times

ESXi 7.0 Update 3l | MAR 30 2023 | ISO Build 21424296

Check for additions and updates to these release notes.

What's in the Release Notes

The release notes cover the following topics:

What's New
Earlier Releases of ESXi 7.0
Patches Contained in this Release
Product Support Notices
Resolved Issues
Known Issues
Known Issues from Previous Releases

IMPORTANT: If your source system contains hosts of versions between ESXi 7.0 Update 2 and Update 3c, and Intel drivers, before upgrading to ESXi 7.0 Update 3l, see the What's New section of the VMware vCenter Server 7.0 Update 3c Release Notes, because all content in the section is also applicable for vSphere 7.0 Update 3l. Also, see the related VMware knowledge base articles: 86447, 87258, and 87308.

What's New

ESXi 7.0 Update 3l supports vSphere Quick Boot on the following servers:
- HPE
  - Cray XD225v
  - Cray XD295v
  - ProLiant DL325 Gen11
  - ProLiant DL345 Gen11
  - ProLiant DL365 Gen11
  - ProLiant DL385 Gen11
  - Synergy 480 Gen11
- Dell
  - PowerEdge C6620
  - PowerEdge MX760c
  - PowerEdge R660
  - PowerEdge R6615
  - PowerEdge R6625
  - PowerEdge R760
  - PowerEdge R7615
  - PowerEdge R7625
This release resolves CVE-2023-1017. VMware has evaluated the severity of this issue to be in the low severity range with a maximum CVSSv3 base score of 3.3.
This release resolves CVE-2023-1018. VMware has evaluated the severity of this issue to be in the low severity range with a maximum CVSSv3 base score of 3.3.

Earlier Releases of ESXi 7.0

New features, resolved, and known issues of ESXi are described in the release notes for each release. Release notes for earlier releases of ESXi 7.0 are:

For internationalization, compatibility, and open source components, see the VMware vSphere 7.0 Release Notes.

Patches Contained in This Release

This release of ESXi 7.0 Update 3l delivers the following patches:

Build Details

Download Filename:	VMware-ESXi-7.0U3l-21424296-depot
Build:	21424296
Download Size:	570.6 MB
md5sum:	bc8be7994ff95cf45e218f19eb38a4f1
sha256checksum:	a85acc0fab15d5c2744e6b697817961fde3979eddfc4dd1af07c83731f2f87cf
Host Reboot Required:	Yes
Virtual Machine Migration or Shutdown Required:	Yes

Components

Component	Bulletin	Category	Severity
ESXi Component - core ESXi VIBs	ESXi_7.0.3-0.85.21424296	Bugfix	Critical
ESXi Install/Upgrade Component	esx-update_7.0.3-0.85.21424296	Bugfix	Critical
Broadcom NetXtreme I ESX VMKAPI ethernet driver	Broadcom-ntg3_4.1.9.0-4vmw.703.0.85.21424296	Bugfix	Critical
Non-Volatile memory controller driver	VMware-NVMe-PCIe_1.2.3.16-2vmw.703.0.85.21424296	Bugfix	Critical
USB Native Driver for VMware	VMware-vmkusb_0.1-8vmw.703.0.85.21424296	Bugfix	Critical
ESXi Component - core ESXi VIBs	ESXi_7.0.3-0.80.21422485	Security	Critical
ESXi Install/Upgrade Component	esx-update_7.0.3-0.80.21422485	Security	Critical
ESXi Tools Component	VMware-VM-Tools_12.1.5.20735119-21422485	Security	Critical

IMPORTANT:

Starting with vSphere 7.0, VMware uses components for packaging VIBs along with bulletins. The ESXi and esx-update bulletins are dependent on each other. Always include both in a single ESXi host patch baseline or include the rollup bulletin in the baseline to avoid failure during host patching.
When patching ESXi hosts by using VMware Update Manager from a version prior to ESXi 7.0 Update 2, it is strongly recommended to use the rollup bulletin in the patch baseline. If you cannot use the rollup bulletin, be sure to include all of the following packages in the patching baseline. If the following packages are not included in the baseline, the update operation fails:
- VMware-vmkusb_0.1-1vmw.701.0.0.16850804 or higher
- VMware-vmkata_0.1-1vmw.701.0.0.16850804 or higher
- VMware-vmkfcoe_1.0.0.2-1vmw.701.0.0.16850804 or higher
- VMware-NVMeoF-RDMA_1.0.1.2-1vmw.701.0.0.16850804 or higher

Rollup Bulletin

This rollup bulletin contains the latest VIBs with all the fixes after the initial release of ESXi 7.0.

Bulletin ID	Category	Severity	Details
ESXi70U3l-21424296	Bugfix	Critical	Security and Bugfix
ESXi70U3sl-21422485	Security	Critical	Security only

Image Profiles

VMware patch and update releases contain general and critical image profiles. Application of the general release image profile applies to new bug fixes.

Image Profile Name

ESXi-7.0U3l-21424296-standard

ESXi-7.0U3l-21424296-no-tools

ESXi-7.0U3sl-21422485-standard

ESXi-7.0U3sl-21422485-no-tools

ESXi Image

Name and Version	Release Date	Category	Detail
ESXi7.0U3l - 21424296	MAR 30 2023	Bugfix	Security and Bugfix image
ESXi7.0U3sl - 21422485	MAR 30 2023	Security	Security only image

For information about the individual components and bulletins, see the Product Patches page and the Resolved Issues section.

Patch Download and Installation

In vSphere 7.x, the Update Manager plug-in, used for administering vSphere Update Manager, is replaced with the Lifecycle Manager plug-in. Administrative operations for vSphere Update Manager are still available under the Lifecycle Manager plug-in, along with new capabilities for vSphere Lifecycle Manager.
The typical way to apply patches to ESXi 7.x hosts is by using the vSphere Lifecycle Manager. For details, see About vSphere Lifecycle Manager and vSphere Lifecycle Manager Baselines and Images.
You can also update ESXi hosts without using the Lifecycle Manager plug-in, and use an image profile instead. To do this, you must manually download the patch offline bundle ZIP file from VMware Customer Connect. From the Select a Product drop-down menu, select ESXi (Embedded and Installable) and from the Select a Version drop-down menu, select 7.0. For more information, see the Upgrading Hosts by Using ESXCLI Commands and the VMware ESXi Upgrade guide.

Product Support Notices

Restoring Memory Snapshots of a VM with independent disk for virtual machine backups is not supported: You can take a memory snapshot of a virtual machine with an independent disk only to analyze the guest operating system behavior of a virtual machine. You cannot use such snapshots for virtual machine backups because restoring this type of snapshots is unsupported. You can convert a memory snapshot to a powered-off snapshot, which can be successfully restored.

Resolved Issues

The resolved issues are grouped as follows.

ESXi_7.0.3-0.85.21424296
esx-update_7.0.3-0.85.21424296
Broadcom-ntg3_4.1.9.0-4vmw.703.0.85.21424296
VMware-vmkusb_0.1-8vmw.703.0.85.21424296
VMware-NVMe-PCIe_1.2.3.16-2vmw.703.0.85.21424296
ESXi_7.0.3-0.80.21422485
esx-update_7.0.3-0.80.21422485
VMware-VM-Tools_12.1.5.20735119-21422485
ESXi-7.0U3l-21424296-standard
ESXi-7.0U3l-21424296-no-tools
ESXi-7.0U3l-21422485-standard
ESXi-7.0U3l-21422485-no-tools
ESXi70U3l-21424296
ESXi70U3sl-21422485

ESXi_7.0.3-0.85.21424296

Patch Category	Bugfix
Patch Severity	Critical
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs Included	VMware_bootbank_esx-dvfilter-generic-fastpath_7.0.3-0.85.21424296 VMware_bootbank_vsan_7.0.3-0.85.21424296 VMware_bootbank_bmcal_7.0.3-0.85.21424296 VMware_bootbank_crx_7.0.3-0.85.21424296 VMware_bootbank_esx-ui_2.9.2-21141530 VMware_bootbank_esxio-combiner_7.0.3-0.85.21424296 VMware_bootbank_vsanhealth_7.0.3-0.85.21424296 VMware_bootbank_native-misc-drivers_7.0.3-0.85.21424296 VMware_bootbank_gc_7.0.3-0.85.21424296 VMware_bootbank_cpu-microcode_7.0.3-0.85.21424296 VMware_bootbank_vdfs_7.0.3-0.85.21424296 VMware_bootbank_esx-xserver_7.0.3-0.85.21424296 VMware_bootbank_esx-base_7.0.3-0.85.21424296 VMware_bootbank_trx_7.0.3-0.85.21424296
PRs Fixed	3057026, 3062185, 3040049, 3061156, 3023389, 3062861, 3089449, 3081870, 3082900, 3033157, 3090683, 3075786, 3074392, 3081275, 3080022, 3083314, 3084812, 3074360, 3092270, 3076977, 3051685, 3082477, 3082282, 3082427, 3077163, 3087219, 3074187, 3082431, 3050562, 3072430, 3077072, 3077060, 3046875, 3082991, 3083473, 3051059, 3091256, 3074912, 3058993, 3063987, 3072500, 3060661, 3076188, 3049652, 2902475, 3087946, 3116848, 3010502, 3118090, 3078875, 3069298, 3074121
CVE numbers	CVE-2023-1017, CVE-2023-1018

The ESXi and esx-update bulletins are dependent on each other. Always include both in a single ESXi host patch baseline or include the rollup bulletin in the baseline to avoid failure during host patching.

Updates the esx-dvfilter-generic-fastpath, vsan, bmcal, crx, esx-ui, esxio-combiner, vsanhealth, native-misc-drivers, gc, cpu-microcode, vdfs, esx-xserver, esx-base, and trx VIBs to resolve the following issues:

PR 3057026: When you change the NUMA nodes Per Socket (NPS) setting on an AMD EPYC 9004 'Genoa' server from the default of 1, you might see incorrect number of sockets
In the vSphere Client and the ESXi Host Client, you might see incorrect number of sockets and respectively cores per socket when you change the NPS setting on an AMD EPYC 9004 server from the default of 1, or Auto, to another value, such as 2 or 4.

This issue is resolved in this release.
PR 3062185: ESXi hosts might fail with a purple diagnostic screen during a vSphere Storage vMotion operation or hot-adding a device
Due to a rare race condition during a Fast Suspend Resume (FSR) operation on a VM with shared pages between VMs, ESXi hosts might fail with a purple diagnostic screen with an error such as PFrame_IsBackedByLPage in the backtrace. The issue occurs during vSphere Storage vMotion operations or hot-adding a device.

This issue is resolved in this release.
PR 3040049: The performance of the pktcap-uw utility degrades when using the -c option for counting packets in heavy network traffic
Packet capture with the -c option of the pktcap-uw utlity in heavy network traffic might be slower than packet capture without the option. You might also see a delay in capturing packets, so that the last package counted has a timestap few seconds earlier than the stop time of the function. The issue results from the File_GetSize function to check file sizes, which is slow in VMFS environments and causes low performance of pktcap-uw.

This issue is resolved in this release. The fix changes the File_GetSize function with the lseek function to enhance performance.
PR 3061156: The Data Center Bridging (DCB) daemon on an ESXi host might generate a log spew in the syslog
In the syslog file you might see frequent log messages such as:
2022-03-27T00:xx:xx.xxxx dcbd[xxxx]: [info] *** Received pre-CEE DCBX Packet on port: vmnicX
2022-03-27T00:xx:xx.xxxx dcbd[xxxx]: [info]2022-03-27T00:xx:xx.xxxx dcbd[xxxx]: [info] Src MAC: xc:xc:X0:0X:xc:xx
2022-03-27T00:xx:xx.xxxx dcbd[xxxx]: [info] Dest MAC: X0:xb:xb:fx:0X:X1
2022-03-27T00:xx:xx.xxxx dcbd[xxxx]: [info] 2022-03-27T00:xx:xx.xxxx dcbd[xxxx]: [info] Port ID TLV:
2022-03-27T00:xx:xx.xxxx dcbd[xxxx]: [info] ifName:

The issue occurs because the Data Center Bridging (DCB) daemon, dcbd, on the ESXi host records unnecessary messages at /var/log/syslog.log. As a result, the log file might quickly fill up with dcbd logs.

This issue is resolved in this release.
PR 3023389: You see up to 100% CPU usage on one of the cores of an ESXi host due to an early timed-wait system call
In some cases, a timed-wait system call in the VMkernel might return too early. As a result, some applications, such as the System Health Agent, might take up to 100% of the CPU usage on one of the ESXi host cores.

This issue is resolved in this release.
PR 3062861: You do not see virtual machine image details in the Summary tab of the vSphere Client
Due to an issue with the IPv6 loopback interfaces, you might not see virtual machine image details in the Summary tab of the vSphere Client.

This issue is resolved in this release.
PR 3089449: If the number of paths from an ESXi host using SATP ALUA to storage exceeds 255, you might see I/O latency in some VMs
If the number of paths from an ESXi host using NMP SATP ALUA to storage exceed 255, ESXi ignores part of the ALUA information reported by the target and incorrectly retains some of the path state as active optimised. As a result, some I/Os use the non-optimised path to the storage device and cause latency issues..

This issue is resolved in this release. The fix makes sure that when RTPG response length is greater than pre-allocated buffer length, ESXi reallocates RTPG buffer with the required size and re-issues the RTPG command.
PR 3081870: ESXi host reboot process stops with “initializing init_VMKernelShutdownHelper: (14/39) ShutdownSCSICleanupForDevTearDown” message
In some cases, during an ESXi host shutdown, helper queues of device probe requests get deleted, but the reference to the device remains. As a result, the ESXi host reboot stops with a message such as initializing init_VMKernelShutdownHelper: (14/39) ShutdownSCSICleanupForDevTearDown in the Direct Console User Interface (DCUI).

This issue is resolved in this release. The fix adds a cancel function associated with helper requests that decrement device references when deleting helper queue requests.
PR 3082900: ESXi hosts might fail with a purple diagnostic screen during a VM Instant Clone operation
Due to a race condition during an Instant Clone operation, VM memory pages might be corrupted and the ESXi host might fail with a purple diagnostic screen. You see errors such as VmMemMigrate_MarkPagesCow or AsyncRemapProcessVMRemapList in the backtrace.

This issue is resolved in this release.
PR 3033157: Storage failover might take long as repeated scans may be required to bring all paths to a LUN online
In some environments with SATP plug-ins such as satp_alua and satp_alua_cx, bringing all paths to a LUN online might require several scans. As a result, a storage failover operation might take long. For example, with 4 paths to a LUN, it might take up to 20 minutes to bring the 4 paths online.

This issue is resolved in this release.
PR 3090683: Virtual machine vSphere tags might be lost after vSphere vMotion operations across vCenter Server instances
After vSphere vMotion operations across vCenter Server instances for VMs that have vSphere tags, it is possible that the tags do not exist in the target location. The issue only occurs in migration operations between vCenter Server instances that do not share storage.

This issue is resolved in this release.
PR 3075786: The multicast filter mode of an NSX Virtual Switch might intermittently revert from legacy to snooping
When you set the multicast filter mode of an NSX Virtual Switch for NVDS, the mode might intermittently revert from legacy to snooping.

This issue is resolved in this release. If you already face the issue, clear the stale property on the NVDS by completing the following steps:
1. Run the net-dvs command on the ESXi host and check if com.vmware.etherswitch.multicastFilter is set on the NVDS. If com.vmware.etherswitch.multicastFilter is not set, no additional steps are required.
2. If the property com.vmware.etherswitch.multicastFilter is set, use the following command to clear it:
  net-dvs -u com.vmware.etherswitch.multicastFilter -p globalPropList <NVDS name>
PR 3074392: IOFilterVP service stops when you run a Nessus scan on an ESXi host
When you run a Nessus scan, which internally runs a SYN scan, to detect active ports on an ESXi host, the iofiltervpd service might shut down. The service cannot be restarted within the max retry attempts due to the SYN scan.

This issue is resolved in this release. The fix makes sure the IOFilterVP service handles the possible connection failure due to SYN scans.
PR 3081275: You see no change in the ESXi config after you run a restore config procedure and the ESXi host reboots
If a VIB containing a new kernel module is installed before you run any of the restore config procedures described in VMware knowledge base article 2042141, you see no change in the config after the ESXi host reboots. For example, if you attempt to restore the ESXi config immediately after installing the NSX VIB, the ESXi host reboots, but no changes in the config are visible. The issue occurs due to a logical fault in the updates of the bootbank partition used for ESXi host reboots after a new kernel module VIB is installed.

This issue is resolved in this release.
PR 3080022: Listing files on mounted NFS 4.1 Azure storage might not work as expected
Listing files of mounted NFS 4.1 Azure storage might not work as expected, because although the files exist and you can open them by name, the ls command on an ESXi host by using SSH does not show any files.

