, 2271653, 2232538, 2210056, 2271322, 2272737, 2286563, 2178119, 2223879, 2221256, 2258272, 2219661, 2268826, 2224767, 2257590, 2241917, 2246891, 2228529, 2231435, 2226688, 2234599, 2256555, 2242441, 2270098, 2272901, 2275290
Related CVE numbers	N/A

This patch updates the following issues:
- You might intermittently see alarms for very large values of counters for read or write disk latency, such as datastore.totalReadLatency and datastore.totalWriteLatency.
- When a Linux virtual machine is configured with specific memory size, such as 2052 MB or 2060 MB, instead of powering on, it might display a blank screen.
- When you set up the network and enable vSphere Distributed Switch health check to perform configuration checks, the ESXi host might fail with purple diagnostic screen.
- The SNMP agent might deliver an incorrect trap vmwVmPoweredOn when a virtual machine is selected under the Summary tab and the Snapshot Manager tab in the vSphere Web Client.
- The DVFilter might receive unexpected or corrupt values in the shared memory ring buffer, causing the internal function to return NULL. If this NULL value is not handled gracefully, an ESXi host might fail with purple diagnostic screen at DVFilter level.
- In the Events tab of the vSphere Client or the vSphere Web Client, when you power on or off virtual machines, you might see events similar to Network connectivity restored on virtual switch XXX, portgroups: XXX. Physical NIC vmnicX is up. When checking uplink status, the system report might include port groups that are not affected by the virtual machine powering on or off operation, which triggers the event. However, the event does not indicate a problem or prompt an action.
- If during the Windows Server Failover Cluster setup you change the default path policy from Fixed or Most Recently Used to Round Robin, the I/O of the cluster might fail and the cluster might stop responding.
- In release builds, the smartd daemon might generate a lot of debugging and info messages into the syslog service logs.
- The NIOC scheduler might reset the uplink network device if the uplink is rarely used. The reset is non-predictable.
- ESXi hosts might intermittently fail if you disable global IPv6 addresses, because a code path still uses IPv6.
- Due to a race condition, the virtual machine executable process might fail and shut down virtual machines during a reboot of the guest OS.
- Hostd might become unresponsive while waiting for an external process initiated with the esxcfg-syslog command to finish.
- Large number of I/Os getting timeout on a heavy-loaded system might cause a soft lockup of physical CPUs. As a result, an ESXi host might fail with a purple diagnostic screen.
- Invalid commands to a virtual SATA CD-ROM might trigger errors and increase the memory usage of virtual machines. This might lead to a failure of virtual machines if they are unable to allocate memory. You might see the following logs for invalid commands:
  
  YYYY-MM-DDTHH:MM:SS.mmmZ| vcpu-1| I125: AHCI-USER: Invalid size in command YYYY-MM-DDTHH:MM:SS.mmmZ| vcpu-1| I125: AHCI-VMM: sata0:0: Halted the port due to command abort.
  
  And a similar panic message:
  YYYY-MM-DDTHH:MM:SS.mmmZ| vcpu-1| E105: PANIC: Unrecoverable memory allocation failure
- If the Guest Introspection service in a vSphere 6.7 environment with more than 150 virtual machines is active, migration of virtual machines by using vSphere vMotion might fail with an error in the vSphere Web Client similar to The source detected that the destination failed to resume.
  The destination vmware.log contains error messages similar to:
  
  2018-07-18T02:41:32.035Z| vmx| I125: MigrateSetState: Transitioning from state 11 to 12. 2018-07-18T02:41:32.035Z| vmx| I125: Migrate: Caching migration error message list: 2018-07-18T02:41:32.035Z| vmx| I125: [msg.checkpoint.migration.failedReceive] Failed to receive migration. 2018-07-18T02:41:32.035Z| vmx| I125: [msg.namespaceDb.badVersion] Incompatible version -1 (expect 2). 2018-07-18T02:41:32.035Z| vmx| I125: [msg.checkpoint.mrestoregroup.failed] An error occurred restoring the virtual machine state during migration.
  
  The vmkernel log contains error messages such as:
  
  2018-07-18T02:32:43.011Z cpu5:66134)WARNING: Heap: 3534: Heap fcntlHeap-1 already at its maximum size. Cannot expand. 2018-07-18T02:41:35.613Z cpu2:66134)WARNING: Heap: 4169: Heap_Align(fcntlHeap-1, 200/200 bytes, 8 align) failed. caller: 0x41800aaca9a3
- You can edit the statistical data to be collected only when the virtual machine is in a particular power state. For example, you cannot edit the memory data when the virtual machine is powered on. When you restart the hostd service, the virtual machine might not change its power state, which leads to false data initialization. The calculation of the host consumed memory counter might end up with division by zero and the chart might stop drawing graphs.
- By default, the Isolation Response feature in an ESXi host with enabled vSphere HA is disabled. When the Isolation Response feature is enabled, a virtual machine port, which is connected to an NSX-T logical switch, might be blocked after a vSphere HA failover.
- e1000 vNICs might intermittently drop unrecognized GRE packets due to a parsing issue.
- While booting an Apple system, the boot process might stop with the following error message:
  Shutting down firmware services... Mutiboot buffer is too small. Unrecoverable error
  
  The issue affects only certain Apple firmware versions.
- If hostd restarts during a long-running quiesced snapshot operation, hostd might automatically run the snapshot Consolidation command to remove redundant disks and improve virtual machine performance. However, the Consolidation command might race with the running quiesced snapshot operation and cause failure of virtual machines.
- The SNMP agent might display the status of all batteries as D_Failed when you run the snmpwalk command. This issue occurs due to the processing of code, which might not check the status properly and the misinterpretation of the compact sensors with sensor-specific code.
- When you use an IP hash or source MAC hash teaming policy, some packets from the packet list might use a different uplink. As a result, some of them might drop or not be sent out through the uplink determined by the teaming policy.
- If an NFS datastore is configured as a syslog datastore and if the ESXi host disconnects from it, logging to the datastore stops and the ESXi host might become unresponsive.
- When you replicate virtual machines by using vSphere Replication with Site Recovery Manager, the ESXi host might fail with a purple diagnostic screen immediately or within 24 hours. You might see a similar error: PANIC bora/vmkernel/main/dlmalloc.c:4924 - Usage error in dlmalloc.
- Larger configurations might exceed the limit for the number of locks and hostd starts failing with an error similar to:
  hostd Panic: MXUserAllocSerialNumber: too many locks!
- Тhe esxcli $esxcli.network.nic.coalesce.set.Invoke network command might return a false value as a result even though the value is correctly set. This might impact your automation scripts.
- When a virtual machine tries to access a VMFS datastore with corrupted directory, the ESXi host might fail with a purple diagnostic screen and the DirEntry corruption error message.
- The LACPPDU Actor key might change its value to 0 during the link status flapping.
- Due to a timing issue in the VMkernel, buffers might not be flushed, and the heap gets exhausted. As a result, services such as hostd, vpxa and vmsyslogd might not be able to write logs on the ESXi host, and the host becomes unresponsive. In the /var/log/vmkernel.log, you might see a similar warning:WARNING: Heap: 3571: Heap vfat already at its maximum size. Cannot expand.
- If you have modified the type of a virtual CD-ROM device of a virtual machine in a previous version of ESXi, after you update to a later version, when you try to install or update VMware Tools, the virtual machine might be terminated and marked as invalid.
- When you renew a certificate, only the first certificate from the supplied chain of trust might be stored on the ESXi host. Any intermediate CA certificates are truncated. Because of the missing certificates, the chain to the root CA cannot be built. This leads to a warning for an untrusted connection.
- If a vSphere API for Storage Awareness provider modifies the vSphere Virtual Volumes policy unattended, a null VvolID parameter might update the vSphere Virtual Volumes metadata. This results in a VASA call with a null VvoId parameter and a failure when creating a virtual machine snapshot.
- If a call from a vSphere API for Storage Awareness provider fails due to all connections to the virtual provider being busy, operations for parallel cloning of multiple virtual machines on a vSphere Virtual Volumes datastore might become unresponsive or fail with an error message similar to Cannot complete file creation operation.
- An ESXi host might fail with a purple diagnostic screen displaying a sbflush_internal panic message due to some discrepancies in the internal statistics.
- With ESXi 6.7 Update 2, you can migrate virtual machines by using vSphere vMotion between ESXi hosts with N-VDS and vSphere Standard Switches. To enable the feature, you must upgrade your vCenter Server system to vCenter Server 6.7 Update 2 and ESXi 6.7 Update 2 on both source and destination sites.
- ESXi hosts might fail with a purple diagnostic screen due to a page fault exception. The error comes from a missing flag that could trigger cache eviction on an object that no longer exists, and result in a NULL pointer reference.
- When checking the uplink status, the teaming policy might not check if the uplink belongs to a port group and the affected port group might not be correct. As a result, you might see redundant VOB messages in the /var/run/log/vobd.log file, such as:
  