This issue is resolved in this release.
PR 3083314: Network File Copy (NFC) properties in the vpxa.cfg file might cause an ESXi host to fail with a purple diagnostic screen during upgrade
Starting with ESXi 7.0 Update 1, the vpxa.cfg file no longer exists and the vpxa configuration belongs to the ESXi Configuration Store (ConfigStore). When you upgrade an ESXi host from a version earlier than 7.0 Update 1 to a later version, the fields Vpx.Vpxa.config.nfc.loglevel and Vpx.Vpxa.config.httpNfc.accessMode in the vpxa.cfg file might cause the ESXi host to fail with a purple diagnostic screen during the conversion from vpxa.cfg format to ConfigStore format. The issue occurs due to discrepancies in the NFC log level between vpxa.cfg and ConfigStore, and case-sensitive values.

This issue is resolved in this release. The fix removes the strict case-sensitive rules and maps NFC log level with their ConfigStore equivalents. For more information, see VMware knowledge base article 90865.
PR 3084812: Virtual machines might take longer to respond or become temporary unresponsive when vSphere DRS triggers multiple migration operations
In rare cases, multiple concurrent open and close operations on datastores, for example when vSphere DRS triggers multiple migration tasks, might cause some VMs to take longer to complete in-flight disk I/Os. As a result, such virtual machines might take longer to respond or become unresponsive for a short time. The issue is more likely to occur on VMs that have multiple virtual disks over different datastores.

This issue is resolved in this release.
PR 3074360: After an API call to reload a virtual machine, the VM virtual NIC might disconnect from a Logical Switch Port (LSP)
During an API call to reload a virtual machine from one ESXi host to another, the externalId in the VM port data file might be lost. As a result, after the VM reloads, the VM virtual NIC might not be able to connect to a LSP.

This issue is resolved in this release.
PR 3092270: VMware Host Client fails to attach an existing virtual disk to a virtual machine
After upgrading to ESXi 7.0 Update 3i, you might not be able to attach an existing virtual machine disk (VMDK) to a VM by using the VMware Host Client, which is used to connect to and manage single ESXi hosts. The issue does not affect the vSphere Client.

This issue is resolved in this release.
PR 3076977: ESXi host might fail with a purple diagnostic screen due to a rare issue with dereferencing a freed pointer
Due to a race condition between the Create and Delete resource pool workflows, a freed pointer in the VMFS resource pool cache might get dereferenced. As a result, ESXi hosts might fail with a purple diagnostic screen and error such as:
@BlueScreen: #PF Exception 14 in world 2105491:res3HelperQu IP 0x420032a21f55 addr 0x0

This issue is resolved in this release.
PR 3051685: The batch QueryUnresolvedVmfsVolume API might take long to list a large number of unresolved VMFS volumes
With the batch QueryUnresolvedVmfsVolume API, you can query and list unresolved VMFS volumes or LUN snapshots. You can then use other batch APIs to perform operations, such as re-signaturing specific unresolved VMFS volumes. By default, when the API QueryUnresolvedVmfsVolume is invoked on a host, the system performs an additional filesystem liveness check for all unresolved volumes that are found. The liveness check detects whether the specified LUN is mounted on other hosts, whether an active VMFS heartbeat is in progress, or if there is any filesystem activity. This operation is time consuming and requires at least 16 seconds per LUN. As a result, when your environment has a large number of snapshot LUNs, the query and listing operation might take significant time.

This issue is resolved in this release.
PR 3082477: vSAN cluster shutdown fails with error: 'NoneType' object has no attribute '_moId'
This problem can occur when vCenter manages multiple clusters, and the vCenter VM runs on one of the clusters. If you shut down the cluster where the vCenter VM resides, the following error can occur during the shutdown operation: 'NoneType' object has no attribute '_moId'. The vCenter VM is not powered off.

This issue is resolved in this release.
PR 3082282: You do not see the Restart Cluster option in the vSphere Client after shutting down multiple vSAN clusters
This problem can occur when vCenter manages multiple clusters and runs several shut down and restart cluster operations in parallel. For example, if you shut down 3 clusters and restart the vSAN health service or the vCenter VM, and you restart one of the 3 clusters before the others, the Restart Cluster option might be available for the first vSAN cluster, but not for the other clusters.

This issue is resolved in this release.
PR 3082427: You see an unexpected time drift alert on vSAN clusters managed by the same vCenter Server
Unexpected time drift can occur intermittently on a vSAN cluster when a single vCenter Server manages several vSAN clusters, due to internal delays in VPXA requests. In the vSphere Client, in the vSAN Health tab, you see the status of Time is synchronized across hosts and VC changing from green to yellow and back to green.

This issue is resolved in this release.
PR 3077163: When the ToolsRamdisk advanced option is active on an ESXi host, after a VM Tools upgrade, new versions are not available for VMs
When you enable the ToolsRamdisk advanced option that makes sure the /vmtools partition is always on a RAM disk rather than on a USB or SD-card, installing or updating the tools-light VIB does not update the content of the RAM disk automatically. Instead, you must reboot the host so that the RAM disk updates and the new VM Tools version is available for the VMs.

This issue is resolved in this release. The fix makes sure that when ToolsRamdisk is enabled, VM Tools updates automatically, without the need of manual steps or restart.
PR 3087219: ESXi hosts might fail with a purple diagnostic screen after a migration operation
A rare race condition caused by memory reclamation for some performance optimization processes in vSphere vMotion might cause ESXi hosts to fail with a purple diagnostic screen.

This issue is resolved in this release.
PR 3074187: ESXi hosts randomly fail with a purple diagnostic screen and an error such as Exception 14 in world #######
If your environment has both small and large file block clusters mapped to one affinity rule, when you add a cluster, the Affinity Manager might allocate more blocks for files than the actual volume of the datastore. As a result, ESXi hosts randomly fail with a purple diagnostic screen with error Exception 14 in world #######.

This issue is resolved in this release.
PR 3082431: vSAN health history has no data available for the selected time period
This issue occurs when you view health details of any health check in the history view. In the vSphere Client, in the Skyline Health tab, you see a message such as No data available for the selected time period. The issue occurs when a query to the historical health records fails due to timestamps with an incorrect time zone.

This issue is resolved in this release.
PR 3050562: You might see incorrect facility and severity values in ESXi syslog log messages
The logger command of some logger clients might not pass the right facility code to the ESXi syslog daemon and cause incorrect facility or severity values in ESXi syslog log messages.

This issue is resolved in this release.
PR 3072430: A rare race condition in the Logical Volume Manager (LVM) schedule queue might cause an ESXi host to fail with a purple diagnostic screen
In rare cases, in a heavy workload, two LVM tasks that perform updating and querying on the device schedule in an ESXi host might run in parallel and cause a synchronization issue. As a result, the ESXi host might fail with a purple diagnostic screen and a messages similar to [email protected]#nover+0x1018 stack: 0xXXXXX and Addr3ResolvePhysVector@esx#nover+0x68 stack: 0xXXXX in the backtrace.

This issue is resolved in this release.
PR 3077072: When an ESXi host boots, some dynamically discovered iSCSI target portals and iSCSI LUNs might get deleted
In some cases, while an ESXi host boots, some dynamically discovered iSCSI targets might get deleted. As a result, after the boot completes, you might no longer see some iSCSI LUNs. The issue is more likely to occur in environments with Challenge-Handshake Authentication Protocol
(CHAP) enabled for iSCSI.

This issue is resolved in this release.
PR 3077060: The VMware Host Client or vSphere Client intermittently stop displaying software iSCSI adapters
In busy environments with many rescans by using a software iSCSI adapter, the VMware Host Client might intermittently stop displaying the adapter. The issue occurs only with target arrays which return target portals with both IPv4 and IPv6 addresses during discovery by using the SendTargets method.

This issue is resolved in this release.
PR 3046875: Disabling Storage I/O Control on datastores results in high read I/O on all ESXi hosts
A rare issue with calculating the Max Queue Depth per datastore device might cause queue depth mismatch warnings from the underlying SCSI layer. As a result, when you disable Storage I/O Control on datastores, you might see high read I/O on all ESXi hosts.

This issue is resolved in this release.
PR 3082991: After an upgrade to ESXi 7.0 Update 3 and later, you might see multiple -1.log files to fill up the root directory
Due to missing configuration for stats-log in the file /etc/vmware/vvold/config.xml, you might see multiple -1.log files to fill up the /ramdisk partition after an upgrade to ESXi 7.0 Update 3 and later.

This issue is resolved in this release.
PR 3083473: Username or password in proxy cannot include an escape character
If a username or password in a network proxy contains any escape character, the environment fails to send network requests through the proxy.

This issue is resolved in this release. The fix makes sure username or password work fine even with non-escaped characters.
PR 3051059: The command esxcli system ntp test fails to resolve the IP of an NTP server configured with additional parameters along with the host name
If you configure an NTP server on an ESXi host with additional parameters along with hostname, such as min_poll or max_poll, the command esxcli system ntp test might fail to resolve the IP address of that server. This issue occurs because in such configurations, the NTP name resolution applies to the entire server config instead of just the host name.

This issue is resolved in this release.
PR 3091256: After upgrade to ESXi 7.0 Update 2 and later, VMs might not be able to communicate properly with some USB devices attached to the VMs
After upgrading to ESXi 7.0 Update 2 and later, a virtual machine might not discover some USB devices attached to it, such as an Eaton USB UPS, and fail to communicate with the device properly.

This issue is resolved in this release.
PR 3074912: If you change the datastore of a cloned virtual machine before the initial power on, guest OS customizations might be lost
If you clone a VM, including the guest customization specs, move the VMDK file to another datastore and make it thick provisioned, and then power on the VM, the guest OS customization might not be preserved. In the hostd logs, you see an Event Type Description such as The customization component failed to set the required parameters inside the guest operating system.
The issue occurs because while moving the VMDK file of the cloned VM to another datastore, the new pathName for the guest OS customization might temporarily be the same as the oldPathName and the package gets deleted.

This issue is resolved in this release.
PR 3058993: Virtual machine-related tasks might fail when you use vSphere APIs for I/O Filtering (VAIO) for VMware or third-party backup applications
Improper sizing of the resource needs for the hostd service on an ESXi host might cause some virtual machine-related tasks to fail when you use vSphere APIs for I/O Filtering (VAIO) for VMware or third-party backup applications. For example, when a VAIO filter is attached to one or more virtual disks of a virtual machine, such VMs might fail to perform backups or power-on after a backup.

This issue is resolved in this release. The fix increases the number of threads to prevent I/O-related issues with the hostd resources on ESXi hosts.
PR 3063987: First Class Disk (FCD) sync might fail on NFSv3 datastores and you see inconsistent values in Govc reports
A rare file corruption issue might occur when multiple ESXi hosts do a simultaneous file append operation on an NFSv3 datastore. As a result, if you use the Govc open source command-line utility to perform administrative actions on a vCenter instance, you might see reports with inconsistent values. For example, if you run the command govc disk.ls to list all FCDs in a newly created datastore, you see a different number of disks from what you expect.

This issue is resolved in this release.
PR 3072500: ESXi hosts intermittently fail with a purple diagnostic screen and an error VERIFY bora/vmkernel/sched/cpusched.c
In rare cases, when a VMFS volume is closed immediately after it is opened, one of the threads in the opening process might race with a thread in the closing process and take a rare error handling path that can exit without unlocking a locked spinlock. As a result, the ESXi host might fail with a purple diagnostic screen with a message in the backtrace such as: @BlueScreen: VERIFY bora/vmkernel/sched/cpusched.c:11154.

This issue is resolved in this release.
PR 3060661: Windows Server Failover Cluster (WSFC) applications might lose connectivity to a virtual volume-based disk after initiating a rebind operation on that disk
Due to reservation conflicts, WSFC applications might lose connectivity to a virtual volume-based disk after a rebind operation on that disk.

This issue is resolved in this release.
PR 3076188: vSphere HA might not work as expected on a vSAN datastore after a power outage
In rare situations, the management agent that vSphere HA deploys on ESXi hosts, Fault Domain Manager (FDM), might fail to acquire a vSAN datastore in the first attempt before an exceptional condition, such as power outage, occurs. As a result, vSphere HA failover for virtual machines on that datastore might not be successful. In the vSphere Client, you see a message such as This virtual machine failed to become vSphere HA Protected and HA may not attempt to restart it after a failure. Successive attempts of FDM to acquire the vSAN datastore might also fail.

This issue is resolved in this release. The fix makes sure that the successive attempts to acquire a vSAN datastore after an exceptional condition succeed.
PR 3049652: The Power|Total Energy (Wh) metric from the sustainability metrics in VMware vRealize Operations might display in wrong units
In the sustainability metrics in VMware vRealize Operations, you might see the value of Power|Total Energy (Wh) per virtual machine higher than the ESXi host on which the VM is hosted. The issue occurs because after measuring the total energy consumed by the VM, the power.energy performance counter is calculated and reported in millijoules instead of joules.

This issue is resolved in this release.
PR 2902475: Windows virtual machines of hardware version 19 that have Virtualization-Based Security (VBS) enabled might fail with a blue diagnostic screen on ESXi hosts running on AMD processors
In ESXi hosts running on AMD processors, Windows virtual machines of hardware version 19 with VBS enabled might fail with a blue diagnostic screen due to a processor mode misconfiguration error. In the vmware.log file, you see errors such as vcpu-0 - WinBSOD: Synthetic MSR[0xx0000x00] 0xxxx.

This issue is resolved in this release.
PR 3087946: vSphere Lifecycle Manager compliance scan might show a warning for a CPU that is supported
Due to an internal error, even if a CPU model is listed as supported in the VMware Compatibility Guide, in the vSphere Client you might see a warning such as The CPU on the host is not supported by the image during a compliance scan by using a vSphere Lifecycle Manager image. The warning does not prevent you from completing an update or upgrade.

This issue is resolved in this release.
PR 3116848: Virtual machines with Virtualization-Based Security (VBS) enabled might fail with a blue diagnostic screen after a migration
When you migrate virtual machines with VBS enabled that reside on ESXi hosts running on AMD processors, such VMs might fail with a blue diagnostic screen on the target host due to a guest interruptibility state error.

This issue is resolved in this release.
PR 3010502: If you override a networking policy for a port group and then revert the change, the override persists after an ESXi host reboot
When you override a networking policy such as Teaming, Security, or Shaping for a port group, and then revert the change, after a reboot of the ESXi host, you might still see the override setting. For example, if you accept promiscuous mode activation on a port group level, then revert the mode back to Reject, and reboot the ESXi host, the setting is still Accept.

This issue is resolved in this release.
PR 3118090: The autocomplete attribute in forms for web access is not disabled on password and username fields
Your remote web server might contain an HTML form field that has an input of type password and username where the autocomplete attribute is not set to off. As a result, you might see a warning by security scanners such as AutoComplete Attribute Not Disabled for Password in Form Based Authentication. The setting of the autocomplete attribute to on does not directly put a risk on web servers, but in certain browsers, user credentials in such forms might be saved and potentially lead to a loss of confidentiality.

This issue is resolved in this release. The fix makes sure the attribute autocomplete is set to off in password and username fields to prevent browsers from caching credentials.
PR 3078875: Cannot set IOPS limit for vSAN file service objects
vSAN Distributed File System (vDFS) objects do not support IOPS limit. You cannot set the IOPS limit for vSAN file service objects.

This issue is resolved in this release. With the fix, you can set an IOPSLimit policy with vSAN file service objects.
PR 3069298: In vSphere Client, you do not see the asset tag for some servers
In vSphere Client, when you navigate to Configure > Hardware > Overview, for some servers you do not see any asset tag listed.

This issue is resolved in this release. The fix ensures that vCenter receives either baseboard info (Type2) asset tag or chassis info(Type3) asset tag for the server. You see the chassis info asset tag when the baseboard info asset tag for the server is empty.
PR 3074121: Network configuration lost after vSAN upgrade to 7.0 or later
When you upgrade a vSAN host from a pre-6.2 release to 7.0 or later, the VMkernel port tagging for vSAN might be lost. If this occurs, vSAN networking configuration is missing after the upgrade.

This issue is resolved in this release. The fix prevents the issue to occur on ESXi 7.0 Update 3l and later. If you already face the issue, upgrading to ESXi 7.0 Update 3l does not automatically resolve the issue, but you can manually fix it by enabling VMkernel traffic for vSAN on the ESXi host.
PR 3085003: Cannot enable vSAN File Service with uploaded OVF files
You cannot enable vSAN File Service if the vCenter does not have Internet access.