  Lost uplink redundancy on virtual switch "xxx". Physical NIC vmnicX is down. Affected portgroups:"xxx".
- You must manually add the claim rules to an ESXi host for Lenovo ThinkSystem DE Series Storage Arrays.
- The vpxa service might fail due to excessive memory usage when iterating on a large directory tree. As a result, an ESXi host might get disconnected from a vCenter Server system.
- The commands esxcli software profile update or esxcli software profile install might fail on hosts running ESXi 6.7 Update 1 with enabled SecureBoot. You might see error messages such as Failed to setup upgrade using esx-update VIB and Failed to mount tardisk in ramdisk: [Errno 1] Operation not permitted.
- NFS volume mount might not persist after a reboot of an ESXi host due to intermittent failure in resolving the host name of the NFS server.
- This issue happens if you create a VMK or vNIC port by using the Route Based on Physical NIC Load option when the physical NIC assigned to that port group is temporarily down. In such cases, the port team uplink is not set because there are no active uplinks in the portgroup. When the physical NIC becomes active again, teaming code fails to update the port data, resulting in a packet loss.
- A race condition can occur when Plog Relog runs along with DecommissionMD, causing Relog to access freed Plog device state tables. This problem can cause a host failure with a purple diagnostic screen.
- If you use devices with physical block size other than 4096 or 512 MB, in the vmkernel logs you might see many warnings similar to:
  ScsiPath: 4395: The Physical block size "8192" reported by the path vmhba3:C0:T1:L0 is not supported.
- After configuring or upgrading a vSAN stretched cluster, all cluster level requests might fail. You might see the following error message:
  name '_VSAN_VER3' is not defined.
- If the virtual machine folder is created using a name instead of UUID, the vSAN performance charts do not show the following VMDK metrics properly:
  - IOPS and IOPS Limit
  - Delayed Normalized IOPS
- In Host > Monitor > Performance > Physical Adapters > pNIC vSwitch Port Drop Rate you might see a counter showing dropped packets, while no packets are dropped. This is because the IOChain framework treats the reduced number of packets, when using LRO, as packet drops.
- An ESXi host might fail with a purple diagnostic screen while powering on a virtual machine. This happens if the virtual machine name starts with “SRIOV” and has an uplink connected to a vSphere Distributed Switch.
- In a rare race condition, when SNMP disables dynamic rulesets, but they are active in a Host Profile, you might see an unexpected compliance error such as Ruleset dynamicruleset not found.
- Recovery of a virtual machine running Windows 2008 or later by using vSphere Replication with application quiescing enabled might result in a corrupt replica. Corruption only happens when application quiescing is enabled. If VMware Tools on the virtual machine is not configured for application quiescing, vSphere Replication uses a lower level of consistency, such as file system quiescing, and replicas are not corrupted.
- When you perform CIM requests more than 2 MB like firmware download, CIM service might fail on an ESXi host due to out of stack space and the SFCB zdumbfile appears in /var/core.
- The number of syslog.log archive files generated might be one less than the default value set by using the syslog.global.defaultRotate parameter. The number of syslog.log archive files might also be different between ESXi versions 6.0 and 6.7. For instance, if syslog.global.defaultRotate is set to 8 by default, ESXi 6.0 creates syslog.0.gz to syslog.7.gz, while ESXi 6.7 creates syslog.0.gz to syslog.6.gz.
- If you set the advanced config option /Misc/MCEMonitorInterval to a very large value, ESXi hosts might become unresponsive in around 10 days of uptime, due to a timer overflow.
- The P2MCache lock is a spin lock causing slow CPU performance that might cause starvation of other CPUs. As a result, an ESXi host might fail with a purple diagnostic screen and a Spin count exceeded - possible deadlock, PVSCSIDoIOComplet, NFSAsyncIOComplete error.
- An ESXi host might fail with a purple diagnostic screen during a Storage vMotion operation between NFS datastores, due to a race condition in the request completion path. The race condition happens under heavy I/O load in the NFS stack.
- During disk decommission operation, a race condition in the decommission workflow might cause the ESXi host to fail with a purple diagnostic screen.
- An ESXi host might fail with a purple diagnostic screen if RSS is enabled on a physical NIC. You might see a similar backtrace:
  yyyy-mm-dd cpu9:2097316)0x451a8521bc70:[0x41801a68ad30]RSSPlugCleanupRSSEngine@(lb_netqueue_bal)#+0x7d stack: 0x4305e4c1a8e0, 0x41801a68af2b, 0x430db8c6b188, 0x4305e4c1a8e0, 0x0yyyy-mm-dd cpu9:2097316)0x451a8521bc90:[0x41801a68af2a]RSSPlugInitRSSEngine@(lb_netqueue_bal)#+0x127 stack: 0x0, 0x20c49ba5e353f7cf, 0x4305e4c1a930, 0x4305e4c1a800, 0x4305e4c1a9f0 yyyy-mm-dd cpu9:2097316)0x451a8521bcd0:[0x41801a68b21c]RSSPlug_PreBalanceWork@(lb_netqueue_bal)#+0x1cd stack: 0x32, 0x32, 0x0, 0xe0, 0x4305e4c1a800 yyyy-mm-dd cpu9:2097316)0x451a8521bd30:[0x41801a687752]Lb_PreBalanceWork@(lb_netqueue_bal)#+0x21f stack: 0x4305e4c1a800, 0xff, 0x0, 0x43057f38ea00, 0x4305e4c1a800 yyyy-mm-dd cpu9:2097316)0x451a8521bd80:[0x418019c13b18]UplinkNetqueueBal_BalanceCB@vmkernel#nover+0x6f1 stack: 0x4305e4bc6088, 0x4305e4c1a840, 0x4305e4c1a800, 0x4305e435fb30, 0x4305e4bc6088 yyyy-mm-dd cpu9:2097316)0x451a8521bf00:[0x418019cd1c89]UplinkAsyncProcessCallsHelperCB@vmkernel#nover+0x116 stack: 0x430749e60870, 0x430196737070, 0x451a85223000, 0x418019ae832b, 0x430749e60088 yyyy-mm-dd cpu9:2097316)0x451a8521bf30:[0x418019ae832a]HelperQueueFunc@vmkernel#nover+0x157 stack: 0x430749e600b8, 0x430749e600a8, 0x430749e600e0, 0x451a85223000, 0x430749e600b8 yyyy-mm-dd cpu9:2097316)0x451a8521bfe0:[0x418019d081f2]CpuSched_StartWorld@vmkernel#nover+0x77 stack: 0x0, 0x0, 0x0, 0x0, 0x0
- When the VASA provider sends a rebind request to an ESXi host to switch the binding for a particular vSphere Virtual Volume driver, the ESXi host might switch the protocol endpoint and other resources to change the binding without any I/O disturbance. As a result, the ESXi host might fail with a purple diagnostic screen.
- Some IPMI sensors might intermittently change from green to red and the reverse, which creates false hardware health alarms.
- If you install an async 32-bit IMA plug-in and there are already installed 32-bit IMA plug-ins, the system might try to load these plug-ins and check if they are loaded from the QLogic independent iSCSI adapter. During this process the ESXi host might fail with a memory admission error.
- If you run a reprotect operation by using the Site Recovery Manager, the operation might fail if a virtual machine is late with the initial synchronization. You might see an error similar to:
  VR synchronization failed for VRM group {…}. Operation timed out: 10800 seconds
- When I/O throttling is enabled on a protocol endpoint of Virtual Volumes on HPE 3PAR storage and if an I/O on a secondary LUN fails with an error TASK_SET_FULL, the I/O rate on all secondary LUNs that are associated with the protocol endpoint slows down.
- The qlnativefc driver is updated to version 3.1.8.0.
- The nfnic driver is updated to version 4.0.0.17.
- Emulex drivers might write logs at /var/log/EMU/mili/mili2d.log and fill up the 40 MB /var file system logs of RAM drives.
- ESXi 6.7 Update 2 adds Solarflare native driver (sfvmk) support for Solarflare 10G and 40G network adaptor devices, such as SFN8542 and SFN8522.
- The lsi-msgpt2 driver is updated to version 20.00.05.00 to address task management enhancements and critical bug fixes.
- You might not be able to locate and turn on the LED for disks under a lsi-msgpt35 controller.
- If a split I/O request is cancelled in the inbox nvme driver, the command completion path might unlock the queue lock due to an incorrect check of the command type. This might cause ESXi hosts to fail with a purple diagnostic screen.
- VMware inbox nvme driver supports only doorbell stride with value 0h and you cannot use any other value or see NVMe devices with doorbell stride different from 0h.
- For some Dell-branded NVMe devices, and for Marvell NR2241, you might see incorrect NVMe device information by running the esxcfg-scsidevs –a command or looking at the interface.
- The Broadcom lsi-mr3 driver is upgraded to version MR 7.8.
- The lsi-msgpt35 driver is updated to version 09.00.00.00-1vmw.
- The lsi-msgpt3 driver is updated to version 17.00.01.00-3vmw.
- If you extract a Host Profile from an ESXi host with disabled IPv6 support, and the IPv4 default gateway is overridden while remediating that Host Profile, you might see a message that a virtual network adapter, such as DSwitch0, is to be created on the vSphere Distributed Switch (VDS), but the adapter is actually removed from the VDS. This is due to a "::" value of the ipV6DefaultGateway parameter.
- Some guest virtual machines might report their identity as an empty string if the guest is running a later version of VMware Tools than the ESXi host was released with, or if the host cannot recognize the guestID parameter of the GuestInfo object. The issue affects mainly virtual machines with CentOS and VMware Photon OS.
- You might see repetitive messages in the vCenter Web Client, similar to Delete host sub specification nsx if you use network booting for ESXi hosts, due to some dummy code in hostd.
- The installation of the VMware Tools unmounts the ISO image file that ends with autoinst.iso, if it is already mounted to the virtual machine. To mount the VMware Tools ISO image file, you must click Install VMware Tools again. As a result, the virtual machine might stop responding.
- ESXi hosts might lose connectivity to the vCenter Sever system due to failure of the vpxa agent service in result of an invalid property update generated by the PropertyCollector object. A race condition in hostd leads to a malformed sequence of property update notification events that cause the invalid property update.