This issue is resolved in this release.
PR 3088608: Virtual machines might fail with a core dump while resuming from a checkpoint or after migration
In rare cases, when a data breakpoint is enabled in the guest OS of virtual machines, during checkpoint resume or after a vSphere vMotion migration, an internal virtualization data structure might be accessed before it is allocated. As a result, the virtual machines crash with core dump and an error such as:

vcpu-1:VMM fault 14: src=MONITOR rip=0xfffffffffc0XXe00 regs=0xfffffffffcXXXdc0 LBR stack=0xfffffffffcXXXaXX.

This issue is resolved in this release.

esx-update_7.0.3-0.85.21424296

Patch Category	Bugfix
Patch Severity	Critical
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMware_bootbank_esx-update_7.0.3-0.85.21424296 VMware_bootbank_loadesx_7.0.3-0.85.21424296
PRs Fixed	N/A
CVE numbers	N/A

Updates the loadesx and esx-update VIBs.

Broadcom-ntg3_4.1.9.0-4vmw.703.0.85.21424296

Patch Category	Bugfix
Patch Severity	Critical
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMW_bootbank_ntg3_4.1.9.0-4vmw.703.0.85.21424296
PRs Fixed	3083426
CVE numbers	N/A

Update the ntg3 VIB to resolve the following issue:

PR 3083426: You might see jumbo frames packet loss when NICs using the ntg3 driver are connected to certain Dell switches
When NICs using the ntg3 driver such as Broadcom BCM5719 and BCM5720 are connected to certain models of Dell switches, including but not limited to S4128T-ON and S3048-ON, such NICs might incorrectly drop some of the received packets greater than 6700 bytes. This might cause very low network performance or loss of connectivity.

This issue is resolved in this release. The ntg3 driver version 4.1.9.0, which is released with ESXi 7.0 Update 3l, contains the fix.

VMware-vmkusb_0.1-8vmw.703.0.85.21424296

Patch Category	Bugfix
Patch Severity	Critical
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMW_bootbank_vmkusb_0.1-8vmw.703.0.85.21424296
PRs Fixed	N/A
CVE numbers	N/A

Updates the vmkusb VIB.

VMware-NVMe-PCIe_1.2.3.16-2vmw.703.0.85.21424296

Patch Category	Bugfix
Patch Severity	Critical
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMW_bootbank_nvme-pcie_1.2.3.16-2vmw.703.0.85.21424296
PRs Fixed	3086841, 3104368, 3061328
CVE numbers	N/A

Update the nvme-pcie VIB to resolve the following issues:

PR 3086841: Third-party multipathing plug-ins report "Invalid length RTPG Discriptor" warning while running on the SCSI to NVMe translation stack
In case of an extended header format in the NVMe to SCSI translation layer, third-party multipathing plug-ins such as PowerPath might not account for the extended header size of 4 bytes. As a result, in the vmkernel.log, you see an Invalid length RTPG Descriptor warning.

This issue is resolved in this release. The fix accounts for 4 bytes of extended headers.
PR 3104368: You cannot install ESXi or create datastores on an NVMe device
When installing ESXi or creating a VMFS datastore on an NVMe device, the native NVMe driver might need to handle a Compare and Write fused operation. According to NVMe specs, the Compare and Write commands must be inserted next to each other in the same Submission Queue, and the Submission Queue Tail doorbell pointer update must indicate both commands as part of one doorbell update. The native NVMe driver puts the two commands together in one Submission Queue, but writes the doorbell for each command separately. As a result, the device firmware might complete the fused commands with an error and fail to create a VMFS datastore. Since creating a VMFS datastore on a device is a prerequisite for successful ESXi installation, you might not be able to install ESXi on such NVMe devices.

This issue is resolved in this release.
PR 3061328: Cannot clear vSAN health check: NVMe device can be identified
If the vSAN health check indicates that an NVMe device cannot be identified, the warning might not be cleared after you correctly select the device model.

This issue is resolved in this release.

ESXi_7.0.3-0.80.21422485

Patch Category	Security
Patch Severity	Critical
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMware_bootbank_esx-dvfilter-generic-fastpath_7.0.3-0.80.21422485 VMware_bootbank_vdfs_7.0.3-0.80.21422485 VMware_bootbank_cpu-microcode_7.0.3-0.80.21422485 VMware_bootbank_crx_7.0.3-0.80.21422485 VMware_bootbank_esx-xserver_7.0.3-0.80.21422485 VMware_bootbank_vsanhealth_7.0.3-0.80.21422485 VMware_bootbank_vsan_7.0.3-0.80.21422485 VMware_bootbank_esx-ui_2.9.2-21141530 VMware_bootbank_esxio-combiner_7.0.3-0.80.21422485 VMware_bootbank_native-misc-drivers_7.0.3-0.80.21422485 VMware_bootbank_esx-base_7.0.3-0.80.21422485 VMware_bootbank_gc_7.0.3-0.80.21422485 VMware_bootbank_bmcal_7.0.3-0.80.21422485 VMware_bootbank_trx_7.0.3-0.80.21422485
PRs Fixed	N/A
CVE numbers	CVE-2023-1017, CVE-2023-1018

ESXi 7.0 Update 3l provides the following security updates:
- The Python package is updated to versions 3.8.16/3.5.10.
- The ESXi userworld libxml2 library is updated to version 2.10.3.
- The cURL library is updated to version 7.86.0.
- The Expat XML parser is updated to version 2.5.0.
- The SQLite database is updated to version 3.40.1.
- The zlib library is updated to 1.2.13.

esx-update_7.0.3-0.80.21422485

Patch Category	Security
Patch Severity	Critical
Host Reboot Required	Yes
Virtual Machine Migration or Shutdown Required	Yes
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMware_bootbank_loadesx_7.0.3-0.80.21422485 VMware_bootbank_esx-update_7.0.3-0.80.21422485
PRs Fixed	N/A
CVE numbers	N/A

Updates the loadesx and esx-update VIBs.

VMware-VM-Tools_12.1.5.20735119-21422485

Patch Category	Security
Patch Severity	Critical
Host Reboot Required	No
Virtual Machine Migration or Shutdown Required	No
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMware_locker_tools-light_12.1.5.20735119-21422485
PRs Fixed	3091480
CVE numbers	N/A

Updates the loadesx and esx-update VIBs.

- The following VMware Tools ISO images are bundled with ESXi 7.0 Update 3l:
  - windows.iso: VMware Tools 12.1.5 supports Windows 7 SP1 or Windows Server 2008 R2 SP1 and later.
  - linux.iso: VMware Tools 10.3.25 ISO image for Linux OS with glibc 2.11 or later.
  The following VMware Tools ISO images are available for download:
  - VMware Tools 11.0.6:
    - windows.iso: for Windows Vista (SP2) and Windows Server 2008 Service Pack 2 (SP2).
  - VMware Tools 10.0.12:
    - winPreVista.iso: for Windows 2000, Windows XP, and Windows 2003.
    - linuxPreGLibc25.iso: supports Linux guest operating systems earlier than Red Hat Enterprise Linux (RHEL) 5, SUSE Linux Enterprise Server (SLES) 11, Ubuntu 7.04, and other distributions with glibc version earlier than 2.5.
  - solaris.iso: VMware Tools image 10.3.10 for Solaris.
  - darwin.iso: Supports Mac OS X versions 10.11 and later. VMware Tools 12.1.0 was the last regular release for macOS. Refer VMware knowledge base article 88698 for details.
  Follow the procedures listed in the following documents to download VMware Tools for platforms not bundled with ESXi:

ESXi-7.0U3l-21424296-standard

Profile Name	ESXi-7.0U3l-21424296-standard
Build	For build information, see Patches Contained in this Release.
Vendor	VMware, Inc.
Release Date	March 30, 2023
Acceptance Level	PartnerSupported
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMware_bootbank_esx-dvfilter-generic-fastpath_7.0.3-0.85.21424296 VMware_bootbank_vsan_7.0.3-0.85.21424296 VMware_bootbank_bmcal_7.0.3-0.85.21424296 VMware_bootbank_crx_7.0.3-0.85.21424296 VMware_bootbank_esx-ui_2.9.2-21141530 VMware_bootbank_esxio-combiner_7.0.3-0.85.21424296 VMware_bootbank_vsanhealth_7.0.3-0.85.21424296 VMware_bootbank_native-misc-drivers_7.0.3-0.85.21424296 VMware_bootbank_gc_7.0.3-0.85.21424296 VMware_bootbank_cpu-microcode_7.0.3-0.85.21424296 VMware_bootbank_vdfs_7.0.3-0.85.21424296 VMware_bootbank_esx-xserver_7.0.3-0.85.21424296 VMware_bootbank_esx-base_7.0.3-0.85.21424296 VMware_bootbank_trx_7.0.3-0.85.21424296 VMware_bootbank_esx-update_7.0.3-0.85.21424296 VMware_bootbank_loadesx_7.0.3-0.85.21424296 VMW_bootbank_ntg3_4.1.9.0-4vmw.703.0.85.21424296 VMW_bootbank_vmkusb_0.1-8vmw.703.0.85.21424296 VMW_bootbank_nvme-pcie_1.2.3.16-2vmw.703.0.85.21424296 VMware_locker_tools-light_12.1.5.20735119-21422485
PRs Fixed	3057026, 3062185, 3040049, 3061156, 3023389, 3062861, 3089449, 3081870, 3082900, 3033157, 3090683, 3075786, 3074392, 3081275, 3080022, 3083314, 3084812, 3074360, 3092270, 3076977, 3051685, 3082477, 3082282, 3082427, 3077163, 3087219, 3074187, 3082431, 3050562, 3072430, 3077072, 3077060, 3046875, 3082991, 3083473, 3051059, 3091256, 3074912, 3058993, 3063987, 3072500, 3060661, 3076188, 3049652, 2902475, 3087946, 3116848, 3010502, 3118090, 3078875, 3069298, 3074121, 3083426, 3086841, 3104368, 3061328
Related CVE numbers	CVE-2023-1017, CVE-2023-1018

This patch updates the following issues:
- In the vSphere Client and the ESXi Host Client, you might see incorrect number of sockets and respectively cores per socket when you change the NPS setting on an AMD EPYC 9004 server from the default of 1, or Auto, to another value, such as 2 or 4.
- Due to a rare race condition during a Fast Suspend Resume (FSR) operation on a VM with shared pages between VMs, ESXi hosts might fail with a purple diagnostic screen with an error such as PFrame_IsBackedByLPage in the backtrace. The issue occurs during vSphere Storage vMotion operations or hot-adding a device.
- Packet capture with the -c option of the pktcap-uw utlity in heavy network traffic might be slower than packet capture without the option. You might also see a delay in capturing packets, so that the last package counted has a timestap few seconds earlier than the stop time of the function. The issue results from the File_GetSize function to check file sizes, which is slow in VMFS environments and causes low performance of pktcap-uw.
- In the syslog file you might see frequent log messages such as:
  2022-03-27T00:xx:xx.xxxx dcbd[xxxx]: [info] *** Received pre-CEE DCBX Packet on port: vmnicX
  2022-03-27T00:xx:xx.xxxx dcbd[xxxx]: [info]2022-03-27T00:xx:xx.xxxx dcbd[xxxx]: [info] Src MAC: xc:xc:X0:0X:xc:xx
  2022-03-27T00:xx:xx.xxxx dcbd[xxxx]: [info] Dest MAC: X0:xb:xb:fx:0X:X1
  2022-03-27T00:xx:xx.xxxx dcbd[xxxx]: [info] 2022-03-27T00:xx:xx.xxxx dcbd[xxxx]: [info] Port ID TLV:
  2022-03-27T00:xx:xx.xxxx dcbd[xxxx]: [info] ifName:
  
  The issue occurs because the Data Center Bridging (DCB) daemon, dcbd, on the ESXi host records unnecessary messages at /var/log/syslog.log. As a result, the log file might quickly fill up with dcbd logs.
- In some cases, a timed-wait system call in the VMkernel might return too early. As a result, some applications, such as the System Health Agent, might take up to 100% of the CPU usage on one of the ESXi host cores.
- Due to an issue with the IPv6 loopback interfaces, you might not see virtual machine image details in the Summary tab of the vSphere Client.
- If the number of paths from an ESXi host using NMP SATP ALUA to storage exceed 255, ESXi ignores part of the ALUA information reported by the target and incorrectly retains some of the path state as active optimised. As a result, some I/Os use the non-optimised path to the storage device and cause latency issues..
- In some cases, during an ESXi host shutdown, helper queues of device probe requests get deleted, but the reference to the device remains. As a result, the ESXi host reboot stops with a message such as initializing init_VMKernelShutdownHelper: (14/39) ShutdownSCSICleanupForDevTearDown in the Direct Console User Interface (DCUI).
- Due to a race condition during an Instant Clone operation, VM memory pages might be corrupted and the ESXi host might fail with a purple diagnostic screen. You see errors such as VmMemMigrate_MarkPagesCow or AsyncRemapProcessVMRemapList in the backtrace.
- In some environments with SATP plug-ins such as satp_alua and satp_alua_cx, bringing all paths to a LUN online might require several scans. As a result, a storage failover operation might take long. For example, with 4 paths to a LUN, it might take up to 20 minutes to bring the 4 paths online.
- After vSphere vMotion operations across vCenter Server instances for VMs that have vSphere tags, it is possible that the tags do not exist in the target location. The issue only occurs in migration operations between vCenter Server instances that do not share storage.
- When you set the multicast filter mode of an NSX Virtual Switch for NVDS, the mode might intermittently revert from legacy to snooping.
- When you run a Nessus scan, which internally runs a SYN scan, to detect active ports on an ESXi host, the iofiltervpd service might shut down. The service cannot be restarted within the max retry attempts due to the SYN scan.
- If a VIB containing a new kernel module is installed before you run any of the restore config procedures described in VMware knowledge base article 2042141, you see no change in the config after the ESXi host reboots. For example, if you attempt to restore the ESXi config immediately after installing the NSX VIB, the ESXi host reboots, but no changes in the config are visible. The issue occurs due to a logical fault in the updates of the bootbank partition used for ESXi host reboots after a new kernel module VIB is installed.
- Listing files of mounted NFS 4.1 Azure storage might not work as expected, because although the files exist and you can open them by name, the ls command on an ESXi host by using SSH does not show any files.
- Starting with ESXi 7.0 Update 1, the vpxa.cfg file no longer exists and the vpxa configuration belongs to the ESXi Configuration Store (ConfigStore). When you upgrade an ESXi host from a version earlier than 7.0 Update 1 to a later version, the fields Vpx.Vpxa.config.nfc.loglevel and Vpx.Vpxa.config.httpNfc.accessMode in the vpxa.cfg file might cause the ESXi host to fail with a purple diagnostic screen during the conversion from vpxa.cfg format to ConfigStore format. The issue occurs due to discrepancies in the NFC log level between vpxa.cfg and ConfigStore, and case-sensitive values.
- In rare cases, multiple concurrent open and close operations on datastores, for example when vSphere DRS triggers multiple migration tasks, might cause some VMs to take longer to complete in-flight disk I/Os. As a result, such virtual machines might take longer to respond or become unresponsive for a short time. The issue is more likely to occur on VMs that have multiple virtual disks over different datastores.
- During an API call to reload a virtual machine from one ESXi host to another, the externalId in the VM port data file might be lost. As a result, after the VM reloads, the VM virtual NIC might not be able to connect to a LSP.
- After upgrading to ESXi 7.0 Update 3i, you might not be able to attach an existing virtual machine disk (VMDK) to a VM by using the VMware Host Client, which is used to connect to and manage single ESXi hosts. The issue does not affect the vSphere Client.
- Due to a race condition between the Create and Delete resource pool workflows, a freed pointer in the VMFS resource pool cache might get dereferenced. As a result, ESXi hosts might fail with a purple diagnostic screen and error such as:
  @BlueScreen: #PF Exception 14 in world 2105491:res3HelperQu IP 0x420032a21f55 addr 0x0
- With the batch QueryUnresolvedVmfsVolume API, you can query and list unresolved VMFS volumes or LUN snapshots. You can then use other batch APIs to perform operations, such as re-signaturing specific unresolved VMFS volumes. By default, when the API QueryUnresolvedVmfsVolume is invoked on a host, the system performs an additional filesystem liveness check for all unresolved volumes that are found. The liveness check detects whether the specified LUN is mounted on other hosts, whether an active VMFS heartbeat is in progress, or if there is any filesystem activity. This operation is time consuming and requires at least 16 seconds per LUN. As a result, when your environment has a large number of snapshot LUNs, the query and listing operation might take significant time.
- This problem can occur when vCenter manages multiple clusters, and the vCenter VM runs on one of the clusters. If you shut down the cluster where the vCenter VM resides, the following error can occur during the shutdown operation: 'NoneType' object has no attribute '_moId'. The vCenter VM is not powered off.
- This problem can occur when vCenter manages multiple clusters and runs several shut down and restart cluster operations in parallel. For example, if you shut down 3 clusters and restart the vSAN health service or the vCenter VM, and you restart one of the 3 clusters before the others, the Restart Cluster option might be available for the first vSAN cluster, but not for the other clusters.
- Unexpected time drift can occur intermittently on a vSAN cluster when a single vCenter Server manages several vSAN clusters, due to internal delays in VPXA requests. In the vSphere Client, in the vSAN Health tab, you see the status of Time is synchronized across hosts and VC changing from green to yellow and back to green.
- When you enable the ToolsRamdisk advanced option that makes sure the /vmtools partition is always on a RAM disk rather than on a USB or SD-card, installing or updating the tools-light VIB does not update the content of the RAM disk automatically. Instead, you must reboot the host so that the RAM disk updates and the new VM Tools version is available for the VMs.
- A rare race condition caused by memory reclamation for some performance optimization processes in vSphere vMotion might cause ESXi hosts to fail with a purple diagnostic screen.
- If your environment has both small and large file block clusters mapped to one affinity rule, when you add a cluster, the Affinity Manager might allocate more blocks for files than the actual volume of the datastore. As a result, ESXi hosts randomly fail with a purple diagnostic screen with error Exception 14 in world #######.
- This issue occurs when you view health details of any health check in the history view. In the vSphere Client, in the Skyline Health tab, you see a message such as No data available for the selected time period. The issue occurs when a query to the historical health records fails due to timestamps with an incorrect time zone.
- The logger command of some logger clients might not pass the right facility code to the ESXi syslog daemon and cause incorrect facility or severity values in ESXi syslog log messages.
- In rare cases, in a heavy workload, two LVM tasks that perform updating and querying on the device schedule in an ESXi host might run in parallel and cause a synchronization issue. As a result, the ESXi host might fail with a purple diagnostic screen and a messages similar to [email protected]#nover+0x1018 stack: 0xXXXXX and Addr3ResolvePhysVector@esx#nover+0x68 stack: 0xXXXX in the backtrace.
- In some cases, while an ESXi host boots, some dynamically discovered iSCSI targets might get deleted. As a result, after the boot completes, you might no longer see some iSCSI LUNs. The issue is more likely to occur in environments with Challenge-Handshake Authentication Protocol
  (CHAP) enabled for iSCSI.
- In busy environments with many rescans by using a software iSCSI adapter, the VMware Host Client might intermittently stop displaying the adapter. The issue occurs only with target arrays which return target portals with both IPv4 and IPv6 addresses during discovery by using the SendTargets method.
- A rare issue with calculating the Max Queue Depth per datastore device might cause queue depth mismatch warnings from the underlying SCSI layer. As a result, when you disable Storage I/O Control on datastores, you might see high read I/O on all ESXi hosts.
- Due to missing configuration for stats-log in the file /etc/vmware/vvold/config.xml, you might see multiple -1.log files to fill up the /ramdisk partition after an upgrade to ESXi 7.0 Update 3 and later.
- If a username or password in a network proxy contains any escape character, the environment fails to send network requests through the proxy.
- If you configure an NTP server on an ESXi host with additional parameters along with hostname, such as min_poll or max_poll, the command esxcli system ntp test might fail to resolve the IP address of that server. This issue occurs because in such configurations, the NTP name resolution applies to the entire server config instead of just the host name.
- After upgrading to ESXi 7.0 Update 2 and later, a virtual machine might not discover some USB devices attached to it, such as an Eaton USB UPS, and fail to communicate with the device properly.
- If you clone a VM, including the guest customization specs, move the VMDK file to another datastore and make it thick provisioned, and then power on the VM, the guest OS customization might not be preserved. In the hostd logs, you see an Event Type Description such as The customization component failed to set the required parameters inside the guest operating system.
  The issue occurs because while moving the VMDK file of the cloned VM to another datastore, the new pathName for the guest OS customization might temporarily be the same as the oldPathName and the package gets deleted.
- Improper sizing of the resource needs for the hostd service on an ESXi host might cause some virtual machine-related tasks to fail when you use vSphere APIs for I/O Filtering (VAIO) for VMware or third-party backup applications. For example, when a VAIO filter is attached to one or more virtual disks of a virtual machine, such VMs might fail to perform backups or power-on after a backup.
- A rare file corruption issue might occur when multiple ESXi hosts do a simultaneous file append operation on an NFSv3 datastore. As a result, if you use the Govc open source command-line utility to perform administrative actions on a vCenter instance, you might see reports with inconsistent values. For example, if you run the command govc disk.ls to list all FCDs in a newly created datastore, you see a different number of disks from what you expect.
- In rare cases, when a VMFS volume is closed immediately after it is opened, one of the threads in the opening process might race with a thread in the closing process and take a rare error handling path that can exit without unlocking a locked spinlock. As a result, the ESXi host might fail with a purple diagnostic screen with a message in the backtrace such as: @BlueScreen: VERIFY bora/vmkernel/sched/cpusched.c:11154.
- Due to reservation conflicts, WSFC applications might lose connectivity to a virtual volume-based disk after a rebind operation on that disk.
- In rare situations, the management agent that vSphere HA deploys on ESXi hosts, Fault Domain Manager (FDM), might fail to acquire a vSAN datastore in the first attempt before an exceptional condition, such as power outage, occurs. As a result, vSphere HA failover for virtual machines on that datastore might not be successful. In the vSphere Client, you see a message such as This virtual machine failed to become vSphere HA Protected and HA may not attempt to restart it after a failure. Successive attempts of FDM to acquire the vSAN datastore might also fail.
- In the sustainability metrics in VMware vRealize Operations, you might see the value of Power|Total Energy (Wh) per virtual machine higher than the ESXi host on which the VM is hosted. The issue occurs because after measuring the total energy consumed by the VM, the power.energy performance counter is calculated and reported in millijoules instead of joules.
- In ESXi hosts running on AMD processors, Windows virtual machines of hardware version 19 with VBS enabled might fail with a blue diagnostic screen due to a processor mode misconfiguration error. In the vmware.log file, you see errors such as vcpu-0 - WinBSOD: Synthetic MSR[0xx0000x00] 0xxxx.
- Due to an internal error, even if a CPU model is listed as supported in the VMware Compatibility Guide, in the vSphere Client you might see a warning such as The CPU on the host is not supported by the image during a compliance scan by using a vSphere Lifecycle Manager image. The warning does not prevent you from completing an update or upgrade.
- When you migrate virtual machines with VBS enabled that reside on ESXi hosts running on AMD processors, such VMs might fail with a blue diagnostic screen on the target host due to a guest interruptibility state error.
- When you override a networking policy such as Teaming, Security, or Shaping for a port group, and then revert the change, after a reboot of the ESXi host, you might still see the override setting. For example, if you accept promiscuous mode activation on a port group level, then revert the mode back to Reject, and reboot the ESXi host, the setting is still Accept.
- Your remote web server might contain an HTML form field that has an input of type password and username where the autocomplete attribute is not set to off. As a result, you might see a warning by security scanners such as AutoComplete Attribute Not Disabled for Password in Form Based Authentication. The setting of the autocomplete attribute to on does not directly put a risk on web servers, but in certain browsers, user credentials in such forms might be saved and potentially lead to a loss of confidentiality.
- vSAN Distributed File System (vDFS) objects do not support IOPS limit. You cannot set the IOPS limit for vSAN file service objects.
- In vSphere Client, when you navigate to Configure > Hardware > Overview, for some servers you do not see any asset tag listed.
- When you upgrade a vSAN host from a pre-6.2 release to 7.0 or later, the VMkernel port tagging for vSAN might be lost. If this occurs, vSAN networking configuration is missing after the upgrade.
- You cannot enable vSAN File Service if the vCenter does not have Internet access.
- In rare cases, when a data breakpoint is enabled in the guest OS of virtual machines, during checkpoint resume or after a vSphere vMotion migration, an internal virtualization data structure might be accessed before it is allocated. As a result, the virtual machines crash with core dump and an error such as:
  
  vcpu-1:VMM fault 14: src=MONITOR rip=0xfffffffffc0XXe00 regs=0xfffffffffcXXXdc0 LBR stack=0xfffffffffcXXXaXX.
- When NICs using the ntg3 driver such as Broadcom BCM5719 and BCM5720 are connected to certain models of Dell switches, including but not limited to S4128T-ON and S3048-ON, such NICs might incorrectly drop some of the received packets greater than 6700 bytes. This might cause very low network performance or loss of connectivity.
- In case of an extended header format in the NVMe to SCSI translation layer, third-party multipathing plug-ins such as PowerPath might not account for the extended header size of 4 bytes. As a result, in the vmkernel.log, you see an Invalid length RTPG Descriptor warning.
- When installing ESXi or creating a VMFS datastore on an NVMe device, the native NVMe driver might need to handle a Compare and Write fused operation. According to NVMe specs, the Compare and Write commands must be inserted next to each other in the same Submission Queue, and the Submission Queue Tail doorbell pointer update must indicate both commands as part of one doorbell update. The native NVMe driver puts the two commands together in one Submission Queue, but writes the doorbell for each command separately. As a result, the device firmware might complete the fused commands with an error and fail to create a VMFS datastore. Since creating a VMFS datastore on a device is a prerequisite for successful ESXi installation, you might not be able to install ESXi on such NVMe devices.
- If the vSAN health check indicates that an NVMe device cannot be identified, the warning might not be cleared after you correctly select the device model.

ESXi-7.0U3l-21424296-no-tools

Profile Name	ESXi-7.0U3l-21424296-no-tools
Build	For build information, see Patches Contained in this Release.
Vendor	VMware, Inc.
Release Date	March 30, 2023
Acceptance Level	PartnerSupported
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMware_bootbank_esx-dvfilter-generic-fastpath_7.0.3-0.85.21424296 VMware_bootbank_vsan_7.0.3-0.85.21424296 VMware_bootbank_bmcal_7.0.3-0.85.21424296 VMware_bootbank_crx_7.0.3-0.85.21424296 VMware_bootbank_esx-ui_2.9.2-21141530 VMware_bootbank_esxio-combiner_7.0.3-0.85.21424296 VMware_bootbank_vsanhealth_7.0.3-0.85.21424296 VMware_bootbank_native-misc-drivers_7.0.3-0.85.21424296 VMware_bootbank_gc_7.0.3-0.85.21424296 VMware_bootbank_cpu-microcode_7.0.3-0.85.21424296 VMware_bootbank_vdfs_7.0.3-0.85.21424296 VMware_bootbank_esx-xserver_7.0.3-0.85.21424296 VMware_bootbank_esx-base_7.0.3-0.85.21424296 VMware_bootbank_trx_7.0.3-0.85.21424296 VMware_bootbank_esx-update_7.0.3-0.85.21424296 VMware_bootbank_loadesx_7.0.3-0.85.21424296 VMW_bootbank_ntg3_4.1.9.0-4vmw.703.0.85.21424296 VMW_bootbank_vmkusb_0.1-8vmw.703.0.85.21424296 VMW_bootbank_nvme-pcie_1.2.3.16-2vmw.703.0.85.21424296
PRs Fixed	3057026, 3062185, 3040049, 3061156, 3023389, 3062861, 3089449, 3081870, 3082900, 3033157, 3090683, 3075786, 3074392, 3081275, 3080022, 3083314, 3084812, 3074360, 3092270, 3076977, 3051685, 3082477, 3082282, 3082427, 3077163, 3087219, 3074187, 3082431, 3050562, 3072430, 3077072, 3077060, 3046875, 3082991, 3083473, 3051059, 3091256, 3074912, 3058993, 3063987, 3072500, 3060661, 3076188, 3049652, 2902475, 3087946, 3116848, 3010502, 3118090, 3078875, 3069298, 3074121, 3083426, 3086841, 3104368, 3061328
Related CVE numbers	CVE-2023-1017, CVE-2023-1018

This patch updates the following issues:
- In the vSphere Client and the ESXi Host Client, you might see incorrect number of sockets and respectively cores per socket when you change the NPS setting on an AMD EPYC 9004 server from the default of 1, or Auto, to another value, such as 2 or 4.
- Due to a rare race condition during a Fast Suspend Resume (FSR) operation on a VM with shared pages between VMs, ESXi hosts might fail with a purple diagnostic screen with an error such as PFrame_IsBackedByLPage in the backtrace. The issue occurs during vSphere Storage vMotion operations or hot-adding a device.
- Packet capture with the -c option of the pktcap-uw utlity in heavy network traffic might be slower than packet capture without the option. You might also see a delay in capturing packets, so that the last package counted has a timestap few seconds earlier than the stop time of the function. The issue results from the File_GetSize function to check file sizes, which is slow in VMFS environments and causes low performance of pktcap-uw.
- In the syslog file you might see frequent log messages such as:
  2022-03-27T00:xx:xx.xxxx dcbd[xxxx]: [info] *** Received pre-CEE DCBX Packet on port: vmnicX
  2022-03-27T00:xx:xx.xxxx dcbd[xxxx]: [info]2022-03-27T00:xx:xx.xxxx dcbd[xxxx]: [info] Src MAC: xc:xc:X0:0X:xc:xx
  2022-03-27T00:xx:xx.xxxx dcbd[xxxx]: [info] Dest MAC: X0:xb:xb:fx:0X:X1
  2022-03-27T00:xx:xx.xxxx dcbd[xxxx]: [info] 2022-03-27T00:xx:xx.xxxx dcbd[xxxx]: [info] Port ID TLV:
  2022-03-27T00:xx:xx.xxxx dcbd[xxxx]: [info] ifName:
  