ESXi-6.7.0-20190402001-no-tools

Profile Name	ESXi-6.7.0-20190402001-no-tools
Build	For build information, see Patches Contained in this Release.
Vendor	VMware, Inc.
Release Date	April 11, 2019
Acceptance Level	PartnerSupported
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMware_bootbank_vsanhealth_6.7.0-2.48.12775454 VMware_bootbank_vsan_6.7.0-2.48.12775451 VMware_bootbank_esx-base_6.7.0-2.48.13006603 VMware_bootbank_esx-update_6.7.0-2.48.13006603 VMW_bootbank_i40en_1.3.1-23vmw.670.2.48.13006603 VMW_bootbank_igbn_0.1.1.0-4vmw.670.2.48.13006603 VMW_bootbank_ixgben_1.4.1-18vmw.670.2.48.13006603 VMW_bootbank_ne1000_0.8.4-2vmw.670.2.48.13006603 VMW_bootbank_vmkusb_0.1-1vmw.670.2.48.13006603 VMware_bootbank_qlnativefc_3.1.8.0-4vmw.670.2.48.13006603 VMW_bootbank_nfnic_4.0.0.17-0vmw.670.2.48.13006603 VMW_bootbank_brcmfcoe_11.4.1078.19-12vmw.670.2.48.13006603 VMW_bootbank_lpfc_11.4.33.18-12vmw.670.2.48.13006603 VMware_bootbank_elx-esx-libelxima.so_11.4.1184.1-2.48.13006603 VMW_bootbank_misc-drivers_6.7.0-2.48.13006603 VMware_bootbank_lsu-lsi-lsi-msgpt3-plugin_1.0.0-9vmw.670.2.48.13006603 VMW_bootbank_sfvmk_1.0.0.1003-6vmw.670.2.48.13006603 VMW_bootbank_lsi-msgpt2_20.00.05.00-1vmw.670.2.48.13006603 VMW_bootbank_nmlx4-core_3.17.13.1-1vmw.670.2.48.13006603 VMW_bootbank_nmlx4-en_3.17.13.1-1vmw.670.2.48.13006603 VMW_bootbank_nmlx4-rdma_3.17.13.1-1vmw.670.2.48.13006603 VMW_bootbank_nmlx5-core_4.17.13.1-1vmw.670.2.48.13006603 VMW_bootbank_nmlx5-rdma_4.17.13.1-1vmw.670.2.48.13006603 VMW_bootbank_bnxtnet_20.6.101.7-21vmw.670.2.48.13006603 VMware_bootbank_lsu-lsi-drivers-plugin_1.0.0-1vmw.670.2.48.13006603 VMW_bootbank_nvme_1.2.2.27-1vmw.670.2.48.13006603 VMware_bootbank_vmware-esx-esxcli-nvme-plugin_1.2.0.36-2.48.13006603 VMW_bootbank_lsi-mr3_7.708.07.00-2vmw.670.2.48.13006603 VMW_bootbank_lsi-msgpt35_09.00.00.00-1vmw.670.2.48.13006603 VMW_bootbank_lsi-msgpt3_17.00.01.00-3vmw.670.2.48.13006603 VMW_bootbank_net-vmxnet3_1.1.3.0-3vmw.670.2.48.13006603 VMware_bootbank_native-misc-drivers_6.7.0-2.48.13006603 VMware_locker_tools-light_10.3.5.10430147-12986307 VMware_bootbank_esx-ui_1.33.3-12923304
PRs Fixed	2227123, 2250472, 2273186, 2282052, 2267506, 2256771, 2269616, 2250697, 2193516, 2203431, 2264996, 2267158, 2231707, 2191342, 2197795, 2221935, 2193830, 2210364, 2177107, 2179263, 2185906, 2204508, 2211350, 2204204, 2226565, 2240385, 2163397, 2238134, 2213883, 2141221, 2240444, 2249713, 2184068, 2257480, 2235031, 2257354, 2212140, 2279897, 2227623, 2277648, 2221778, 2287560, 2268541, 2203837, 2236531, 2242656, 2250653, 2260748, 2256001, 2266762, 2263849, 2267698, 2271653, 2232538, 2210056, 2271322, 2272737, 2286563, 2178119, 2223879, 2221256, 2258272, 2219661, 2268826, 2224767, 2257590, 2241917, 2246891, 2228529, 2231435, 2226688, 2234599, 2256555, 2242441, 2270098, 2272901, 2275290
Related CVE numbers	N/A

This patch updates the following issues:
- You might intermittently see alarms for very large values of counters for read or write disk latency, such as datastore.totalReadLatency and datastore.totalWriteLatency.
- When a Linux virtual machine is configured with specific memory size, such as 2052 MB or 2060 MB, instead of powering on, it might display a blank screen.
- When you set up the network and enable vSphere Distributed Switch health check to perform configuration checks, the ESXi host might fail with purple diagnostic screen.
- The SNMP agent might deliver an incorrect trap vmwVmPoweredOn when a virtual machine is selected under the Summary tab and the Snapshot Manager tab in the vSphere Web Client.
- The DVFilter might receive unexpected or corrupt values in the shared memory ring buffer, causing the internal function to return NULL. If this NULL value is not handled gracefully, an ESXi host might fail with purple diagnostic screen at DVFilter level.
- In the Events tab of the vSphere Client or the vSphere Web Client, when you power on or off virtual machines, you might see events similar to Network connectivity restored on virtual switch XXX, portgroups: XXX. Physical NIC vmnicX is up. When checking uplink status, the system report might include port groups that are not affected by the virtual machine powering on or off operation, which triggers the event. However, the event does not indicate a problem or prompt an action.
- If during the Windows Server Failover Cluster setup you change the default path policy from Fixed or Most Recently Used to Round Robin, the I/O of the cluster might fail and the cluster might stop responding.
- In release builds, the smartd daemon might generate a lot of debugging and info messages into the syslog service logs.
- The NIOC scheduler might reset the uplink network device if the uplink is rarely used. The reset is non-predictable.
- ESXi hosts might intermittently fail if you disable global IPv6 addresses, because a code path still uses IPv6.
- Due to a race condition, the virtual machine executable process might fail and shut down virtual machines during a reboot of the guest OS.
- Hostd might become unresponsive while waiting for an external process initiated with the esxcfg-syslog command to finish.
- Large number of I/Os getting timeout on a heavy-loaded system might cause a soft lockup of physical CPUs. As a result, an ESXi host might fail with a purple diagnostic screen.
- Invalid commands to a virtual SATA CD-ROM might trigger errors and increase the memory usage of virtual machines. This might lead to a failure of virtual machines if they are unable to allocate memory. You might see the following logs for invalid commands:
  
  YYYY-MM-DDTHH:MM:SS.mmmZ| vcpu-1| I125: AHCI-USER: Invalid size in command YYYY-MM-DDTHH:MM:SS.mmmZ| vcpu-1| I125: AHCI-VMM: sata0:0: Halted the port due to command abort.
  
  And a similar panic message:
  YYYY-MM-DDTHH:MM:SS.mmmZ| vcpu-1| E105: PANIC: Unrecoverable memory allocation failure
- If the Guest Introspection service in a vSphere 6.7 environment with more than 150 virtual machines is active, migration of virtual machines by using vSphere vMotion might fail with an error in the vSphere Web Client similar to The source detected that the destination failed to resume.
  The destination vmware.log contains error messages similar to:
  
  2018-07-18T02:41:32.035Z| vmx| I125: MigrateSetState: Transitioning from state 11 to 12. 2018-07-18T02:41:32.035Z| vmx| I125: Migrate: Caching migration error message list: 2018-07-18T02:41:32.035Z| vmx| I125: [msg.checkpoint.migration.failedReceive] Failed to receive migration. 2018-07-18T02:41:32.035Z| vmx| I125: [msg.namespaceDb.badVersion] Incompatible version -1 (expect 2). 2018-07-18T02:41:32.035Z| vmx| I125: [msg.checkpoint.mrestoregroup.failed] An error occurred restoring the virtual machine state during migration.
  
  The vmkernel log contains error messages such as:
  
  2018-07-18T02:32:43.011Z cpu5:66134)WARNING: Heap: 3534: Heap fcntlHeap-1 already at its maximum size. Cannot expand. 2018-07-18T02:41:35.613Z cpu2:66134)WARNING: Heap: 4169: Heap_Align(fcntlHeap-1, 200/200 bytes, 8 align) failed. caller: 0x41800aaca9a3
- You can edit the statistical data to be collected only when the virtual machine is in a particular power state. For example, you cannot edit the memory data when the virtual machine is powered on. When you restart the hostd service, the virtual machine might not change its power state, which leads to false data initialization. The calculation of the host consumed memory counter might end up with division by zero and the chart might stop drawing graphs.
- By default, the Isolation Response feature in an ESXi host with enabled vSphere HA is disabled. When the Isolation Response feature is enabled, a virtual machine port, which is connected to an NSX-T logical switch, might be blocked after a vSphere HA failover.
- e1000 vNICs might intermittently drop unrecognized GRE packets due to a parsing issue.
- While booting an Apple system, the boot process might stop with the following error message:
  Shutting down firmware services... Mutiboot buffer is too small. Unrecoverable error
  
  The issue affects only certain Apple firmware versions.
- If hostd restarts during a long-running quiesced snapshot operation, hostd might automatically run the snapshot Consolidation command to remove redundant disks and improve virtual machine performance. However, the Consolidation command might race with the running quiesced snapshot operation and cause failure of virtual machines.
- The SNMP agent might display the status of all batteries as D_Failed when you run the snmpwalk command. This issue occurs due to the processing of code, which might not check the status properly and the misinterpretation of the compact sensors with sensor-specific code.
- When you use an IP hash or source MAC hash teaming policy, some packets from the packet list might use a different uplink. As a result, some of them might drop or not be sent out through the uplink determined by the teaming policy.
- If an NFS datastore is configured as a syslog datastore and if the ESXi host disconnects from it, logging to the datastore stops and the ESXi host might become unresponsive.
- When you replicate virtual machines by using vSphere Replication with Site Recovery Manager, the ESXi host might fail with a purple diagnostic screen immediately or within 24 hours. You might see a similar error: PANIC bora/vmkernel/main/dlmalloc.c:4924 - Usage error in dlmalloc.
- Larger configurations might exceed the limit for the number of locks and hostd starts failing with an error similar to:
  hostd Panic: MXUserAllocSerialNumber: too many locks!
- Тhe esxcli $esxcli.network.nic.coalesce.set.Invoke network command might return a false value as a result even though the value is correctly set. This might impact your automation scripts.
- When a virtual machine tries to access a VMFS datastore with corrupted directory, the ESXi host might fail with a purple diagnostic screen and the DirEntry corruption error message.
- The LACPPDU Actor key might change its value to 0 during the link status flapping.
- Due to a timing issue in the VMkernel, buffers might not be flushed, and the heap gets exhausted. As a result, services such as hostd, vpxa and vmsyslogd might not be able to write logs on the ESXi host, and the host becomes unresponsive. In the /var/log/vmkernel.log, you might see a similar warning:WARNING: Heap: 3571: Heap vfat already at its maximum size. Cannot expand.
- If you have modified the type of a virtual CD-ROM device of a virtual machine in a previous version of ESXi, after you update to a later version, when you try to install or update VMware Tools, the virtual machine might be terminated and marked as invalid.
- When you renew a certificate, only the first certificate from the supplied chain of trust might be stored on the ESXi host. Any intermediate CA certificates are truncated. Because of the missing certificates, the chain to the root CA cannot be built. This leads to a warning for an untrusted connection.
- If a vSphere API for Storage Awareness provider modifies the vSphere Virtual Volumes policy unattended, a null VvolID parameter might update the vSphere Virtual Volumes metadata. This results in a VASA call with a null VvoId parameter and a failure when creating a virtual machine snapshot.
- If a call from a vSphere API for Storage Awareness provider fails due to all connections to the virtual provider being busy, operations for parallel cloning of multiple virtual machines on a vSphere Virtual Volumes datastore might become unresponsive or fail with an error message similar to Cannot complete file creation operation.
- An ESXi host might fail with a purple diagnostic screen displaying a sbflush_internal panic message due to some discrepancies in the internal statistics.
- With ESXi 6.7 Update 2, you can migrate virtual machines by using vSphere vMotion between ESXi hosts with N-VDS and vSphere Standard Switches. To enable the feature, you must upgrade your vCenter Server system to vCenter Server 6.7 Update 2 and ESXi 6.7 Update 2 on both source and destination sites.
- ESXi hosts might fail with a purple diagnostic screen due to a page fault exception. The error comes from a missing flag that could trigger cache eviction on an object that no longer exists, and result in a NULL pointer reference.
- When checking the uplink status, the teaming policy might not check if the uplink belongs to a port group and the affected port group might not be correct. As a result, you might see redundant VOB messages in the /var/run/log/vobd.log file, such as:
  