  The issue occurs because the Data Center Bridging (DCB) daemon, dcbd, on the ESXi host records unnecessary messages at /var/log/syslog.log. As a result, the log file might quickly fill up with dcbd logs.
- In some cases, a timed-wait system call in the VMkernel might return too early. As a result, some applications, such as the System Health Agent, might take up to 100% of the CPU usage on one of the ESXi host cores.
- Due to an issue with the IPv6 loopback interfaces, you might not see virtual machine image details in the Summary tab of the vSphere Client.
- If the number of paths from an ESXi host using NMP SATP ALUA to storage exceed 255, ESXi ignores part of the ALUA information reported by the target and incorrectly retains some of the path state as active optimised. As a result, some I/Os use the non-optimised path to the storage device and cause latency issues..
- In some cases, during an ESXi host shutdown, helper queues of device probe requests get deleted, but the reference to the device remains. As a result, the ESXi host reboot stops with a message such as initializing init_VMKernelShutdownHelper: (14/39) ShutdownSCSICleanupForDevTearDown in the Direct Console User Interface (DCUI).
- Due to a race condition during an Instant Clone operation, VM memory pages might be corrupted and the ESXi host might fail with a purple diagnostic screen. You see errors such as VmMemMigrate_MarkPagesCow or AsyncRemapProcessVMRemapList in the backtrace.
- In some environments with SATP plug-ins such as satp_alua and satp_alua_cx, bringing all paths to a LUN online might require several scans. As a result, a storage failover operation might take long. For example, with 4 paths to a LUN, it might take up to 20 minutes to bring the 4 paths online.
- After vSphere vMotion operations across vCenter Server instances for VMs that have vSphere tags, it is possible that the tags do not exist in the target location. The issue only occurs in migration operations between vCenter Server instances that do not share storage.
- When you set the multicast filter mode of an NSX Virtual Switch for NVDS, the mode might intermittently revert from legacy to snooping.
- When you run a Nessus scan, which internally runs a SYN scan, to detect active ports on an ESXi host, the iofiltervpd service might shut down. The service cannot be restarted within the max retry attempts due to the SYN scan.
- If a VIB containing a new kernel module is installed before you run any of the restore config procedures described in VMware knowledge base article 2042141, you see no change in the config after the ESXi host reboots. For example, if you attempt to restore the ESXi config immediately after installing the NSX VIB, the ESXi host reboots, but no changes in the config are visible. The issue occurs due to a logical fault in the updates of the bootbank partition used for ESXi host reboots after a new kernel module VIB is installed.
- Listing files of mounted NFS 4.1 Azure storage might not work as expected, because although the files exist and you can open them by name, the ls command on an ESXi host by using SSH does not show any files.
- Starting with ESXi 7.0 Update 1, the vpxa.cfg file no longer exists and the vpxa configuration belongs to the ESXi Configuration Store (ConfigStore). When you upgrade an ESXi host from a version earlier than 7.0 Update 1 to a later version, the fields Vpx.Vpxa.config.nfc.loglevel and Vpx.Vpxa.config.httpNfc.accessMode in the vpxa.cfg file might cause the ESXi host to fail with a purple diagnostic screen during the conversion from vpxa.cfg format to ConfigStore format. The issue occurs due to discrepancies in the NFC log level between vpxa.cfg and ConfigStore, and case-sensitive values.
- In rare cases, multiple concurrent open and close operations on datastores, for example when vSphere DRS triggers multiple migration tasks, might cause some VMs to take longer to complete in-flight disk I/Os. As a result, such virtual machines might take longer to respond or become unresponsive for a short time. The issue is more likely to occur on VMs that have multiple virtual disks over different datastores.
- During an API call to reload a virtual machine from one ESXi host to another, the externalId in the VM port data file might be lost. As a result, after the VM reloads, the VM virtual NIC might not be able to connect to a LSP.
- After upgrading to ESXi 7.0 Update 3i, you might not be able to attach an existing virtual machine disk (VMDK) to a VM by using the VMware Host Client, which is used to connect to and manage single ESXi hosts. The issue does not affect the vSphere Client.
- Due to a race condition between the Create and Delete resource pool workflows, a freed pointer in the VMFS resource pool cache might get dereferenced. As a result, ESXi hosts might fail with a purple diagnostic screen and error such as:
  @BlueScreen: #PF Exception 14 in world 2105491:res3HelperQu IP 0x420032a21f55 addr 0x0
- With the batch QueryUnresolvedVmfsVolume API, you can query and list unresolved VMFS volumes or LUN snapshots. You can then use other batch APIs to perform operations, such as re-signaturing specific unresolved VMFS volumes. By default, when the API QueryUnresolvedVmfsVolume is invoked on a host, the system performs an additional filesystem liveness check for all unresolved volumes that are found. The liveness check detects whether the specified LUN is mounted on other hosts, whether an active VMFS heartbeat is in progress, or if there is any filesystem activity. This operation is time consuming and requires at least 16 seconds per LUN. As a result, when your environment has a large number of snapshot LUNs, the query and listing operation might take significant time.
- This problem can occur when vCenter manages multiple clusters, and the vCenter VM runs on one of the clusters. If you shut down the cluster where the vCenter VM resides, the following error can occur during the shutdown operation: 'NoneType' object has no attribute '_moId'. The vCenter VM is not powered off.
- This problem can occur when vCenter manages multiple clusters and runs several shut down and restart cluster operations in parallel. For example, if you shut down 3 clusters and restart the vSAN health service or the vCenter VM, and you restart one of the 3 clusters before the others, the Restart Cluster option might be available for the first vSAN cluster, but not for the other clusters.
- Unexpected time drift can occur intermittently on a vSAN cluster when a single vCenter Server manages several vSAN clusters, due to internal delays in VPXA requests. In the vSphere Client, in the vSAN Health tab, you see the status of Time is synchronized across hosts and VC changing from green to yellow and back to green.
- When you enable the ToolsRamdisk advanced option that makes sure the /vmtools partition is always on a RAM disk rather than on a USB or SD-card, installing or updating the tools-light VIB does not update the content of the RAM disk automatically. Instead, you must reboot the host so that the RAM disk updates and the new VM Tools version is available for the VMs.
- A rare race condition caused by memory reclamation for some performance optimization processes in vSphere vMotion might cause ESXi hosts to fail with a purple diagnostic screen.
- If your environment has both small and large file block clusters mapped to one affinity rule, when you add a cluster, the Affinity Manager might allocate more blocks for files than the actual volume of the datastore. As a result, ESXi hosts randomly fail with a purple diagnostic screen with error Exception 14 in world #######.
- This issue occurs when you view health details of any health check in the history view. In the vSphere Client, in the Skyline Health tab, you see a message such as No data available for the selected time period. The issue occurs when a query to the historical health records fails due to timestamps with an incorrect time zone.
- The logger command of some logger clients might not pass the right facility code to the ESXi syslog daemon and cause incorrect facility or severity values in ESXi syslog log messages.
- In rare cases, in a heavy workload, two LVM tasks that perform updating and querying on the device schedule in an ESXi host might run in parallel and cause a synchronization issue. As a result, the ESXi host might fail with a purple diagnostic screen and a messages similar to [email protected]#nover+0x1018 stack: 0xXXXXX and Addr3ResolvePhysVector@esx#nover+0x68 stack: 0xXXXX in the backtrace.
- In some cases, while an ESXi host boots, some dynamically discovered iSCSI targets might get deleted. As a result, after the boot completes, you might no longer see some iSCSI LUNs. The issue is more likely to occur in environments with Challenge-Handshake Authentication Protocol
  (CHAP) enabled for iSCSI.
- In busy environments with many rescans by using a software iSCSI adapter, the VMware Host Client might intermittently stop displaying the adapter. The issue occurs only with target arrays which return target portals with both IPv4 and IPv6 addresses during discovery by using the SendTargets method.
- A rare issue with calculating the Max Queue Depth per datastore device might cause queue depth mismatch warnings from the underlying SCSI layer. As a result, when you disable Storage I/O Control on datastores, you might see high read I/O on all ESXi hosts.
- Due to missing configuration for stats-log in the file /etc/vmware/vvold/config.xml, you might see multiple -1.log files to fill up the /ramdisk partition after an upgrade to ESXi 7.0 Update 3 and later.
- If a username or password in a network proxy contains any escape character, the environment fails to send network requests through the proxy.
- If you configure an NTP server on an ESXi host with additional parameters along with hostname, such as min_poll or max_poll, the command esxcli system ntp test might fail to resolve the IP address of that server. This issue occurs because in such configurations, the NTP name resolution applies to the entire server config instead of just the host name.
- After upgrading to ESXi 7.0 Update 2 and later, a virtual machine might not discover some USB devices attached to it, such as an Eaton USB UPS, and fail to communicate with the device properly.
- If you clone a VM, including the guest customization specs, move the VMDK file to another datastore and make it thick provisioned, and then power on the VM, the guest OS customization might not be preserved. In the hostd logs, you see an Event Type Description such as The customization component failed to set the required parameters inside the guest operating system.
  The issue occurs because while moving the VMDK file of the cloned VM to another datastore, the new pathName for the guest OS customization might temporarily be the same as the oldPathName and the package gets deleted.
- Improper sizing of the resource needs for the hostd service on an ESXi host might cause some virtual machine-related tasks to fail when you use vSphere APIs for I/O Filtering (VAIO) for VMware or third-party backup applications. For example, when a VAIO filter is attached to one or more virtual disks of a virtual machine, such VMs might fail to perform backups or power-on after a backup.
- A rare file corruption issue might occur when multiple ESXi hosts do a simultaneous file append operation on an NFSv3 datastore. As a result, if you use the Govc open source command-line utility to perform administrative actions on a vCenter instance, you might see reports with inconsistent values. For example, if you run the command govc disk.ls to list all FCDs in a newly created datastore, you see a different number of disks from what you expect.
- In rare cases, when a VMFS volume is closed immediately after it is opened, one of the threads in the opening process might race with a thread in the closing process and take a rare error handling path that can exit without unlocking a locked spinlock. As a result, the ESXi host might fail with a purple diagnostic screen with a message in the backtrace such as: @BlueScreen: VERIFY bora/vmkernel/sched/cpusched.c:11154.
- Due to reservation conflicts, WSFC applications might lose connectivity to a virtual volume-based disk after a rebind operation on that disk.
- In rare situations, the management agent that vSphere HA deploys on ESXi hosts, Fault Domain Manager (FDM), might fail to acquire a vSAN datastore in the first attempt before an exceptional condition, such as power outage, occurs. As a result, vSphere HA failover for virtual machines on that datastore might not be successful. In the vSphere Client, you see a message such as This virtual machine failed to become vSphere HA Protected and HA may not attempt to restart it after a failure. Successive attempts of FDM to acquire the vSAN datastore might also fail.
- In the sustainability metrics in VMware vRealize Operations, you might see the value of Power|Total Energy (Wh) per virtual machine higher than the ESXi host on which the VM is hosted. The issue occurs because after measuring the total energy consumed by the VM, the power.energy performance counter is calculated and reported in millijoules instead of joules.
- In ESXi hosts running on AMD processors, Windows virtual machines of hardware version 19 with VBS enabled might fail with a blue diagnostic screen due to a processor mode misconfiguration error. In the vmware.log file, you see errors such as vcpu-0 - WinBSOD: Synthetic MSR[0xx0000x00] 0xxxx.
- Due to an internal error, even if a CPU model is listed as supported in the VMware Compatibility Guide, in the vSphere Client you might see a warning such as The CPU on the host is not supported by the image during a compliance scan by using a vSphere Lifecycle Manager image. The warning does not prevent you from completing an update or upgrade.
- When you migrate virtual machines with VBS enabled that reside on ESXi hosts running on AMD processors, such VMs might fail with a blue diagnostic screen on the target host due to a guest interruptibility state error.
- When you override a networking policy such as Teaming, Security, or Shaping for a port group, and then revert the change, after a reboot of the ESXi host, you might still see the override setting. For example, if you accept promiscuous mode activation on a port group level, then revert the mode back to Reject, and reboot the ESXi host, the setting is still Accept.
- Your remote web server might contain an HTML form field that has an input of type password and username where the autocomplete attribute is not set to off. As a result, you might see a warning by security scanners such as AutoComplete Attribute Not Disabled for Password in Form Based Authentication. The setting of the autocomplete attribute to on does not directly put a risk on web servers, but in certain browsers, user credentials in such forms might be saved and potentially lead to a loss of confidentiality.
- vSAN Distributed File System (vDFS) objects do not support IOPS limit. You cannot set the IOPS limit for vSAN file service objects.
- In vSphere Client, when you navigate to Configure > Hardware > Overview, for some servers you do not see any asset tag listed.
- When you upgrade a vSAN host from a pre-6.2 release to 7.0 or later, the VMkernel port tagging for vSAN might be lost. If this occurs, vSAN networking configuration is missing after the upgrade.
- You cannot enable vSAN File Service if the vCenter does not have Internet access.
- In rare cases, when a data breakpoint is enabled in the guest OS of virtual machines, during checkpoint resume or after a vSphere vMotion migration, an internal virtualization data structure might be accessed before it is allocated. As a result, the virtual machines crash with core dump and an error such as:
  
  vcpu-1:VMM fault 14: src=MONITOR rip=0xfffffffffc0XXe00 regs=0xfffffffffcXXXdc0 LBR stack=0xfffffffffcXXXaXX.
- When NICs using the ntg3 driver such as Broadcom BCM5719 and BCM5720 are connected to certain models of Dell switches, including but not limited to S4128T-ON and S3048-ON, such NICs might incorrectly drop some of the received packets greater than 6700 bytes. This might cause very low network performance or loss of connectivity.
- In case of an extended header format in the NVMe to SCSI translation layer, third-party multipathing plug-ins such as PowerPath might not account for the extended header size of 4 bytes. As a result, in the vmkernel.log, you see an Invalid length RTPG Descriptor warning.
- When installing ESXi or creating a VMFS datastore on an NVMe device, the native NVMe driver might need to handle a Compare and Write fused operation. According to NVMe specs, the Compare and Write commands must be inserted next to each other in the same Submission Queue, and the Submission Queue Tail doorbell pointer update must indicate both commands as part of one doorbell update. The native NVMe driver puts the two commands together in one Submission Queue, but writes the doorbell for each command separately. As a result, the device firmware might complete the fused commands with an error and fail to create a VMFS datastore. Since creating a VMFS datastore on a device is a prerequisite for successful ESXi installation, you might not be able to install ESXi on such NVMe devices.
- If the vSAN health check indicates that an NVMe device cannot be identified, the warning might not be cleared after you correctly select the device model.

ESXi-7.0U3l-21422485-standard

Profile Name	ESXi-7.0U3l-21422485-standard
Build	For build information, see Patches Contained in this Release.
Vendor	VMware, Inc.
Release Date	March 30, 2023
Acceptance Level	PartnerSupported
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMware_bootbank_esx-dvfilter-generic-fastpath_7.0.3-0.80.21422485 VMware_bootbank_vdfs_7.0.3-0.80.21422485 VMware_bootbank_cpu-microcode_7.0.3-0.80.21422485 VMware_bootbank_crx_7.0.3-0.80.21422485 VMware_bootbank_esx-xserver_7.0.3-0.80.21422485 VMware_bootbank_vsanhealth_7.0.3-0.80.21422485 VMware_bootbank_vsan_7.0.3-0.80.21422485 VMware_bootbank_esx-ui_2.9.2-21141530 VMware_bootbank_esxio-combiner_7.0.3-0.80.21422485 VMware_bootbank_native-misc-drivers_7.0.3-0.80.21422485 VMware_bootbank_esx-base_7.0.3-0.80.21422485 VMware_bootbank_gc_7.0.3-0.80.21422485 VMware_bootbank_bmcal_7.0.3-0.80.21422485 VMware_bootbank_trx_7.0.3-0.80.21422485 VMware_bootbank_loadesx_7.0.3-0.80.21422485 VMware_bootbank_esx-update_7.0.3-0.80.21422485 VMware_locker_tools-light_12.1.5.20735119-21422485
PRs Fixed	3091480
Related CVE numbers	CVE-2023-1017, CVE-2023-1018

This patch updates the following issues:
- The Python package is updated to versions 3.8.16/3.5.10.
- The ESXi userworld libxml2 library is updated to version 2.10.3.
- The cURL library is updated to version 7.86.0.
- The Expat XML parser is updated to version 2.5.0.
- The SQLite database is updated to version 3.40.1.
- The zlib library is updated to 1.2.13.
- The following VMware Tools ISO images are bundled with ESXi 7.0 Update 3l:
  - windows.iso: VMware Tools 12.1.5 supports Windows 7 SP1 or Windows Server 2008 R2 SP1 and later.
  - linux.iso: VMware Tools 10.3.25 ISO image for Linux OS with glibc 2.11 or later.
  The following VMware Tools ISO images are available for download:
  - VMware Tools 11.0.6:
    - windows.iso: for Windows Vista (SP2) and Windows Server 2008 Service Pack 2 (SP2).
  - VMware Tools 10.0.12:
    - winPreVista.iso: for Windows 2000, Windows XP, and Windows 2003.
    - linuxPreGLibc25.iso: supports Linux guest operating systems earlier than Red Hat Enterprise Linux (RHEL) 5, SUSE Linux Enterprise Server (SLES) 11, Ubuntu 7.04, and other distributions with glibc version earlier than 2.5.
  - solaris.iso: VMware Tools image 10.3.10 for Solaris.
  - darwin.iso: Supports Mac OS X versions 10.11 and later. VMware Tools 12.1.0 was the last regular release for macOS. Refer VMware knowledge base article 88698 for details.
  Follow the procedures listed in the following documents to download VMware Tools for platforms not bundled with ESXi:

ESXi-7.0U3l-21422485-no-tools

Profile Name	ESXi-7.0U3l-21422485-no-tools
Build	For build information, see Patches Contained in this Release.
Vendor	VMware, Inc.
Release Date	March 30, 2023
Acceptance Level	PartnerSupported
Affected Hardware	N/A
Affected Software	N/A
Affected VIBs	VMware_bootbank_esx-dvfilter-generic-fastpath_7.0.3-0.80.21422485 VMware_bootbank_vdfs_7.0.3-0.80.21422485 VMware_bootbank_cpu-microcode_7.0.3-0.80.21422485 VMware_bootbank_crx_7.0.3-0.80.21422485 VMware_bootbank_esx-xserver_7.0.3-0.80.21422485 VMware_bootbank_vsanhealth_7.0.3-0.80.21422485 VMware_bootbank_vsan_7.0.3-0.80.21422485 VMware_bootbank_esx-ui_2.9.2-21141530 VMware_bootbank_esxio-combiner_7.0.3-0.80.21422485 VMware_bootbank_native-misc-drivers_7.0.3-0.80.21422485 VMware_bootbank_esx-base_7.0.3-0.80.21422485 VMware_bootbank_gc_7.0.3-0.80.21422485 VMware_bootbank_bmcal_7.0.3-0.80.21422485 VMware_bootbank_trx_7.0.3-0.80.21422485 VMware_bootbank_loadesx_7.0.3-0.80.21422485 VMware_bootbank_esx-update_7.0.3-0.80.21422485
PRs Fixed	3091480
Related CVE numbers	CVE-2023-1017, CVE-2023-1018

This patch updates the following issues:
- The Python package is updated to versions 3.8.16/3.5.10.
- The ESXi userworld libxml2 library is updated to version 2.10.3.
- The cURL library is updated to version 7.86.0.
- The Expat XML parser is updated to version 2.5.0.
- The SQLite database is updated to version 3.40.1.
- The zlib library is updated to 1.2.13.
- The following VMware Tools ISO images are bundled with ESXi 7.0 Update 3l:
  - windows.iso: VMware Tools 12.1.5 supports Windows 7 SP1 or Windows Server 2008 R2 SP1 and later.
  - linux.iso: VMware Tools 10.3.25 ISO image for Linux OS with glibc 2.11 or later.
  The following VMware Tools ISO images are available for download:
  - VMware Tools 11.0.6:
    - windows.iso: for Windows Vista (SP2) and Windows Server 2008 Service Pack 2 (SP2).
  - VMware Tools 10.0.12:
    - winPreVista.iso: for Windows 2000, Windows XP, and Windows 2003.
    - linuxPreGLibc25.iso: supports Linux guest operating systems earlier than Red Hat Enterprise Linux (RHEL) 5, SUSE Linux Enterprise Server (SLES) 11, Ubuntu 7.04, and other distributions with glibc version earlier than 2.5.
  - solaris.iso: VMware Tools image 10.3.10 for Solaris.
  - darwin.iso: Supports Mac OS X versions 10.11 and later. VMware Tools 12.1.0 was the last regular release for macOS. Refer VMware knowledge base article 88698 for details.
  Follow the procedures listed in the following documents to download VMware Tools for platforms not bundled with ESXi:

ESXi70U3l-21424296

Name	ESXi
Version	ESXi70U3l-21424296
Release Date	March 30, 2023
Category	Bugfix
Affected Components	ESXi Component - core ESXi VIBs ESXi Install/Upgrade Component Broadcom NetXtreme I ESX VMKAPI ethernet driver Non-Volatile memory controller driver USB Native Driver for VMware
PRs Fixed	3057026, 3062185, 3040049, 3061156, 3023389, 3062861, 3089449, 3081870, 3082900, 3033157, 3090683, 3075786, 3074392, 3081275, 3080022, 3083314, 3084812, 3074360, 3092270, 3076977, 3051685, 3082477, 3082282, 3082427, 3077163, 3087219, 3074187, 3082431, 3050562, 3072430, 3077072, 3077060, 3046875, 3082991, 3083473, 3051059, 3091256, 3074912, 3058993, 3063987, 3072500, 3060661, 3076188, 3049652, 2902475, 3087946, 3116848, 3010502, 3118090, 3078875, 3069298, 3074121, 3083426, 3086841, 3104368, 3061328
Related CVE numbers	CVE-2023-1017, CVE-2023-1018

ESXi70U3sl-21422485

Name	ESXi
Version	ESXi70U3sl-21422485
Release Date	March 30, 2023
Category	Security
Affected Components	ESXi Component - core ESXi VIBs ESXi Install/Upgrade Component ESXi Tools Component
PRs Fixed	3091480
Related CVE numbers	CVE-2023-1017, CVE-2023-1018

Known Issues

The known issues are grouped as follows.

Installation, Upgrade and Migration Issues
Known Issues from Previous Releases

Installation, Upgrade and Migration Issues

After an upgrade to ESXi 7.0 Update 3l, some ESXi hosts and virtual machines connected to virtual switches might lose network
After an upgrade to ESXi 7.0 Update 3l, some ESXi hosts, their VMs, and other VMkernel ports, such as ports used by vSAN and vSphere Replication, which are connected to virtual switches, might lose connectivity due to an unexpected change in the NIC teaming policy. For example, the teaming policy on a portgroup might change to Route Based on Originating Virtual Port from Route Based on IP Hash. As a result, such a portgroup might lose network connectivity and some ESXi hosts and their VMs become inaccessible.

Workaround: See VMware knowledge base article 91887.
After upgrading the ntg3 driver to version 4.1.9.0-4vmw, Broadcom NICs with fiber physical connectivity might lose network
Changes in the ntg3 driver version 4.1.9.0-4vmw might cause link issues for the fiber physical layer and connectivity on some NICs, such as Broadcom 1Gb, fails to come up.

Workaround: See VMware knowledge base article 92035.
Corrupted VFAT partitions from a vSphere 6.7 environment might cause upgrades to ESXi 7.x to fail
Due to corrupted VFAT partitions from a vSphere 6.7 environment, repartitioning the boot disks of an ESXi host might fail during an upgrade to ESXi 7.x. As a result, you might see the following errors:
When upgrading to ESXi 7.0 Update 3l, the operation fails with a purple diagnostic screen and/or an error such as:
- An error occurred while backing up VFAT partition files before re-partitioning: Failed to calculate size for temporary Ramdisk: <error>.
- An error occurred while backing up VFAT partition files before re-partitioning: Failed to copy files to Ramdisk: <error>.
  If you use an ISO installer, you see the errors, but no purple diagnostic screen.
When upgrading to an ESXi 7.x version earlier than 7.0 Update 3l, you might see:
- Logs such as ramdisk (root) is full in the vmkwarning.log file.
- Unexpected rollback to ESXi 6.5 or 6.7 on reboot.
- The /bootbank,/altbootbank, and ESX-OSData partitions are not present.
Workaround: You must first remediate the corrupted partitions before completing the upgrade to ESXi 7.x. For more details, see VMware knowledge base article 91136.

Known Issues from Previous Releases

To view a list of previous known issues, click here.

The earlier known issues are grouped as follows.

vSAN Issues
vSphere Cluster Services Issues
Installation, Upgrade, and Migration Issues
Security Features Issues
Networking Issues
Storage Issues
vCenter Server and vSphere Client Issues
Virtual Machine Management Issues
vSphere HA and Fault Tolerance Issues
vSphere Lifecycle Manager Issues
Miscellaneous Issues
vSphere Client Issues

vSAN Issues

If you change the preferred site in a VMware vSAN Stretched Cluster, some objects might incorrectly appear as compliant
If you change the preferred site in a stretched cluster, some objects might incorrectly appear as compliant, because their policy settings might not automatically change. For example, if you configure a virtual machine to keep data at the preferred site, when you change the preferred site, data might remain on the nonpreferred site.

Workaround: Before you change a preferred site, in Advanced Settings, lower the ClomMaxCrawlCycleMinutes setting to 15 min to make sure objects policies are updated. After the change, revert the ClomMaxCrawlCycleMinutes option to the earlier value.

vSphere Cluster Services Issues

You see compatibility issues in new vCLS VMs deployed in vSphere 7.0 Update 3 environment
The default name for new vCLS VMs deployed in vSphere 7.0 Update 3 environment uses the pattern vCLS-UUID. vCLS VMs created in earlier vCenter Server versions continue to use the pattern vCLS (n). Since the use of parenthesis () is not supported by many solutions that interoperate with vSphere, you might see compatibility issues.

Workaround: Reconfigure vCLS by using retreat mode after updating to vSphere 7.0 Update 3.

Installation, Upgrade, and Migration Issues

The vCenter Upgrade/Migration pre-checks fail with "Unexpected error 87"
The vCenter Server Upgrade/Migration pre-checks fail when the Security Token Service (STS) certificate does not contain a Subject Alternative Name (SAN) field. This situation occurs when you have replaced the vCenter 5.5 Single Sign-On certificate with a custom certificate that has no SAN field, and you attempt to upgrade to vCenter Server 7.0. The upgrade considers the STS certificate invalid and the pre-checks prevent the upgrade process from continuing.

Workaround: Replace the STS certificate with a valid certificate that contains a SAN field then proceed with the vCenter Server 7.0 Upgrade/Migration.
Problems upgrading to vSphere 7.0 with pre-existing CIM providers
After upgrade, previously installed 32-bit CIM providers stop working because ESXi requires 64-bit CIM providers. Customers may lose management API functions related to CIMPDK, NDDK (native DDK), HEXDK, VAIODK (IO filters), and see errors related to uwglibc dependency.
The syslog reports module missing, "32 bit shared libraries not loaded."

Workaround: There is no workaround. The fix is to download new 64-bit CIM providers from your vendor.
Installation of 7.0 Update 1 drivers on ESXi 7.0 hosts might fail
You cannot install drivers applicable to ESXi 7.0 Update 1 on hosts that run ESXi 7.0 or 7.0b.
The operation fails with an error, such as:
VMW_bootbank_qedrntv_3.40.4.0-12vmw.701.0.0.xxxxxxx requires vmkapi_2_7_0_0, but the requirement cannot be satisfied within the ImageProfile. Please refer to the log file for more details.

Workaround: Update the ESXi host to 7.0 Update 1. Retry the driver installation.
UEFI booting of ESXi hosts might stop with an error during an update to ESXi 7.0 Update 2 from an earlier version of ESXi 7.0
If you attempt to update your environment to 7.0 Update 2 from an earlier version of ESXi 7.0 by using vSphere Lifecycle Manager patch baselines, UEFI booting of ESXi hosts might stop with an error such as:
Loading /boot.cfg Failed to load crypto64.efi Fatal error: 15 (Not found)

Workaround: For more information, see VMware knowledge base articles 83063 and 83107 .
If legacy VIBs are in use on an ESXi host, vSphere Lifecycle Manager cannot extract a desired software specification to seed to a new cluster
With vCenter Server 7.0 Update 2, you can create a new cluster by importing the desired software specification from a single reference host. However, if legacy VIBs are in use on an ESXi host, vSphere Lifecycle Manager cannot extract in the vCenter Server instance where you create the cluster a reference software specification from such a host. In the /var/log/lifecycle.log, you see messages such as:
020-11-11T06:54:03Z lifecycle: 1000082644: HostSeeding:499 ERROR Extract depot failed: Checksum doesn't match. Calculated 5b404e28e83b1387841bb417da93c8c796ef2497c8af0f79583fd54e789d8826, expected: 0947542e30b794c721e21fb595f1851b247711d0619c55489a6a8cae6675e796 2020-11-11T06:54:04Z lifecycle: 1000082644: imagemanagerctl:366 ERROR Extract depot failed. 2020-11-11T06:54:04Z lifecycle: 1000082644: imagemanagerctl:145 ERROR [VibChecksumError]

Workaround: Follow the steps described in VMware knowledge base article 83042.
You see a short burst of log messages in the syslog.log after every ESXi boot
After updating to ESXi 7.0 Update 2, you might see a short burst of log messages after every ESXi boot.
Such logs do not indicate any issue with ESXi and you can ignore these messages. For example:
2021-01-19T22:44:22Z watchdog-vaai-nasd: '/usr/lib/vmware/nfs/bin/vaai-nasd -f' exited after 0 seconds (quick failure 127) 1 2021-01-19T22:44:22Z watchdog-vaai-nasd: Executing '/usr/lib/vmware/nfs/bin/vaai-nasd -f' 2021-01-19T22:44:22.990Z aainasd[1000051135]: Log for VAAI-NAS Daemon for NFS version=1.0 build=build-00000 option=DEBUG 2021-01-19T22:44:22.990Z vaainasd[1000051135]: DictionaryLoadFile: No entries loaded by dictionary. 2021-01-19T22:44:22.990Z vaainasd[1000051135]: DictionaryLoad: Cannot open file "/usr/lib/vmware/config": No such file or directory. 2021-01-19T22:44:22.990Z vaainasd[1000051135]: DictionaryLoad: Cannot open file "//.vmware/config": No such file or directory. 2021-01-19T22:44:22.990Z vaainasd[1000051135]: DictionaryLoad: Cannot open file "//.vmware/preferences": No such file or directory. 2021-01-19T22:44:22.990Z vaainasd[1000051135]: Switching to VMware syslog extensions 2021-01-19T22:44:22.992Z vaainasd[1000051135]: Loading VAAI-NAS plugin(s). 2021-01-19T22:44:22.992Z vaainasd[1000051135]: DISKLIB-PLUGIN : Not loading plugin /usr/lib/vmware/nas_plugins/lib64: Not a shared library.

Workaround: None
You see warning messages for missing VIBs in vSphere Quick Boot compatibility check reports
After you upgrade to ESXi 7.0 Update 2, if you check vSphere Quick Boot compatibility of your environment by using the /usr/lib/vmware/loadesx/bin/loadESXCheckCompat.py command, you might see some warning messages for missing VIBs in the shell. For example:
Cannot find VIB(s) ... in the given VIB collection. Ignoring missing reserved VIB(s) ..., they are removed from reserved VIB IDs.
Such warnings do not indicate a compatibility issue.

Workaround: The missing VIB messages can be safely ignored and do not affect the reporting of vSphere Quick Boot compatibility. The final output line of the loadESXCheckCompat command unambiguously indicates if the host is compatible.
Auto bootstrapping a cluster that you manage with a vSphere Lifecycle Manager image fails with an error
If you attempt auto bootstrapping a cluster that you manage with a vSphere Lifecycle Manager image to perform a stateful install and overwrite the VMFS partitions, the operation fails with an error. In the support bundle, you see messages such as:
2021-02-11T19:37:43Z Host Profiles[265671 opID=MainThread]: ERROR: EngineModule::ApplyHostConfig. Exception: [Errno 30] Read-only file system

Workaround: Follow vendor guidance to clean the VMFS partition in the target host and retry the operation. Alternatively, use an empty disk. For more information on the disk-partitioning utility on ESXi, see VMware knowledge base article 1036609.
Upgrades to ESXi 7.x from 6.5.x and 6.7.0 by using ESXCLI might fail due to a space limitation
Upgrades to ESXi 7.x from 6.5.x and 6.7.0 by using the esxcli software profile update or esxcli software profile install ESXCLI commands might fail, because the ESXi bootbank might be less than the size of the image profile. In the ESXi Shell or the PowerCLI shell, you see an error such as:
```
[InstallationError]
 The pending transaction requires 244 MB free space, however the maximum supported size is 239 MB.
 Please refer to the log file for more details.
```
The issue also occurs when you attempt an ESXi host upgrade by using the ESXCLI commands esxcli software vib update or esxcli software vib install.

Workaround: You can perform the upgrade in two steps, by using the esxcli software profile update command to update ESXi hosts to ESXi 6.7 Update 1 or later, and then update to 7.0 Update 1c. Alternatively, you can run an upgrade by using an ISO image and the vSphere Lifecycle Manager.
You cannot migrate linked clones across vCenter Servers
If you migrate a linked clone across vCenter Servers, operations such as power on and delete might fail for the source virtual machine with an Invalid virtual machine state error.

Workaround: Keep linked clones on the same vCenter Server as the source VM. Alternatively, promote the linked clone to full clone before migration.
Migration across vCenter Servers of virtual machines with many virtual disks and snapshot levels to a datastore on NVMe over TCP storage might fail
Migration across vCenter Servers of virtual machines with more than 180 virtual disks and 32 snapshot levels to a datastore on NVMe over TCP storage might fail. The ESXi host preemptively fails with an error such as The migration has exceeded the maximum switchover time of 100 second(s).

Workaround: None
A virtual machine with enabled Virtual Performance Monitoring Counters (VPMC) might fail to migrate between ESXi hosts
If you try to migrate a virtual machine with enabled VPMC by using vSphere vMotion, the operation might fail if the target host is using some of the counters to compute memory or performance statistics. The operation fails with an error such as A performance counter used by the guest is not available on the host CPU.

Workaround: Power off the virtual machine and use cold migration. For more information, see VMware knowledge base article 81191.
If a live VIB install, upgrade, or remove operation immediately precedes an interactive or scripted upgrade to ESXi 7.0 Update 3 by using the installer ISO, the upgrade fails
When a VIB install, upgrade, or remove operation immediately precedes an interactive or scripted upgrade to ESXi 7.0 Update 3 by using the installer ISO, the ConfigStore might not keep some configurations of the upgrade. As a result, ESXi hosts become inaccessible after the upgrade operation, although the upgrade seems successful. To prevent this issue, the ESXi 7.0 Update 3 installer adds a temporary check to block such scenarios. In the ESXi installer console, you see the following error message: Live VIB installation, upgrade or removal may cause subsequent ESXi upgrade to fail when using the ISO installer.

Workaround: Use an alternative upgrade method to avoid the issue, such as using ESXCLI or the vSphere Lifecycle Manager.
Smart Card and RSA SecurID authentication might stop working after upgrading to vCenter Server 7.0
If you have configured vCenter Server for either Smart Card or RSA SecurID authentication, see the VMware knowledge base article at https://kb.vmware.com/s/article/78057 before starting the vSphere 7.0 upgrade process. If you do not perform the workaround as described in the KB, you might see the following error messages and Smart Card or RSA SecurID authentication does not work.

"Smart card authentication may stop working. Smart card settings may not be preserved, and smart card authentication may stop working."

or

"RSA SecurID authentication may stop working. RSA SecurID settings may not be preserved, and RSA SecurID authentication may stop working."

Workaround: Before upgrading to vSphere 7.0, see the VMware knowledge base article at https://kb.vmware.com/s/article/78057.
The vlanid property in custom installation scripts might not work
If you use a custom installation script that sets the vlanid property to specify a desired VLAN, the property might not take effect on newly installed ESXi hosts. The issue occurs only when a physical NIC is already connected to DHCP when the installation starts. The vlanid property works properly when you use a newly connected NIC.

Workaround: Manually set the VLAN from the Direct Console User Interface after you boot the ESXi host. Alternatively, disable the physical NIC and then boot the host.
HPE servers with Trusted Platform Module (TPM) boot, but remote attestation fails
Some HPE servers do not have enough event log space to properly finish TPM remote attestation. As a result, the VMkernel boots, but remote attestation fails due to the truncated log.