  Lost uplink redundancy on virtual switch "xxx". Physical NIC vmnicX is down. Affected portgroups:"xxx".
- You must manually add the claim rules to an ESXi host for Lenovo ThinkSystem DE Series Storage Arrays.
- The vpxa service might fail due to excessive memory usage when iterating on a large directory tree. As a result, an ESXi host might get disconnected from a vCenter Server system.
- The commands esxcli software profile update or esxcli software profile install might fail on hosts running ESXi 6.7 Update 1 with enabled SecureBoot. You might see error messages such as Failed to setup upgrade using esx-update VIB and Failed to mount tardisk in ramdisk: [Errno 1] Operation not permitted.
- NFS volume mount might not persist after a reboot of an ESXi host due to intermittent failure in resolving the host name of the NFS server.
- This issue happens if you create a VMK or vNIC port by using the Route Based on Physical NIC Load option when the physical NIC assigned to that port group is temporarily down. In such cases, the port team uplink is not set because there are no active uplinks in the portgroup. When the physical NIC becomes active again, teaming code fails to update the port data, resulting in a packet loss.
- A race condition can occur when Plog Relog runs along with DecommissionMD, causing Relog to access freed Plog device state tables. This problem can cause a host failure with a purple diagnostic screen.
- If you use devices with physical block size other than 4096 or 512 MB, in the vmkernel logs you might see many warnings similar to:
  ScsiPath: 4395: The Physical block size "8192" reported by the path vmhba3:C0:T1:L0 is not supported.
- After configuring or upgrading a vSAN stretched cluster, all cluster level requests might fail. You might see the following error message:
  name '_VSAN_VER3' is not defined.
- If the virtual machine folder is created using a name instead of UUID, the vSAN performance charts do not show the following VMDK metrics properly:
  - IOPS and IOPS Limit
  - Delayed Normalized IOPS
- In Host > Monitor > Performance > Physical Adapters > pNIC vSwitch Port Drop Rate you might see a counter showing dropped packets, while no packets are dropped. This is because the IOChain framework treats the reduced number of packets, when using LRO, as packet drops.
- An ESXi host might fail with a purple diagnostic screen while powering on a virtual machine. This happens if the virtual machine name starts with “SRIOV” and has an uplink connected to a vSphere Distributed Switch.
- In a rare race condition, when SNMP disables dynamic rulesets, but they are active in a Host Profile, you might see an unexpected compliance error such as Ruleset dynamicruleset not found.
- Recovery of a virtual machine running Windows 2008 or later by using vSphere Replication with application quiescing enabled might result in a corrupt replica. Corruption only happens when application quiescing is enabled. If VMware Tools on the virtual machine is not configured for application quiescing, vSphere Replication uses a lower level of consistency, such as file system quiescing, and replicas are not corrupted.
- When you perform CIM requests more than 2 MB like firmware download, CIM service might fail on an ESXi host due to out of stack space and the SFCB zdumbfile appears in /var/core.
- The number of syslog.log archive files generated might be one less than the default value set by using the syslog.global.defaultRotate parameter. The number of syslog.log archive files might also be different between ESXi versions 6.0 and 6.7. For instance, if syslog.global.defaultRotate is set to 8 by default, ESXi 6.0 creates syslog.0.gz to syslog.7.gz, while ESXi 6.7 creates syslog.0.gz to syslog.6.gz.
- If you set the advanced config option /Misc/MCEMonitorInterval to a very large value, ESXi hosts might become unresponsive in around 10 days of uptime, due to a timer overflow.
- The P2MCache lock is a spin lock causing slow CPU performance that might cause starvation of other CPUs. As a result, an ESXi host might fail with a purple diagnostic screen and a Spin count exceeded - possible deadlock, PVSCSIDoIOComplet, NFSAsyncIOComplete error.
- An ESXi host might fail with a purple diagnostic screen during a Storage vMotion operation between NFS datastores, due to a race condition in the request completion path. The race condition happens under heavy I/O load in the NFS stack.
- During disk decommission operation, a race condition in the decommission workflow might cause the ESXi host to fail with a purple diagnostic screen.
- An ESXi host might fail with a purple diagnostic screen if RSS is enabled on a physical NIC. You might see a similar backtrace:
  yyyy-mm-dd cpu9:2097316)0x451a8521bc70:[0x41801a68ad30]RSSPlugCleanupRSSEngine@(lb_netqueue_bal)#+0x7d stack: 0x4305e4c1a8e0, 0x41801a68af2b, 0x430db8c6b188, 0x4305e4c1a8e0, 0x0yyyy-mm-dd cpu9:2097316)0x451a8521bc90:[0x41801a68af2a]RSSPlugInitRSSEngine@(lb_netqueue_bal)#+0x127 stack: 0x0, 0x20c49ba5e353f7cf, 0x4305e4c1a930, 0x4305e4c1a800, 0x4305e4c1a9f0 yyyy-mm-dd cpu9:2097316)0x451a8521bcd0:[0x41801a68b21c]RSSPlug_PreBalanceWork@(lb_netqueue_bal)#+0x1cd stack: 0x32, 0x32, 0x0, 0xe0, 0x4305e4c1a800 yyyy-mm-dd cpu9:2097316)0x451a8521bd30:[0x41801a687752]Lb_PreBalanceWork@(lb_netqueue_bal)#+0x21f stack: 0x4305e4c1a800, 0xff, 0x0, 0x43057f38ea00, 0x4305e4c1a800 yyyy-mm-dd cpu9:2097316)0x451a8521bd80:[0x418019c13b18]UplinkNetqueueBal_BalanceCB@vmkernel#nover+0x6f1 stack: 0x4305e4bc6088, 0x4305e4c1a840, 0x4305e4c1a800, 0x4305e435fb30, 0x4305e4bc6088 yyyy-mm-dd cpu9:2097316)0x451a8521bf00:[0x418019cd1c89]UplinkAsyncProcessCallsHelperCB@vmkernel#nover+0x116 stack: 0x430749e60870, 0x430196737070, 0x451a85223000, 0x418019ae832b, 0x430749e60088 yyyy-mm-dd cpu9:2097316)0x451a8521bf30:[0x418019ae832a]HelperQueueFunc@vmkernel#nover+0x157 stack: 0x430749e600b8, 0x430749e600a8, 0x430749e600e0, 0x451a85223000, 0x430749e600b8 yyyy-mm-dd cpu9:2097316)0x451a8521bfe0:[0x418019d081f2]CpuSched_StartWorld@vmkernel#nover+0x77 stack: 0x0, 0x0, 0x0, 0x0, 0x0
- When the VASA provider sends a rebind request to an ESXi host to switch the binding for a particular vSphere Virtual Volume driver, the ESXi host might switch the protocol endpoint and other resources to change the binding without any I/O disturbance. As a result, the ESXi host might fail with a purple diagnostic screen.
- Some IPMI sensors might intermittently change from green to red and the reverse, which creates false hardware health alarms.
- If you install an async 32-bit IMA plug-in and there are already installed 32-bit IMA plug-ins, the system might try to load these plug-ins and check if they are loaded from the QLogic independent iSCSI adapter. During this process the ESXi host might fail with a memory admission error.
- If you run a reprotect operation by using the Site Recovery Manager, the operation might fail if a virtual machine is late with the initial synchronization. You might see an error similar to:
  VR synchronization failed for VRM group {…}. Operation timed out: 10800 seconds
- When I/O throttling is enabled on a protocol endpoint of Virtual Volumes on HPE 3PAR storage and if an I/O on a secondary LUN fails with an error TASK_SET_FULL, the I/O rate on all secondary LUNs that are associated with the protocol endpoint slows down.
- The qlnativefc driver is updated to version 3.1.8.0.
- The nfnic driver is updated to version 4.0.0.17.
- Emulex drivers might write logs at /var/log/EMU/mili/mili2d.log and fill up the 40 MB /var file system logs of RAM drives.
- ESXi 6.7 Update 2 adds Solarflare native driver (sfvmk) support for Solarflare 10G and 40G network adaptor devices, such as SFN8542 and SFN8522.
- The lsi-msgpt2 driver is updated to version 20.00.05.00 to address task management enhancements and critical bug fixes.
- You might not be able to locate and turn on the LED for disks under a lsi-msgpt35 controller.
- If a split I/O request is cancelled in the inbox nvme driver, the command completion path might unlock the queue lock due to an incorrect check of the command type. This might cause ESXi hosts to fail with a purple diagnostic screen.
- VMware inbox nvme driver supports only doorbell stride with value 0h and you cannot use any other value or see NVMe devices with doorbell stride different from 0h.
- For some Dell-branded NVMe devices, and for Marvell NR2241, you might see incorrect NVMe device information by running the esxcfg-scsidevs –a command or looking at the interface.
- The Broadcom lsi-mr3 driver is upgraded to version MR 7.8.
- The lsi-msgpt35 driver is updated to version 09.00.00.00-1vmw.
- The lsi-msgpt3 driver is updated to version 17.00.01.00-3vmw.
- If you extract a Host Profile from an ESXi host with disabled IPv6 support, and the IPv4 default gateway is overridden while remediating that Host Profile, you might see a message that a virtual network adapter, such as DSwitch0, is to be created on the vSphere Distributed Switch (VDS), but the adapter is actually removed from the VDS. This is due to a "::" value of the ipV6DefaultGateway parameter.
- Some guest virtual machines might report their identity as an empty string if the guest is running a later version of VMware Tools than the ESXi host was released with, or if the host cannot recognize the guestID parameter of the GuestInfo object. The issue affects mainly virtual machines with CentOS and VMware Photon OS.
- You might see repetitive messages in the vCenter Web Client, similar to Delete host sub specification nsx if you use network booting for ESXi hosts, due to some dummy code in hostd.
- The installation of the VMware Tools unmounts the ISO image file that ends with autoinst.iso, if it is already mounted to the virtual machine. To mount the VMware Tools ISO image file, you must click Install VMware Tools again. As a result, the virtual machine might stop responding.
- ESXi hosts might lose connectivity to the vCenter Sever system due to failure of the vpxa agent service in result of an invalid property update generated by the PropertyCollector object. A race condition in hostd leads to a malformed sequence of property update notification events that cause the invalid property update.

ESXi-6.7.0-20190401001s-standard

Profile Name	ESXi-6.7.0-20190401001s-standard
Build	For build information, see Patches Contained in this Release.
Vendor	VMware, Inc.
Release Date	Аpril 11, 2019
Acceptance Level	PartnerSupported
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMware_bootbank_vsan_6.7.0-1.44.11399678 VMware_bootbank_esx-update_6.7.0-1.44.12986307 VMware_bootbank_esx-base_6.7.0-1.44.12986307 VMware_bootbank_vsanhealth_6.7.0-1.44.11399680 VMware_locker_tools-light_10.3.5.10430147-12986307 VMware_bootbank_esx-ui_1.33.3-12923304
PRs Fixed	2228005, 2301046, 2232983, 2222019, 2224776, 2260077, 2232955
Related CVE numbers	CVE-2019-5516, CVE-2019-5517, CVE-2019-5520

This patch updates the following issues:

- You might see many error messages such as Heap globalCartel-1 already at its maximum size. Cannot expand. in the vmkernel.log, because the sfcbd service fails to process all forked processes. As a result, the ESXi host might become unresponsive and some operations might fail.
- The NTP daemon is updated to version ntp-4.2.8p12.
- The ESXi userworld libxml2 library is updated to version 2.9.8.
- The Python third party library is updated to version 3.5.6.
- The OpenSSH is updated to version 7.9 to resolve security issue with identifier CVE-2018-15473.
- The OpenSSL package is updated to version openssl-1.0.2r.
- ESXi updates address an out-of-bounds vulnerability with the vertex shader functionality. Exploitation of this issue requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on their own VM. The workaround for this issue involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2019-5516 to this issue. See VMSA-2019-0006 for further information.
- ESXi contains multiple out-of-bounds read vulnerabilities in the shader translator. Exploitation of these issues requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation of these issues may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on their own VM. The workaround for these issues involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2019-5517 to these issues. See VMSA-2019-0006 for further information.
- ESXi updates address an out-of-bounds read vulnerability. Exploitation of this issue requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation of this issue may lead to information disclosure. The workaround for this issue involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2019-5520 to this issue. See VMSA-2019-0006 for further information.

ESXi-6.7.0-20190401001s-no-tools

Profile Name	ESXi-6.7.0-20190301001s-no-tools
Build	For build information, see Patches Contained in this Release.
Vendor	VMware, Inc.
Release Date	April 11, 2019
Acceptance Level	PartnerSupported
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMware_bootbank_vsan_6.7.0-1.44.11399678 VMware_bootbank_esx-update_6.7.0-1.44.12986307 VMware_bootbank_esx-base_6.7.0-1.44.12986307 VMware_bootbank_vsanhealth_6.7.0-1.44.11399680 VMware_bootbank_esx-ui_1.33.3-12923304
PRs Fixed	2228005, 2301046, 2232983, 2222019, 2224776, 2260077, 2232955
Related CVE numbers	CVE-2019-5516, CVE-2019-5517, CVE-2019-5520

This patch updates the following issues:

- You might see many error messages such as Heap globalCartel-1 already at its maximum size. Cannot expand. in the vmkernel.log, because the sfcbd service fails to process all forked processes. As a result, the ESXi host might become unresponsive and some operations might fail.
- The NTP daemon is updated to version ntp-4.2.8p12.
- The ESXi userworld libxml2 library is updated to version 2.9.8.
- The Python third party library is updated to version 3.5.6.
- The OpenSSH is updated to version 7.9 to resolve security issue with identifier CVE-2018-15473.
- The OpenSSL package is updated to version openssl-1.0.2r.
- ESXi updates address an out-of-bounds vulnerability with the vertex shader functionality. Exploitation of this issue requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on their own VM. The workaround for this issue involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2019-5516 to this issue. See VMSA-2019-0006 for further information.
- ESXi contains multiple out-of-bounds read vulnerabilities in the shader translator. Exploitation of these issues requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation of these issues may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on their own VM. The workaround for these issues involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2019-5517 to these issues. See VMSA-2019-0006 for further information.
- ESXi updates address an out-of-bounds read vulnerability. Exploitation of this issue requires an attacker to have access to a virtual machine with 3D graphics enabled. Successful exploitation of this issue may lead to information disclosure. The workaround for this issue involves disabling the 3D-acceleration feature. This feature is not enabled by default on ESXi. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2019-5520 to this issue. See VMSA-2019-0006 for further information.

Known Issues

The known issues are grouped as follows.

Miscellaneous
Known Issues from Earlier Releases

Miscellaneous

The ESXi Syslog service might display inaccurate timestamps at start or rotation
The ESXi Syslog service might display inaccurate timestamps when the service starts or restarts, or when the log reaches its maximum size by configuration and rotates.

Workaround: This issue is resolved for fresh installs of ESXi. To fix the issue on the existing configuration for the hostd.log, you must:
1. Open the /etc/vmsyslog.conf.d/hostd.conf file.
2. Replace onrotate = logger -t Hostd < /var/run/vmware/hostdLogHeader.txt with
  onrotate = printf '%%s - last log rotation time, %%s\n' "$(date --utc +%%FT%%T.%%3NZ)" "$(cat /var/run/vmware/hostdLogHeader.txt)" | logger -t Hostd
3. Save the changes.
4. Restart the vmsyslogd service by running /etc/init.d/vmsyslogd restart.
You cannot migrate virtual machines by using vSphere vMotion on different NSX Logical Switches
In ESXi 6.7 Update 2, migration of virtual machines using vSphere vMotion between two different NSX Logical Switches is not supported. You can still migrate virtual machines with vSphere vMotion on the same NSX Logical Switch.

Workaround: None
When you upgrade to VMware ESXi 6.7 Update 2, the SSH service might stop responding
When you upgrade to VMware ESXi 6.7 Update 2 and boot an ESXi host, the /etc/ssh/sshd_config file might contain Unicode characters. As a result, the SSH configuration might not be updated and the SSH service might stop responding, refusing the incoming connections.

Workaround: You must disable and then enable the SSH service manually, following the steps in VMware knowledge base article 2004746.
When you upgrade to VMware ESXi 6.7 Update 2, the SSH update is successful if the first line in the /etc/ssh/sshd_config file displays: # Version 6.7.2.0.
Linux guest OS in ESXi hosts might become unresponsive if you run the kdump utility while vIOMMU is enabled
Some Linux guest OS might become unresponsive while initializing the kdump kernel if vIOMMU is enabled.

Workaround: If kdump is required, turn off interrupt remapping in the guest OS by appending intremap=off to the grub menu or disable vIOMMU for this virtual machine completely.

Known Issues from Earlier Releases

To view a list of previous known issues, click here.

The earlier known issues are grouped as follows.

Installation, Upgrade, and Migration Issues
Security Features Issues
Networking Issues
Storage Issues
Backup and Restore Issues
vCenter Server Appliance, vCenter Server, vSphere Web Client, and vSphere Client Issues
Virtual Machine Management Issues
vSphere HA and Fault Tolerance Issues
Auto Deploy and Image Builder Issues
Miscellaneous Issues

Installation, Upgrade, and Migration Issues

ESXi installation or upgrade fail due to memory corruption on HPE ProLiant - DL380/360 Gen 9 Servers
The issue occurs on HPE ProLiant - DL380/360 Gen 9 Servers that have a Smart Array P440ar storage controller.

Workaround: Set the server BIOS mode to UEFI before you install or upgrade ESXi.
After an ESXi upgrade to version 6.7 and a subsequent rollback to version 6.5 or earlier, you might experience failures with error messages
You might see failures and error messages when you perform one of the following on your ESXi host after reverting to 6.5 or earlier versions:
- Install patches and VIBs on the host
  Error message: [DependencyError] VIB VMware_locker_tools-light requires esx-version >= 6.6.0
- Install or upgrade VMware Tools on VMs
  Error message: Unable to install VMware Tools.
After the ESXi rollback from version 6.7, the new tools-light VIB does not revert to the earlier version. As a result, the VIB becomes incompatible with the rolled back ESXi host causing these issues.

Workaround: Perform the following to fix this problem.

SSH to the host and run one of these commands:

esxcli software vib install -v /path/to/tools-light.vib

or

esxcli software vib install -d /path/to/depot/zip -n tools-light

Where the vib and zip are of the currently running ESXi version.

Note: For VMs that already have new VMware Tools installed, you do not have to revert VMware Tools back when ESXi host is rolled back.
Special characters backslash (\) or double-quote (") used in passwords causes installation pre-check to fail
If the special characters backslash (\) or double quote (") are used in ESXi, vCenter Single Sign-On, or operating system password fields during the vCenter Server Appliance Installation templates, the installation pre-check fails with the following error:

Error message: com.vmware.vcsa.installer.template.cli_argument_validation: Invalid \escape: line ## column ## (char ###)

Workaround: If you include special characters backslash (\) or double quote (") in the passwords for ESXi, operating systems, or Single-Sign-On, the special characters need to be escaped. For example, the password pass\word should be escaped as pass\\word.
Windows vCenter Server 6.7 installer fails when non-ASCII characters are present in password
The Windows vCenter Server 6.7 installer fails when the Single Sign-on password contains non-ASCII characters for Chinese, Japanese, Korean, and Taiwanese locales.

Workaround: Ensure that the Single Sign-on password contains ASCII characters only for Chinese, Japanese, Korean, and Taiwanese locales.
Cannot log in to vSphere Appliance Management Interface if the colon character (:) is part of vCenter Server root password
During the vCenter Server Appliance UI installation (Set up appliance VM page of Stage 1), if you include the colon character (:) as part of the vCenter Server root password, logging into the vSphere Appliance Management Interface (https://vc_ip:5480) fails and you are unable to login. The password might be accepted by the password rule check during the setup, but login fails.

Workaround: Do not use the colon character (:) to set the vCenter Server root password in the vCenter Server Appliance UI (Set up appliance VM of Stage 1).
vCenter Server Appliance installation fails when the backslash character (\) is included in the vCenter Single Sign-On password
During the vCenter Server Appliance UI installation (SSO setup page of Stage 2), if you include the backslash character (\) as part of the vCenter Single Sign-On password, the installation fails with the error Analytics Service registration with Component Manager failed. The password might be accepted by the password rule check, but installation fails.

Workaround: Do not use the backslash character (\) to set the vCenter Single Sign-On password in the vCenter Server Appliance UI installer (SSO setup page of Stage 2)
Scripted ESXi installation fails on HP ProLiant Gen 9 Servers with an error
When you perform a scripted ESXi installation on an HP ProLiant Gen 9 Server under the following conditions:
- The Embedded User Partition option is enabled in the BIOS.
- You use multiple USB drives during installation: one USB drive contains the ks.cfg file, and the others USB drive is not formatted and usable.
The installation fails with the error message Partitions not initialized.