Workaround: None.
Upgrading a vCenter Server with an external Platform Services Controller from 6.7u3 to 7.0 fails with VMAFD error
When you upgrade a vCenter Server deployment using an external Platform Services Controller, you converge the Platform Services Controller into a vCenter Server appliance. If the upgrade fails with the error install.vmafd.vmdir_vdcpromo_error_21, the VMAFD firstboot process has failed. The VMAFD firstboot process copies the VMware Directory Service Database (data.mdb) from the source Platform Services Controller and replication partner vCenter Server appliance.

Workaround: Disable TCP Segmentation Offload (TSO) and Generic Segmentation Offload (GSO) on the Ethernet adapter of the source Platform Services Controller or replication partner vCenter Server appliance before upgrading a vCenter Server with an external Platform Services Controller. See Knowledge Base article: https://kb.vmware.com/s/article/74678
Smart card and RSA SecurID settings may not be preserved during vCenter Server upgrade
Authentication using RSA SecurID will not work after upgrading to vCenter Server 7.0. An error message will alert you to this issue when attempting to login using your RSA SecurID login.

Workaround: Reconfigure the smart card or RSA SecureID.
Migration of vCenter Server for Windows to vCenter Server appliance 7.0 fails with network error message
Migration of vCenter Server for Windows to vCenter Server appliance 7.0 fails with the error message IP already exists in the network. This prevents the migration process from configuring the network parameters on the new vCenter Server appliance. For more information, examine the log file: /var/log/vmware/upgrade/UpgradeRunner.log

Workaround:
1. Verify that all Windows Updates have been completed on the source vCenter Server for Windows instance, or disable automatic Windows Updates until after the migration finishes.
2. Retry the migration of vCenter Server for Windows to vCenter Server appliance 7.0.
When you configure the number of virtual functions for an SR-IOV device by using the max_vfs module parameter, the changes might not take effect
In vSphere 7.0, you can configure the number of virtual functions for an SR-IOV device by using the Virtual Infrastructure Management (VIM) API, for example, through the vSphere Client. The task does not require reboot of the ESXi host. After you use the VIM API configuration, if you try to configure the number of SR-IOV virtual functions by using the max_vfs module parameter, the changes might not take effect because they are overridden by the VIM API configuration.

Workaround: None. To configure the number of virtual functions for an SR-IOV device, use the same method every time. Use the VIM API or use the max_vfs module parameter and reboot the ESXi host.
Upgraded vCenter Server appliance instance does not retain all the secondary networks (NICs) from the source instance
During a major upgrade, if the source instance of the vCenter Server appliance is configured with multiple secondary networks other than the VCHA NIC, the target vCenter Server instance will not retain secondary networks other than the VCHA NIC. If the source instance is configured with multiple NICs that are part of VDS port groups, the NIC configuration will not be preserved during the upgrade. Configurations for vCenter Server appliance instances that are part of the standard port group will be preserved.

Workaround: None. Manually configure the secondary network in the target vCenter Server appliance instance.
After upgrading or migrating a vCenter Server with an external Platform Services Controller, users authenticating using Active Directory lose access to the newly upgraded vCenter Server instance
After upgrading or migrating a vCenter Server with an external Platform Services Controller, if the newly upgraded vCenter Server is not joined to an Active Directory domain, users authenticating using Active Directory will lose access to the vCenter Server instance.

Workaround: Verify that the new vCenter Server instance has been joined to an Active Directory domain. See Knowledge Base article: https://kb.vmware.com/s/article/2118543
Migrating a vCenter Server for Windows with an external Platform Services Controller using an Oracle database fails
If there are non-ASCII strings in the Oracle events and tasks table the migration can fail when exporting events and tasks data. The following error message is provided: UnicodeDecodeError

Workaround: None.
After an ESXi host upgrade, a Host Profile compliance check shows non-compliant status while host remediation tasks fail
The non-compliant status indicates an inconsistency between the profile and the host.

This inconsistency might occur because ESXi 7.0 does not allow duplicate claim rules, but the profile you use contains duplicate rules. For example, if you attempt to use the Host Profile that you extracted from the host before upgrading ESXi 6.5 or ESXi 6.7 to version 7.0 and the Host Profile contains any duplicate claim rules of system default rules, you might experience the problems.

Workaround:
1. Remove any duplicate claim rules of the system default rules from the Host Profile document.
2. Check the compliance status.
3. Remediate the host.
4. If the previous steps do not help, reboot the host.
Error message displays in the vCenter Server Management Interface
After installing or upgrading to vCenter Server 7.0, when you navigate to the Update panel within the vCenter Server Management Interface, the error message "Check the URL and try again" displays. The error message does not prevent you from using the functions within the Update panel, and you can view, stage, and install any available updates.

Workaround: None.

Security Features Issues

Turn off the Service Location Protocol service in ESXi, slpd, to prevent potential security vulnerabilities
Some services in ESXi that run on top of the host operating system, including slpd, the CIM object broker, sfcbd, and the related openwsmand service, have proven security vulnerabilities. VMware has addressed all known vulnerabilities in VMSA-2019-0022 and VMSA-2020-0023, and the fixes are part of the vSphere 7.0 Update 2 release. While sfcbd and openwsmand are disabled by default in ESXi, slpd is enabled by default and you must turn it off, if not necessary, to prevent exposure to a future vulnerability after an upgrade.

Workaround: To turn off the slpd service, run the following PowerCLI commands:
$ Get-VMHost | Get-VmHostService | Where-Object {$_.key -eq “slpd”} | Set-VMHostService -policy “off” $ Get-VMHost | Get-VmHostService | Where-Object {$_.key -eq “slpd”} | Stop-VMHostService -Confirm:$false

Alternatively, you can use the command chkconfig slpd off && /etc/init.d/slpd stop.

The openwsmand service is not on the ESXi services list and you can check the service state by using the following PowerCLI commands:
$esx=(Get-EsxCli -vmhost xx.xx.xx.xx -v2) $esx.system.process.list.invoke() | where CommandLine -like '*openwsman*' | select commandline

In the ESXi services list, the sfcbd service appears as sfcbd-watchdog.

For more information, see VMware knowledge base articles 76372 and 1025757.
Encrypted virtual machine fails to power on when HA-enabled Trusted Cluster contains an unattested host
In VMware® vSphere Trust Authority™, if you have enabled HA on the Trusted Cluster and one or more hosts in the cluster fails attestation, an encrypted virtual machine cannot power on.

Workaround: Either remove or remediate all hosts that failed attestation from the Trusted Cluster.
Encrypted virtual machine fails to power on when DRS-enabled Trusted Cluster contains an unattested host
In VMware® vSphere Trust Authority™, if you have enabled DRS on the Trusted Cluster and one or more hosts in the cluster fails attestation, DRS might try to power on an encrypted virtual machine on an unattested host in the cluster. This operation puts the virtual machine in a locked state.

Workaround: Either remove or remediate all hosts that failed attestation from the Trusted Cluster.
Migrating or cloning encrypted virtual machines across vCenter Server instances fails when attempting to do so using the vSphere Client
If you try to migrate or clone an encrypted virtual machine across vCenter Server instances using the vSphere Client, the operation fails with the following error message: "The operation is not allowed in the current state."

Workaround: You must use the vSphere APIs to migrate or clone encrypted virtual machines across vCenter Server instances.

Networking Issues

Reduced throughput in networking performance on Intel 82599/X540/X550 NICs
The new queue-pair feature added to ixgben driver to improve networking performance on Intel 82599EB/X540/X550 series NICs might reduce throughput under some workloads in vSphere 7.0 as compared to vSphere 6.7.

Workaround: To achieve the same networking performance as vSphere 6.7, you can disable the queue-pair with a module parameter. To disable the queue-pair, run the command:

# esxcli system module parameters set -p "QPair=0,0,0,0..." -m ixgben

After running the command, reboot.
One or more I/O devices do not generate interrupts when the AMD IOMMU is in use
If the I/O devices on your ESXi host provide more than a total of 512 distinct interrupt sources, some sources are erroneously assigned an interrupt-remapping table entry (IRTE) index in the AMD IOMMU that is greater than the maximum value. Interrupts from such a source are lost, so the corresponding I/O device behaves as if interrupts are disabled.

Workaround: Use the ESXCLI command esxcli system settings kernel set -s iovDisableIR -v true to disable the AMD IOMMU interrupt remapper. Reboot the ESXi host so that the command takes effect.
When you set auto-negotiation on a network adapter, the device might fail
In some environments, if you set link speed to auto-negotiation for network adapters by using the command esxcli network nic set -a -n vmmicx, the devices might fail and reboot does not recover connectivity. The issue is specific to a combination of some Intel X710/X722 network adapters, a SFP+ module and a physical switch, where auto-negotiate speed/duplex scenario is not supported.

Workaround: Make sure you use an Intel-branded SFP+ module. Alternatively, use a Direct Attach Copper (DAC) cable.
Solarflare x2542 and x2541 network adapters configured in 1x100G port mode achieve throughput of up to 70Gbps in a vSphere environment
vSphere 7.0 Update 2 supports Solarflare x2542 and x2541 network adapters configured in 1x100G port mode. However, you might see a hardware limitation in the devices that causes the actual throughput to be up to some 70Gbps in a vSphere environment.

Workaround: None
VLAN traffic might fail after a NIC reset
A NIC with PCI device ID 8086:1537 might stop to send and receive VLAN tagged packets after a reset, for example, with a command vsish -e set /net/pNics/vmnic0/reset 1.

Workaround: Avoid resetting the NIC. If you already face the issue, use the following commands to restore the VLAN capability, for example at vmnic0:
# esxcli network nic software set --tagging=1 -n vmnic0 # esxcli network nic software set --tagging=0 -n vmnic0
Any change in the NetQueue balancer settings causes NetQueue to be disabled after an ESXi host reboot
Any change in the NetQueue balancer settings by using the command esxcli/localcli network nic queue loadbalancer set -n <nicname> --<lb_setting> causes NetQueue, which is enabled by default, to be disabled after an ESXi host reboot.

Workaround: After a change in the NetQueue balancer settings and host reboot, use the command configstorecli config current get -c esx -g network -k nics to retrieve ConfigStore data to verify whether the /esx/network/nics/net_queue/load_balancer/enable is working as expected.

After you run the command, you see output similar to:
{ "mac": "02:00:0e:6d:14:3e", "name": "vmnic1", "net_queue": { "load_balancer": { "dynamic_pool": true, "enable": true } }, "virtual_mac": "00:50:56:5a:21:11" }

If the output is not as expected, for example "load_balancer": "enable": false", run the following command:
esxcli/localcli network nic queue loadbalancer state set -n <nicname> -e true
Paravirtual RDMA (PVRDMA) network adapters do not support NSX networking policies
If you configure an NSX distributed virtual port for use in PVRDMA traffic, the RDMA protocol traffic over the PVRDMA network adapters does not comply with the NSX network policies.

Workaround: Do not configure NSX distributed virtual ports for use in PVRDMA traffic.
Rollback from converged vSphere Distributed Switch (VDS) to NSX-T VDS is not supported in vSphere 7.0 Update 3
Rollback from converged VDS that supports both vSphere 7 traffic and NSX-T 3 traffic on the same VDS to one N-VDS for NSX-T traffic is not supported in vSphere 7.0 Update 3.

Workaround: None
If you do not set the nmlx5 network driver module parameter, network connectivity or ESXi hosts might fail
If you do not set the supported_num_ports module parameter for the nmlx5_core driver on an ESXi host with multiple network adapters of versions Mellanox ConnectX-4, Mellanox ConnectX-5 and Mellanox ConnectX-6, the driver might not allocate sufficient memory for operating all the NIC ports for the host. As a result, you might experience network loss or ESXi host failure with purple diagnostic screen, or both.

Workaround: Set the supported_num_ports module parameter value in the nmlx5_core network driver equal to the total number of Mellanox ConnectX-4, Mellanox ConnectX-5 and Mellanox ConnectX-6 network adapter ports on the ESXi host.
High throughput virtual machines may experience degradation in network performance when Network I/O Control (NetIOC) is enabled
Virtual machines requiring high network throughput can experience throughput degradation when upgrading from vSphere 6.7 to vSphere 7.0 with NetIOC enabled.

Workaround: Adjust the ethernetx.ctxPerDev setting to enable multiple worlds.
IPv6 traffic fails to pass through VMkernel ports using IPsec
When you migrate VMkernel ports from one port group to another, IPv6 traffic does not pass through VMkernel ports using IPsec.

Workaround: Remove the IPsec security association (SA) from the affected server, and then reapply the SA. To learn how to set and remove an IPsec SA, see the vSphere Security documentation.
Higher ESX network performance with a portion of CPU usage increase
ESX network performance may increase with a portion of CPU usage.

Workaround: Remove and add the network interface with only 1 rx dispatch queue. For example:

esxcli network ip interface remove --interface-name=vmk1

esxcli network ip interface add --interface-name=vmk1 --num-rxqueue=1
VM might lose Ethernet traffic after hot-add, hot-remove or storage vMotion
A VM might stop receiving Ethernet traffic after a hot-add, hot-remove or storage vMotion. This issue affects VMs where the uplink of the VNIC has SR-IOV enabled. PVRDMA virtual NIC exhibits this issue when the uplink of the virtual network is a Mellanox RDMA capable NIC and RDMA namespaces are configured.

Workaround: You can hot-remove and hot-add the affected Ethernet NICs of the VM to restore traffic. On Linux guest operating systems, restarting the network might also resolve the issue. If these workarounds have no effect, you can reboot the VM to restore network connectivity.
Change of IP address for a VCSA deployed with static IP address requires that you create the DNS records in advance
With the introduction of the DDNS, the DNS record update only works for VCSA deployed with DHCP configured networking. While changing the IP address of the vCenter server via VAMI, the following error is displayed:

The specified IP address does not resolve to the specified hostname.

Workaround: There are two possible workarounds.
1. Create an additional DNS entry with the same FQDN and desired IP address. Log in to the VAMI and follow the steps to change the IP address.
2. Log in to the VCSA using ssh. Execute the following script:
  ./opt/vmware/share/vami/vami_config_net
  
  Use option 6 to change the IP adddress of eth0. Once changed, execute the following script:
  
  ./opt/likewise/bin/lw-update-dns
  
  Restart all the services on the VCSA to update the IP information on the DNS server.
It may take several seconds for the NSX Distributed Virtual Port Group (NSX DVPG) to be removed after deleting the corresponding logical switch in NSX Manager.
As the number of logical switches increases, it may take more time for the NSX DVPG in vCenter Server to be removed after deleting the corresponding logical switch in NSX Manager. In an environment with 12000 logical switches, it takes approximately 10 seconds for an NSX DVPG to be deleted from vCenter Server.

Workaround: None.
Hostd runs out of memory and fails if a large number of NSX Distributed Virtual port groups are created.
In vSphere 7.0, NSX Distributed Virtual port groups consume significantly larger amounts of memory than opaque networks. For this reason, NSX Distributed Virtual port groups can not support the same scale as an opaque network given the same amount of memory.

Workaround:To support the use of NSX Distributed Virtual port groups, increase the amount of memory in your ESXi hosts. If you verify that your system has adequate memory to support your VMs, you can directly increase the memory of hostd using the following command.

localcli --plugin-dir /usr/lib/vmware/esxcli/int/ sched group setmemconfig --group-path host/vim/vmvisor/hostd --units mb --min 2048 --max 2048

Note that this will cause hostd to use memory normally reserved for your environment's VMs. This may have the affect of reducing the number of VMs your ESXi host can support.
DRS may incorrectly launch vMotion if the network reservation is configured on a VM
If the network reservation is configured on a VM, it is expected that DRS only migrates the VM to a host that meets the specified requirements. In a cluster with NSX transport nodes, if some of the transport nodes join the transport zone by NSX-T Virtual Distributed Switch (N-VDS), and others by vSphere Distributed Switch (VDS) 7.0, DRS may incorrectly launch vMotion. You might encounter this issue when:
- The VM connects to an NSX logical switch configured with a network reservation.
- Some transport nodes join transport zone using N-VDS, and others by VDS 7.0, or, transport nodes join the transport zone through different VDS 7.0 instances.
Workaround: Make all transport nodes join the transport zone by N-VDS or the same VDS 7.0 instance.
When adding a VMkernel NIC (vmknic) to an NSX portgroup, vCenter Server reports the error "Connecting VMKernel adapter to a NSX Portgroup on a Stateless host is not a supported operation. Please use Distributed Port Group instead."
- For stateless ESXi on Distributed Virtual Switch (VDS), the vmknic on a NSX port group is blocked. You must instead use a Distributed Port Group.
- For stateful ESXi on VDS, vmknic on NSX port group is supported, but vSAN may have an issue if it is using vmknic on a NSX port group.
Workaround: Use a Distributed Port Group on the same VDS.
Enabling SRIOV from vCenter for QLogic 4x10GE QL41164HFCU CNA might fail
If you navigate to the Edit Settings dialog for physical network adapters and attempt to enable SR-IOV, the operation might fail when using QLogic 4x10GE QL41164HFCU CNA. Attempting to enable SR-IOV might lead to a network outage of the ESXi host.