Workaround:
1. Disable the Embedded User Partition option in the server BIOS.
2. Format the unformatted USB drive with a file system or unplug it from the server.
Windows vCenter Server 6.0.x or 6.5.x upgrade to vCenter Server 6.7 fails if vCenter Server contains non-ASCII or high-ASCII named 5.5 host profiles
When a source Windows vCenter Server 6.0.x or 6.5.x contains vCenter Server 5.5.x host profiles named with non-ASCII or high-ASCII characters, UpgradeRunner fails to start during the upgrade pre-check process.

Workaround: Before upgrading Windows vCenter Server 6.0.x or 6.5.x to vCenter Server 6.7, upgrade the ESXi 5.5.x with the non-ASCII or high-ASCII named host profiles to ESXi 6.0.x or 6.5.x, then update the host profile from the upgraded host by clicking Copy setting from the hosts.
You cannot run the camregister command with the -x option if the vCenter Single Sign-On password contains non-ASCII characters
When you run the camregister command with the -x file option, for example, to register the vSphere Authentication Proxy, the process fails with an access denied error when the vCenter Single Sign-On password contains non-ASCII characters.

Workaround: Either set up the vCenter Single Sign-On password with ASCII characters, or use the –p password option when you run the camregister command to enter the vCenter Single Sign-On password that contains non-ASCII characters.
The Bash shell and SSH login are disabled after upgrading to vCenter Server 6.7
After upgrading to vCenter Server 6.7, you are not able to access the vCenter Server Appliance using either the Bash shell or SSH login.

Workaround:
1. After successfully upgrading to vCenter Server 6.7, log in to the vCenter Server Appliance Management Interface. In a Web browser, go to: https://appliance_ip_address_or_fqdn:5480
2. Log in as root.
  The default root password is the password you set while deploying the vCenter Server Appliance.
3. Click Access, and click Edit.
4. Edit the access settings for the Bash shell and SSH login.
  When enabling Bash shell access to the vCenter Server Appliance, enter the number of minutes to keep access enabled.
5. Click OK to save the settings.
Management node migration is blocked if vCenter Server for Windows 6.0 is installed on Windows Server 2008 R2 without previously enabling Transport Layer Security 1.2
This issue occurs if you are migrating vCenter Server for Windows 6.0 using an external Platform Services Controller (an MxN topology) on Windows Server 2008 R2. After migrating the external Platform Services Controller (PSC), when you run Migration Assistant on the Management node it fails, reporting that it cannot retrieve the PSC version. This error occurs because Windows Server 2008 R2 does not support Transport Layer Security (TLS) 1.2 by default, which is the default TLS protocol for Platform Services Controller 6.7.

Workaround: Enable TLS 1.2 for Windows Server 2008 R2.1.
1. Navigate to the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
2. Create a new folder and label it TLS 1.2.
3. Create two new keys with the TLS 1.2 folder, and name the keys Client and Server.
4. Under the Client key, create two DWORD (32-bit) values, and name them DisabledByDefault and Enabled.
5. Under the Server key, create two DWORD (32-bit) values, and name them DisabledByDefault and Enabled.
6. Ensure that the Value field is set to 0 and that the Base is Hexadecimal for DisabledByDefault.
7. Ensure that the Value field is set to 1 and that the Base is Hexadecimal for Enabled.
8. Reboot the Windows Server 2008 R2 computer.
For more information on using TLS 1.2 with Windows Server 2008 R2, refer to the operating system vendor's documentation.
vCenter Server containing host profiles with version less than 6.0 fails during upgrade to version 6.7
vCenter Server 6.7 does not support host profiles with version less than 6.0. To upgrade to vCenter Server 6.7, you must first upgrade the host profiles to version 6.0 or later, if you have any of the following components:
- ESXi host(s) version - 5.1 or 5.5
- vCenter server version - 6.0 or 6.5
- Host profiles version - 5.1 or 5.5
Workaround: See KB 52932
After upgrading to vCenter Server 6.7, any edits to the ESXi host's /etc/ssh/sshd_config file are discarded, and the file is restored to the vCenter Server 6.7 default configuration
Due to changes in the default values in the /etc/ssh/sshd_config file, the vCenter Server 6.7 upgrade replaces any manual edits to this configuration file with the default configuration. This change was necessary as some prior settings (for example, permitted ciphers) are no longer compatible with current ESXi behavior, and prevented SSHD (SSH daemon) from starting correctly.

CAUTION: Editing /etc/ssh/sshd_config is not recommended. SSHD is disabled by default, and the preferred method for editing the system configuration is through the VIM API (including the ESXi Host Client interface) or ESXCLI.

Workaround: If edits to /etc/ssh/sshd_config are needed, you can apply them after successfully completing the vCenter Server 6.7 upgrade. The default configuration file now contains a version number. Preserve the version number to avoid overwriting the file.

For further information on editing the /etc/ssh/sshd_config file, see the following Knowledge Base articles:
- For information on enabling public/private key authentication, see Knowledge Base article KB 1002866
- For information on changing the default SSHD configuration, see Knowledge Base article KB 1020530

Security Features Issues

Virtualization Based Security (VBS) on vSphere in Windows Guest OSs RS1, RS2 and RS3 require HyperV to be enabled in the Guest OS.
Virtualization Based Security (VBS) on vSphere in Windows Guest OSs RS1, RS2 and RS3 require HyperV to be enabled in the Guest OS.

Workaround: Enable Hyper-V Platform on Windows Server 2016. In the Server Manager, under Local Server select Manage -> Add Roles and Features Wizard and under Role-based or feature-based installation select Hyper-V from the server pool and specify the server roles. Choose defaults for Server Roles, Features, Hyper-V, Virtual Switches, Migration and Default Stores. Reboot the host.

Enable Hyper-V on Windows 10: Browse to Control Panel -> Programs -> Turn Windows features on or off. Check the Hyper-V Platform which includes the Hyper-V Hypervisor and Hyper-V Services. Uncheck Hyper-V Management Tools. Click OK. Reboot the host.

Networking Issues

Hostprofile PeerDNS flags do not work in some scenarios
If PeerDNS for IPv4 is enabled for a vmknic on a stateless host that has an associated host profile, the iPv6PeerDNS might appear with a different state in the extracted host profile after the host reboots.

Workaround: None.
When you upgrade vSphere Distributed Switches to version 6.6, you might encounter a few known issues
During upgrade, the connected virtual machines might experience packet loss for a few seconds.

Workaround: If you have multiple vSphere Distributed Switches that need to be upgraded to version 6.6, upgrade the switches sequentially.

Schedule the upgrade of vSphere Distributed Switches during a maintenance window, set DRS mode to manual, and do not apply DRS recommendations for the duration of the upgrade.

For more details about known issues and solutions, see KB 52621
VM fails to power on when Network I/O Control is enabled and all active uplinks are down
A VM fails to power on when Network I/O Control is enabled and the following conditions are met:
- The VM is connected to a distributed port group on a vSphere distributed switch
- The VM is configured with bandwidth allocation reservation and the VM's network adapter (vNIC) has a reservation configured
- The distributed port group teaming policy is set to Failover
- All active uplinks on the distributed switch are down. In this case, vSphere DRS cannot use the standby uplinks and the VM fails to power on.
Workaround: Move the available standby adapters to the active adapters list in the teaming policy of the distributed port group.
Network flapping on a NIC that uses qfle3f driver might cause ESXi host to crash
The qfle3f driver might cause the ESXi host to crash (PSOD) when the physical NIC that uses the qfle3f driver experiences frequent link status flapping every 1-2 seconds.

Workaround: Make sure that network flapping does not occur. If the link status flapping interval is more than 10 seconds, the qfle3f driver does not cause ESXi to crash. For more information, see KB 2008093.
Port Mirror traffic packets of ERSPAN Type III fail to be recognized by packet analyzers
A wrong bit that is incorrectly introduced in ERSPAN Type III packet header causes all ERSPAN Type III packets to appear corrupt in packet analyzers.

Workaround: Use GRE or ERSPAN Type II packets, if your traffic analyzer supports these types.
DNS configuration esxcli commands are not supported on non-default TCP/IP stacks
DNS configuration of non-default TCP/IP stacks is not supported. Commands such as esxcli network ip dns server add -N vmotion -s 10.11.12.13 do not work.

Workaround: Do not use DNS configuration esxcli commands on non-default TCP/IP stacks.
Compliance check fails with an error when applying a host profile with enabled default IPv4 gateway for vmknic interface
When applying a host profile with enabled default IPv4 gateway for vmknic interface, the setting is populated with "0.0.0.0" and does not match the host info, resulting with the following error:

IPv4 vmknic gateway configuration doesn't match the specification

Workaround:
1. Edit the host profile settings.
2. Navigate to Networking configuration > Host virtual nic or Host portgroup > (name of the vSphere Distributed Switch or name of portgroup) > IP address settings.
3. From the Default gateway Vmkernal Network Adapter (IPv4) drop-down menu, select Choose a default IPv4 gateway for the vmknic and enter the Vmknic Default IPv4 gateway.
Intel Fortville series NICs cannot receive Geneve encapsulation packets with option length bigger than 255 bytes
If you configure Geneve encapsulation with option length bigger than 255 bytes, the packets are not received correctly on Intel Fortville NICs X710, XL710, and XXV710.

Workaround: Disable hardware VLAN stripping on these NICs by running the following command:

esxcli network nic software set --untagging=1 -n vmnicX.
RSPAN_SRC mirror session fails after migration
When a VM connected to a port assigned for RSPAN_SRC mirror session is migrated to another host, and there is no required pNic on the destination network of the destination host, then the RSPAN_SRC mirror session fails to configure on the port. This causes the port connection to fail failure but the vMotion migration process succeeds.

Workaround: To restore port connection failure, complete either one of the following:
- Remove the failed port and add a new port.
- Disable the port and enable it.
The mirror session fails to configure, but the port connection is restored.

Storage Issues

NFS datastores intermittently become read-only
A host's NFS datastores may become read-only when the NFS vmknic temporarily loses its IP address or after a stateless hosts reboot.

Workaround: You can unmount and remount the datastores to regain connectivity through the NFS vmknic. You can also set the NFS datastore write permission to both the IP address of the NFS vmknic and the IP address of the Management vmknic.
When editing a VM's storage policies, selecting Host-local PMem Storage Policy fails with an error
In the Edit VM Storage Policies dialog, if you select Host-local PMem Storage Policy from the dropdown menu and click OK, the task fails with one of these errors:

The operation is not supported on the object.

or

Incompatible device backing specified for device '0'"Detailed

Workaround: You cannot apply the Host-local PMem Storage Policy to VM home. For a virtual disk, you can use the migration wizard to migrate the virtual disk and apply the Host-local PMem Storage Policy.
Datastores might appear as inaccessible after ESXi hosts in a cluster recover from a permanent device loss state
This issue might occur in the environment where the hosts in the cluster share a large number of datastore, for example, 512 to 1000 datastores.
After the hosts in the cluster recover from the permanent device loss condition, the datastores are mounted successfully at the host level. However, in vCenter Server, several datastores might continue to appear as inaccessible for a number of hosts.

Workaround: On the hosts that show inaccessible datastores in the vCenter Server view, perform the Rescan Storage operation from vCenter Server.
Creating VMFS datastores on Intel Volume Management Device (Intel VMD) in riser mode might fail
Creating a VMFS datastore on Intel VMD configured in riser mode might fail, even if the partition is marked as successfully created on the ESXi host. You might see an error message similar to: Failed to create VMFS datastore vmd2 - Operation failed.

Workaround: None
Migration of a virtual machine from a VMFS3 datastore to VMFS5 fails in a mixed ESXi 6.5 and 6.7 host environment
If you have a mixed host environment, you cannot migrate a virtual machine from a VMFS3 datastore connected to an ESXi 6.5 host to a VMFS5 datastore on an ESXi 6.7 host.

Workaround: Upgrade the VMFS3 datastore to VMFS5 to be able to migrate the VM to the ESXi 6.7 host.
Warning message about a VMFS3 datastore remains unchanged after you upgrade the VMFS3 datastore using the CLI
Typically, you use the CLI to upgrade the VMFS3 datastore that failed to upgrade during an ESXi upgrade. The VMFS3 datastore might fail to upgrade due to several reasons including the following:
- No space is available on the VMFS3 datastore.
- One of the extents on the spanned datastore is offline.
After you fix the reason of the failure and upgrade the VMFS3 datastore to VMFS5 using the CLI, the host continues to detect the VMFS3 datastore and reports the following error:

Deprecated VMFS (ver 3) volumes found. Upgrading such volumes to VMFS (ver5) is mandatory for continued availability on vSphere 6.7 host.

Workaround: To remove the error message, restart hostd using the /etc/init.d/hostd restart command or reboot the host.
The Mellanox ConnectX-4/ConnectX-5 native ESXi driver might exhibit performance degradation when its Default Queue Receive Side Scaling (DRSS) feature is turned on
Receive Side Scaling (RSS) technology distributes incoming network traffic across several hardware-based receive queues, allowing inbound traffic to be processed by multiple CPUs. In Default Queue Receive Side Scaling (DRSS) mode, the entire device is in RSS mode. The driver presents a single logical queue to OS and is backed by several hardware queues.

The native nmlx5_core driver for the Mellanox ConnectX-4 and ConnectX-5 adapter cards enables the DRSS functionality by default. While DRSS helps to improve performance for many workloads, it could lead to possible performance degradation with certain multi-VM and multi-vCPU workloads.

Workaround: If significant performance degradation is observed, you can disable the DRSS functionality.
1. Run the esxcli system module parameters set -m nmlx5_core -p DRSS=0 RSS=0 command.
2. Reboot the host.
Datastore name does not extract to the Coredump File setting in the host profile
When you extract a host profile, the Datastore name field is empty in the Coredump File setting of the host profile. Issue appears when using esxcli command to set coredump.

Workaround:
1. Extract a host profile from an ESXi host.
2. Edit the host profile settings and navigate to General System Settings > Core Dump Configuration > Coredump File.
3. Select Create the Coredump file with an explicit datastore and size option and enter the Datastore name, where you want the Coredump File to reside.
Native software FCoE adapters configured on an ESXi host might disappear when the host is rebooted
After you successfully enable the native software FCoE adapter (vmhba) supported by the vmkfcoe driver and then reboot the host, the adapter might disappear from the list of adapters. This might occur when you use Cavium QLogic 57810 or QLogic 57840 CNAs supported by the qfle3 driver.

Workaround: To recover the vmkfcoe adapter, perform these steps:
1. Run the esxcli storage core adapter list command to make sure that the adapter is missing from the list.
2. Verify the vSwitch configuration on vmnic associated with the missing FCoE adapter.
3. Run the following command to discover the FCoE vmhba:
  - On a fabric setup:
    #esxcli fcoe nic discover -n vmnic_number
  - On a VN2VN setup:
    #esxcli fcoe nic discover -n vmnic_number
Attempts to create a VMFS datastore on an ESXi 6.7 host might fail in certain software FCoE environments
Your attempts to create the VMFS datastore fail if you use the following configuration:
- Native software FCoE adapters configured on an ESXi 6.7 host.
- Cavium QLogic 57810 or 57840 CNAs.
- Cisco FCoE switch connected directly to an FCoE port on a storage array from the Dell EMC VNX5300 or VNX5700 series.
Workaround: None.

As an alternative, you can switch to the following end-to-end configuration:
ESXi host > Cisco FCoE switch > FC switch > storage array from the DELL EMC VNX5300 and VNX5700 series.

Backup and Restore Issues

Windows Explorer displays some backups with unicode differently from how browsers and file system paths show them
Some backups containing unicode display differently in the Windows Explorer file system folder than they do in browsers and file system paths.

Workaround: Using http, https, or ftp, you can browse backups with your web browser instead of going to the storage folder locations through Windows Explorer.

vCenter Server Appliance, vCenter Server, vSphere Web Client, and vSphere Client Issues

The time synchronization mode setting is not retained when upgrading vCenter Server Appliance
If NTP time synchronization is disabled on a source vCenter Server Appliance, and you perform an upgrade to vCenter Server Appliance 6.7, after the upgrade has successfully completed NTP time synchronization will be enabled on the newly upgraded appliance.

Workaround:
1. After successfully upgrading to vCenter Server Appliance 6.7, log into the vCenter Server Appliance Management Interface as root.
  The default root password is the password you set while deploying the vCenter Server Appliance.
```
 https://IP_or_FQDN_of_appliance:5480
```
2. In the vCenter Server Appliance Management Interface, click Time.
3. In the Time Synchronization pane, click Edit.
4. From the Mode drop-down menu, select Disabled.
  The newly upgraded vCenter Server Appliance 6.7 will no longer use NTP time synchronization, and will instead use the system time zone settings.
Login to vSphere Web Client with Windows session authentication fails on Firefox browsers of version 54 or later
If you use Firefox of version 54 or later to log in to the vSphere Web Client, and you use your Windows session for authentication, the VMware Enhanced Authentication Plugin might fail to populate your user name and to log you in.

Workaround: If you are using Windows session authentication to log in to the vSphere Web Client, use one of the following browsers: Internet Explorer, Chrome, or Firefox of version 53 and earlier.
vCenter hardware health alarm notifications are not triggered in some instances
When multiple sensors in the same category on an ESXi host are tripped within a time span of less than five minutes, traps are not received and email notifications are not sent.

Workaround: None. You can check the hardware sensors section for any alerts.
When using the VCSA Installer Time Sync option, you must connect the target ESX to the NTP server in the Time & Date Setting from the ESX Management
If you want to select Time Sync with NTP server from the VCSA Installer->Stage2->Appliance configuration->Time Sync option (ESX/NTP server), you also need to have the target ESX already connected to NTP server in the Time&Date Setting from the ESX Management, otherwise it'll fail in installation.

Workaround:
1. Set the Time Sync option in stage2->Appliance configuration to sync with ESX
2. Set the Time Sync option in stage2->Appliance configuration to sync with NTP Servers, make sure both the ESX and VC are set to connect to NTP servers.
When you monitor Windows vCenter Server health, an error message appears
Health service is not available for Windows vCenter Server. If you select the vCenter Server, and click Monitor > Health, an error message appears:

Unable to query vSAN health information. Check vSphere Client logs for details.

This problem can occur after you upgrade the Windows vCenter Server from release 6.0 Update 1 or 6.0 Update 2 to release 6.7. You can ignore this message.
Workaround: None. Users can access vSAN health information through the vCenter Server Appliance.
vCenter hardware health alarms do not function with earlier ESXi versions
If ESXi version 6.5 Update 1 or earlier is added to vCenter 6.7, hardware health related alarms will not be generated when hardware events occur such as high CPU temperatures, FAN failures, and voltage fluctuations.

Workaround: None.
vCenter Server stops working in some cases when using vmodl to edit or expand a disk
When you configure a VM disk in a Storage DRS-enabled cluster using the latest vmodl, vCenter Server stops working. A previous workaround using an earlier vmodl no longer works and will also cause vCenter Server to stop working.

Workaround: None
vCenter Server for Windows migration to vCenter Server Appliance fails with error
When you migrate vCenter Server for Windows 6.0.x or 6.5.x to vCenter Server Appliance 6.7, the migration might fail during the data export stage with the error: The compressed zip folder is invalid or corrupted.

Workaround: You must zip the data export folder manually and follow these steps:
1. In the source system, create an environment variable MA_INTERACTIVE_MODE.
2. Go to Computer > Properties > Advanced system settings > Environment Variables > System Variables > New.
3. Enter "MA_INTERACTIVE_MODE" as variable name with value 0 or 1.
4. Start the VMware Migration Assistant and provide your password.
5. Start the Migration from the client machine. The migration will pause, and the Migration Assistant console will display the message To continue the migration, create the export.zip file manually from the export data (include export folder).
6. NOTE: Do not press any keys or tabs on the Migration Assistant console.
7. Go to the %appdata%\vmware\migration-assistant folder.
8. Delete the export.zip created by the Migration Assistant.
9. To continue the migration, manually create the export.zip file from the export folder.
10. Return to the Migration Assistant console. Type Y and press Enter.
Discrepancy between the build number in VAMI and the build number in the vSphere Client
In vSphere 6.7, the VAMI summary tab displays the ISO build for the vCenter Server and vCenter Server Appliance products. The vSphere Client summary tab displays the build for the vCenter product, which is a component within the vCenter Server product.

Workaround: None
vCenter Server Appliance 6.7 displays an error message in the Available Update section of the vCenter Server Appliance Management Interface (VAMI)
The Available Update section of the vCenter Server Appliance Management Interface (VAMI) displays the following error message:

Check the URL and try again.

This message is generated when the vCenter Server Appliance searches for and fails to find a patch or update. No functionality is impacted by this issue. This issue will be resolved with the release of the first patch for vSphere 6.7.

Workaround: None. No functionality is impacted by this issue.

Virtual Machine Management Issues

Name of the virtual machine in the inventory changes to its path name
This issue might occur when a datastore where the VM resides enters the All Paths Down state and becomes inaccessible. When hostd is loading or reloading VM state, it is unable to read the VM's name and returns the VM path instead. For example, /vmfs/volumes/123456xxxxxxcc/cs-00.111.222.333.

Workaround: After you resolve the storage issue, the virtual machine reloads, and its name is displayed again.
You must select the "Secure boot" Platform Security Level when enabling VBS in a Guest OS on AMD systems
On AMD systems, vSphere virtual machines do not provide a vIOMMU. Since vIOMMU is required for DMA protection, AMD users cannot select "Secure Boot and DMA protection" in the Windows Group Policy Editor when they "Turn on Virtualization Based Security". Instead select "Secure boot." If you select the wrong option it will cause VBS services to be silently disabled by Windows.

Workaround: Select "Secure boot" Platform Security Level in a Guest OS on AMD systems.
You cannot hot add memory and CPU for Windows VMs when Virtualization Based Security (VBS) is enabled within Windows
Virtualization Based Security (VBS) is a new feature introduced in Windows 10 and Windows Server 2016. vSphere supports running Windows with VBS enabled starting in the vSphere 6.7 release. However, Hot add of memory and CPU will not operate for Windows VMs when Virtualization Based Security (VBS) is enabled.

Workaround: Power-off the VM, change memory or CPU settings and power-on the VM.
Snapshot tree of a linked-clone VM might be incomplete after a vSAN network recovery from a failure
A vSAN network failure might impact accessibility of vSAN objects and VMs. After a network recovery, the vSAN objects regain accessibility. The hostd service reloads the VM state from storage to recover VMs. However, for a linked-clone VM, hostd might not detect that the parent VM namespace has recovered its accessibility. This results in the VM remaining in inaccessible state and VM snapshot information not being displayed in vCenter Server.

Workaround: Unregister the VM, then re-register it to force the hostd to reload the VM state. Snapshot information will be loaded from storage.
An OVF Virtual Appliance fails to start in the vSphere Client
The vSphere Client does not support selecting vService extensions in the Deploy OVF Template wizard. As a result, if an OVF virtual appliance uses vService extensions and you use the vSphere Client to deploy the OVF file, the deployment succeeds, but the virtual appliance fails to start.

Workaround: Use the vSphere Web Client to deploy OVF virtual appliances that use vService extensions.

vSphere HA and Fault Tolerance Issues

When you configure Proactive HA in Manual/MixedMode in vSphere 6.7 RC build you are prompted twice to apply DRS recommendations
When you configure Proactive HA in Manual/MixedMode in vSphere 6.7 RC build and a red health update is sent from the Proactive HA provider plug-in, you are prompted twice to apply the recommendations under Cluster -> Monitor -> vSphere DRS -> Recommendations. The first prompt is to enter the host into maintenance mode. The second prompt is to migrate all VMs on a host entering maintenance mode. In vSphere 6.5, these two steps are presented as a single recommendation for entering maintenance mode, which lists all VMs to be migrated.

Workaround: There is no impact to work flow or results. You must apply the recommendations twice. If you are using automated scripts, you must modify the scripts to include the additional step.
Lazy import upgrade interaction when VCHA is not configured
The VCHA feature is available as part of 6.5 release. As of 6.5, a VCHA cluster cannot be upgraded while preserving the VCHA configuration. The recommended approach for upgrade is to first remove the VCHA configuration either through vSphere Client or by calling a destroy VCHA API. So for lazy import upgrade workflow without VCHA configuration, there is no interaction with VCHA.

Do not configure a fresh VCHA setup while lazy import is in progress. The VCHA setup requires cloning the Active VM as Passive/Witness VM. As a result of an ongoing lazy import, the amount of data that needs to be cloned is large and may lead to performance issues.

Workaround: None.

Auto Deploy and Image Builder Issues

Reboot of an ESXi stateless host resets the numRxQueue value of the host
When an ESXi host provisioned with vSphere Auto Deploy reboots, it loses the previously set numRxQueue value. The Host Profiles feature does not support saving the numRxQueue value after the host reboots.

Workaround: After the ESXi stateless host reboots:
1. Remove the vmknic from the host.
2. Create a vmknic on the host with the expected numRxQueue value.
After caching on a drive, if the server is in the UEFI mode, a boot from cache does not succeed unless you explicitly select the device to boot from the UEFI boot manager
In case of Stateless Caching, after the ESXi image is cached on a 512n, 512e, USB, or 4Kn target disk, the ESXi stateless boot from autodeploy might fail on a system reboot. This occurs if autodeploy service is down.

The system attempts to search for the cached ESXi image on the disk, next in the boot order. If the ESXi cached image is found, the host is booted from it. In legacy BIOS, this feature works without problems. However, in the UEFI mode of the BIOS, the next device with the cached image might not be found. As a result, the host cannot boot from the image even if the image is present on the disk.

Workaround: If autodeploy service is down, on the system reboot, manually select the disk with the cached image from the UEFI Boot Manager.
A stateless ESXi host boot time might take 20 minutes or more
The booting of a stateless ESXi host with 1,000 configured datastores might require 20 minutes or more.

Workaround: None.

Miscellaneous Issues

ESXi might fail during reboot with VMs running on the iSCSI LUNs claimed by the qfle3i driver
ESXi might fail during reboot with VMs running on the iSCSI LUNs claimed by the qfle3i driver if you attempt to reboot the server with VMs in the running I/O state.

Workaround: First power off VMs and then reboot the ESXi host.
VXLAN stateless hardware offloads are not supported with Guest OS TCP traffic over IPv6 on UCS VIC 13xx adapters
You may experience issues with VXLAN encapsulated TCP traffic over IPv6 on Cisco UCS VIC 13xx adapters configured to use the VXLAN stateless hardware offload feature. For VXLAN deployments involving Guest OS TCP traffic over IPV6, TCP packets subject to TSO are not processed correctly by the Cisco UCS VIC 13xx adapters, which causes traffic disruption. The stateless offloads are not performed correctly. From a TCP protocol standpoint this may cause incorrect packet checksums being reported to the ESXi software stack, which may lead to incorrect TCP protocol processing in the Guest OS.

Workaround: To resolve this issue, disable the VXLAN stateless offload feature on the Cisco UCS VIC 13xx adapters for VXLAN encapsulated TCP traffic over IPV6. To disable the VXLAN stateless offload feature in UCS Manager, disable the Virtual Extensible LAN field in the Ethernet Adapter Policy. To disable the VXLAN stateless offload feature in the CIMC of a Cisco C-Series UCS server, uncheck Enable VXLAN field in the Ethernet Interfaces vNIC properties section.
Significant time might be required to list a large number of unresolved VMFS volumes using the batch QueryUnresolvedVmfsVolume API
ESXi provides the batch QueryUnresolvedVmfsVolume API, so that you can query and list unresolved VMFS volumes or LUN snapshots. You can then use other batch APIs to perform operations, such as resignaturing specific unresolved VMFS volumes. By default, when the API QueryUnresolvedVmfsVolume is invoked on a host, the system performs an additional filesystem liveness check for all unresolved volumes that are found. The liveness check detects whether the specified LUN is mounted on other hosts, whether an active VMFS heartbeat is in progress, or if there is any filesystem activity. This operation is time consuming and requires at least 16 seconds per LUN. As a result, when your environment has a large number of snapshot LUNs, the query and listing operation might take significant time.

Workaround: To decrease the time of the query operation, you can disable the filesystem liveness check.
1. Log in to your host as root.
2. Open the configuration file for hostd using a text editor. The configuration file is located in /etc/vmware/hostd/config.xml under plugins/hostsvc/storage node.
3. Add the checkLiveFSUnresolvedVolume parameter and set its value to FALSE. Use the following syntax:
  <checkLiveFSUnresolvedVolume>FALSE</checkLiveFSUnresolvedVolume>
As an alternative, you can set the ESXi Advanced option VMFS.UnresolvedVolumeLiveCheck to FALSE in the vSphere Client.
Compliance check fails with an error for the UserVars.ESXiVPsDisabledProtocols option when an ESXi host upgraded to version 6.7 is attached to a host profile with version 6.0
Issue occurs when you perform the following actions:
1. Extract a host profile from an ESXi host with version 6.0.
2. Upgrade the ESXi host to version 6.7.
3. The host appears as non-compliant for UserVars.ESXiVPsDisabledProtocols option even after remediation.
Workaround:
- Extract a new host profile from the upgraded ESXi host and attach the host to the profile.
- Upgrade the host profile by using the Copy Settings from Host from the upgraded ESXi host.
After upgrade to ESXi 6.7, networking workloads on Intel 10GbE NICs cause higher CPU utilization
If you run certain types of networking workloads on an upgraded ESXi 6.7 host, you might see a higher CPU utilization under the following conditions:
- The NICs on the ESXi host are from the Intel 82599EB or X540 families
- The workload involves multiple VMs that run simultaneously and each VM is configured with multiple vCPUs
- Before the upgrade to ESXi 6.7, the VMKLinux ixgbe driver was used
Workaround: Revert to the legacy VMKLinux ixgbe driver:
1. Connect to the ESXi host and run the following command:
  # esxcli system module set -e false -m ixgben
2. Reboot the host.
Note: The legacy VMKLinux ixgbe inbox driver version 3.7.x does not support Intel X550 NICs. Use the VMKLinux ixgbe async driver version 4.x with Intel X550 NICs.
Unable to unstage patches when using an external Platform Services Controller
If you are patching an external Platform Services Controller (an MxN topology) using the VMWare Appliance Management Interface with patches staged to an update repository, and then attempt to unstage the patches, the following error message is reported: Error in method invocation [Errno 2] No such file or directory: '/storage/core/software-update/stage'

Workaround:
1. Access the appliance shell and log in as a user who has a super administrator role.
2. Run the command software-packages unstage to unstage the staged patches. All directories and files generated by the staging process are removed.
3. Refresh the VMware Appliance Management Interface, which will now report the patches as being removed.
Initial install of DELL CIM VIB might fail to respond
After you install a third-party CIM VIB it might fail to respond.

Workaround: To fix this issue, enter the following two commands to restart sfcbd:
1. esxcli system wbem set --enable false
2. esxcli system wbem set --enable true

To collapse the list of previous known issues, click here.