Workaround: Use the following command on the ESXi host to enable SRIOV:

esxcfg-module
vCenter Server fails if the hosts in a cluster using Distributed Resource Scheduler (DRS) join NSX-T networking by a different Virtual Distributed Switch (VDS) or combination of NSX-T Virtual Distributed Switch (NVDS) and VDS
In vSphere 7.0, when using NSX-T networking on vSphere VDS with a DRS cluster, if the hosts do not join the NSX transport zone by the same VDS or NVDS, it can cause vCenter Server to fail.

Workaround: Have hosts in a DRS cluster join the NSX transport zone using the same VDS or NVDS.

Storage Issues

VMFS datastores are not mounted automatically after disk hot remove and hot insert on HPE Gen10 servers with SmartPQI controllers
When SATA disks on HPE Gen10 servers with SmartPQI controllers without expanders are hot removed and hot inserted back to a different disk bay of the same machine, or when multiple disks are hot removed and hot inserted back in a different order, sometimes a new local name is assigned to the disk. The VMFS datastore on that disk appears as a snapshot and will not be mounted back automatically because the device name has changed.

Workaround: None. SmartPQI controller does not support unordered hot remove and hot insert operations.

VOMA check on NVMe based VMFS datastores fails with error

VOMA check is not supported for NVMe based VMFS datastores and will fail with the error:

ERROR: Failed to reserve device. Function not implemented

Example:

# voma -m vmfs -f check -d /vmfs/devices/disks/: <partition#>
Running VMFS Checker version 2.1 in check mode
Initializing LVM metadata, Basic Checks will be done

Checking for filesystem activity
Performing filesystem liveness check..|Scanning for VMFS-6 host activity (4096 bytes/HB, 1024 HBs).
ERROR: Failed to reserve device. Function not implemented
Aborting VMFS volume check
VOMA failed to check device : General Error

Workaround: None. If you need to analyse VMFS metadata, collect it using the -l option, and pass to VMware customer support. The command for collecting the dump is:

voma -l -f dump -d /vmfs/devices/disks/:<partition#>

Using the VM reconfigure API to attach an encrypted First Class Disk to an encrypted virtual machine might fail with error
If an FCD and a VM are encrypted with different crypto keys, your attempts to attach the encrypted FCD to the encrypted VM using the VM reconfigure API might fail with the error message:
```
Cannot decrypt disk because key or password is incorrect.
```
Workaround: Use the attachDisk API rather than the VM reconfigure API to attach an encrypted FCD to an encrypted VM.
ESXi host might get in non responding state if a non-head extent of its spanned VMFS datastore enters the Permanent Device Loss (PDL) state
This problem does not occur when a non-head extent of the spanned VMFS datastore fails along with the head extent. In this case, the entire datastore becomes inaccessible and no longer allows I/Os.

In contrast, when only a non-head extent fails, but the head extent remains accessible, the datastore heartbeat appears to be normal. And the I/Os between the host and the datastore continue. However, any I/Os that depend on the failed non-head extent start failing as well. Other I/O transactions might accumulate while waiting for the failing I/Os to resolve, and cause the host to enter the non responding state.

Workaround: Fix the PDL condition of the non-head extent to resolve this issue.
Virtual NVMe Controller is the default disk controller for Windows 10 guest operating systems
The Virtual NVMe Controller is the default disk controller for the following guest operating systems when using Hardware Version 15 or later:

Windows 10
Windows Server 2016
Windows Server 2019

Some features might not be available when using a Virtual NVMe Controller. For more information, see https://kb.vmware.com/s/article/2147714

Note: Some clients use the previous default of LSI Logic SAS. This includes ESXi host client and PowerCLI.

Workaround: If you need features not available on Virtual NVMe, switch to VMware Paravirtual SCSI (PVSCSI) or LSI Logic SAS. For information on using VMware Paravirtual SCSI (PVSCSI), see https://kb.vmware.com/s/article/1010398
After an ESXi host upgrade to vSphere 7.0, presence of duplicate core claim rules might cause unexpected behavior
Claim rules determine which multipathing plugin, such as NMP, HPP, and so on, owns paths to a particular storage device. ESXi 7.0 does not support duplicate claim rules. However, the ESXi 7.0 host does not alert you if you add duplicate rules to the existing claim rules inherited through an upgrade from a legacy release. As a result of using duplicate rules, storage devices might be claimed by unintended plugins, which can cause unexpected outcome.

Workaround: Do not use duplicate core claim rules. Before adding a new claim rule, delete any existing matching claim rule.
A CNS query with the compliance status filter set might take unusually long time to complete
The CNS QueryVolume API enables you to obtain information about the CNS volumes, such as volume health and compliance status. When you check the compliance status of individual volumes, the results are obtained quickly. However, when you invoke the CNS QueryVolume API to check the compliance status of multiple volumes, several tens or hundreds, the query might perform slowly.

Workaround: Avoid using bulk queries. When you need to get compliance status, query one volume at a time or limit the number of volumes in the query API to 20 or fewer. While using the query, avoid running other CNS operations to get the best performance.
A VMFS datastore backed by an NVMe over Fabrics namespace or device might become permanently inaccessible after recovering from an APD or PDL failure
If a VMFS datastore on an ESXi host is backed by an NVMe over Fabrics namespace or device, in case of an all paths down (APD) or permanent device loss (PDL) failure, the datastore might be inaccessible even after recovery. You cannot access the datastore from either the ESXi host or the vCenter Server system.

Workaround: To recover from this state, perform a rescan on a host or cluster level. For more information, see Perform Storage Rescan.
Deleted CNS volumes might temporarily appear as existing in the CNS UI
After you delete an FCD disk that backs a CNS volume, the volume might still show up as existing in the CNS UI. However, your attempts to delete the volume fail. You might see an error message similar to the following:
The object or item referred to could not be found.

Workaround: The next full synchronization will resolve the inconsistency and correctly update the CNS UI.
Attempts to attach multiple CNS volumes to the same pod might occasionally fail with an error
When you attach multiple volumes to the same pod simultaneously, the attach operation might occasionally choose the same controller slot. As a result, only one of the operations succeeds, while other volume mounts fail.

Workaround: After Kubernetes retries the failed operation, the operation succeeds if a controller slot is available on the node VM.
Under certain circumstances, while a CNS operation fails, the task status appears as successful in the vSphere Client
This might occur when, for example, you use an incompliant storage policy to create a CNS volume. The operation fails, while the vSphere Client shows the task status as successful.

Workaround: The successful task status in the vSphere Client does not guarantee that the CNS operation succeeded. To make sure the operation succeeded, verify its results.
Unsuccessful delete operation for a CNS persistent volume might leave the volume undeleted on the vSphere datastore
This issue might occur when the CNS Delete API attempts to delete a persistent volume that is still attached to a pod. For example, when you delete the Kubernetes namespace where the pod runs. As a result, the volume gets cleared from CNS and the CNS query operation does not return the volume. However, the volume continues to reside on the datastore and cannot be deleted through the repeated CNS Delete API operations.

Workaround: None.

vCenter Server and vSphere Client Issues

Vendor providers go offline after a PNID change
When you change the vCenter IP address (PNID change), the registered vendor providers go offline.

Workaround: Re-register the vendor providers.
Cross vCenter migration of a virtual machine fails with an error
When you use cross vCenter vMotion to move a VM's storage and host to a different vCenter server instance, you might receive the error The operation is not allowed in the current state.

This error appears in the UI wizard after the Host Selection step and before the Datastore Selection step, in cases where the VM has an assigned storage policy containing host-based rules such as encryption or any other IO filter rule.

Workaround: Assign the VM and its disks to a storage policy without host-based rules. You might need to decrypt the VM if the source VM is encrypted. Then retry the cross vCenter vMotion action.
Storage Sensors information in Hardware Health tab shows incorrect values on vCenter UI, host UI, and MOB
When you navigate to Host > Monitor > Hardware Health > Storage Sensors on vCenter UI, the storage information displays either incorrect or unknown values. The same issue is observed on the host UI and the MOB path “runtime.hardwareStatusInfo.storageStatusInfo” as well.

Workaround: None.
vSphere UI host advanced settings shows the current product locker location as empty with an empty default
vSphere UI host advanced settings shows the current product locker location as empty with an empty default. This is inconsistent as the actual product location symlink is created and valid. This causes confusion to the user. The default cannot be corrected from UI.

Workaround: User can use the esxcli command on the host to correct the current product locker location default as below.

1. Remove the existing Product Locker Location setting with: "esxcli system settings advanced remove -o ProductLockerLocation"

2. Re-add the Product Locker Location setting with the appropriate default:

2.a. If the ESXi is a full installation, the default value is "/locker/packages/vmtoolsRepo" export PRODUCT_LOCKER_DEFAULT="/locker/packages/vmtoolsRepo"

2.b. If the ESXi is a PXEboot configuration such as autodeploy, the default value is: "/vmtoolsRepo" export PRODUCT_LOCKER_DEFAULT="/vmtoolsRepo"

Run the following command to automatically figure out the location: export PRODUCT_LOCKER_DEFAULT=`readlink /productLocker`

Add the setting: esxcli system settings advanced add -d "Path to VMware Tools repository" -o ProductLockerLocation -t string -s $PRODUCT_LOCKER_DEFAULT

You can combine all the above steps in step 2 by issuing the single command:

esxcli system settings advanced add -d "Path to VMware Tools repository" -o ProductLockerLocation -t string -s `readlink /productLocker`
Linked Software-Defined Data Center (SDDC) vCenter Server instances appear in the on-premises vSphere Client if a vCenter Cloud Gateway is linked to the SDDC.
When a vCenter Cloud Gateway is deployed in the same environment as an on-premises vCenter Server, and linked to an SDDC, the SDDC vCenter Server will appear in the on-premises vSphere Client. This is unexpected behavior and the linked SDDC vCenter Server should be ignored. All operations involving the linked SDDC vCenter Server should be performed on the vSphere Client running within the vCenter Cloud Gateway.

Workaround: None.

Virtual Machine Management Issues

UEFI HTTP booting of virtual machines on ESXi hosts of version earlier than 7.0 Update 2 fails
UEFI HTTP booting of virtual machines is supported only on hosts of version ESXi 7.0 Update 2 and later and VMs with HW version 19 or later.

Workaround: Use UEFI HTTP booting only in virtual machines with HW version 19 or later. Using HW version 19 ensures the virtual machines are placed only on hosts with ESXi version 7.0 Update 2 or later.
Virtual machine snapshot operations fail in vSphere Virtual Volumes datastores on Purity version 5.3.10
Virtual machine snapshot operations fail in vSphere Virtual Volumes datastores on Purity version 5.3.10 with an error such as An error occurred while saving the snapshot: The VVol target encountered a vendor specific error. The issue is specific for Purity version 5.3.10.

Workaround: Upgrade to Purity version 6.1.7 or follow vendor recommendations.
The postcustomization section of the customization script runs before the guest customization
When you run the guest customization script for a Linux guest operating system, the precustomization section of the customization script that is defined in the customization specification runs before the guest customization and the postcustomization section runs after that. If you enable Cloud-Init in the guest operating system of a virtual machine, the postcustomization section runs before the customization due to a known issue in Cloud-Init.

Workaround: Disable Cloud-Init and use the standard guest customization.
Group migration operations in vSphere vMotion, Storage vMotion, and vMotion without shared storage fail with error
When you perform group migration operations on VMs with multiple disks and multi-level snapshots, the operations might fail with the error com.vmware.vc.GenericVmConfigFault Failed waiting for data. Error 195887167. Connection closed by remote host, possibly due to timeout.

Workaround: Retry the migration operation on the failed VMs one at a time.
Deploying an OVF or OVA template from a URL fails with a 403 Forbidden error
The URLs that contain an HTTP query parameter are not supported. For example, http://webaddress.com?file=abc.ovf or the Amazon pre-signed S3 URLs.

Workaround: Download the files and deploy them from your local file system.
The third level of nested objects in a virtual machine folder is not visible
Perform the following steps:
1. Navigate to a data center and create a virtual machine folder.
2. In the virtual machine folder, create a nested virtual machine folder.
3. In the second folder, create another nested virtual machine, virtual machine folder, vApp, or VM Template.
As a result, from the VMs and Templates inventory tree you cannot see the objects in the third nested folder.

Workaround: To see the objects in the third nested folder, navigate to the second nested folder and select the VMs tab.

vSphere HA and Fault Tolerance Issues

VMs in a cluster might be orphaned after recovering from storage inaccessibility such as a cluster wide APD
Some VMs might be in orphaned state after cluster wide APD recovers, even if HA and VMCP are enabled on the cluster.

This issue might be encountered when the following conditions occur simultaneously:
- All hosts in the cluster experience APD and do not recover until VMCP timeout is reached.
- HA primary initiates failover due to APD on a host.
- Power on API during HA failover fails due to one of the following:
  - APD across the same host
  - Cascading APD across the entire cluster
  - Storage issues
  - Resource unavailability
- FDM unregistration and VCs steal VM logic might initiate during a window where FDM has not unregistered the failed VM and VC's host synchronization responds that multiple hosts are reporting the same VM. Both FDM and VC unregister the different registered copies of the same VM from different hosts, causing the VM to be orphaned.
Workaround: You must unregister and reregister the orphaned VMs manually within the cluster after the APD recovers.

If you do not manually reregister the orphaned VMs, HA attempts failover of the orphaned VMs, but it might take between 5 to 10 hours depending on when APD recovers.

The overall functionality of the cluster is not affected in these cases and HA will continue to protect the VMs. This is an anomaly in what gets displayed on VC for the duration of the problem.

vSphere Lifecycle Manager Issues

You cannot enable NSX-T on a cluster that is already enabled for managing image setup and updates on all hosts collectively
NSX-T is not compatible with the vSphere Lifecycle Manager functionality for image management. When you enable a cluster for image setup and updates on all hosts in the cluster collectively, you cannot enable NSX-T on that cluster. However, you can deploy NSX Edges to this cluster.

Workaround: Move the hosts to a new cluster that you can manage with baselines and enable NSX-T on that new cluster.
vSphere Lifecycle Manager and vSAN File Services cannot be simultaneously enabled on a vSAN cluster in vSphere 7.0 release
If vSphere Lifecycle Manager is enabled on a cluster, vSAN File Services cannot be enabled on the same cluster and vice versa. In order to enable vSphere Lifecycle Manager on a cluster, which has VSAN File Services enabled already, first disable vSAN File Services and retry the operation. Please note that if you transition to a cluster that is managed by a single image, vSphere Lifecycle Manager cannot be disabled on that cluster.

Workaround: None.
When a hardware support manager is unavailable, vSphere High Availability (HA) functionality is impacted
If hardware support manager is unavailable for a cluster that you manage with a single image, where a firmware and drivers addon is selected and vSphere HA is enabled, the vSphere HA functionality is impacted. You may experience the following errors.
- Configuring vSphere HA on a cluster fails.
- Cannot complete the configuration of the vSphere HA agent on a host: Applying HA VIBs on the cluster encountered a failure.
- Remediating vSphere HA fails: A general system error occurred: Failed to get Effective Component map.
- Disabling vSphere HA fails: Delete Solution task failed. A general system error occurred: Cannot find hardware support package from depot or hardware support manager.
Workaround:
- If the hardware support manager is temporarily unavailable, perform the following steps.
1. Reconnect the hardware support manager to vCenter Server.
2. Select a cluster from the Hosts and Cluster menu.
3. Select the Configure tab.
4. Under Services, click vSphere Availability.
5. Re-enable vSphere HA.
- If the hardware support manager is permanently unavailable, perform the following steps.
1. Remove the hardware support manager and the hardware support package from the image specification
2. Re-enable vSphere HA.
3. Select a cluster from the Hosts and Cluster menu.
4. Select the Updates tab.
5. Click Edit .
6. Remove the firmware and drivers addon and click Save.
7. Select the Configure tab.
8. Under Services, click vSphere Availability.
9. Re-enable vSphere HA.
I/OFilter is not removed from a cluster after a remediation process in vSphere Lifecycle Manager
Removing I/OFilter from a cluster by remediating the cluster in vSphere Lifecycle Manager, fails with the following error message: iofilter XXX already exists. Тhe iofilter remains listed as installed.

Workaround:
1. Call IOFilter API UninstallIoFilter_Task from the vCenter Server managed object (IoFilterManager).
2. Remediate the cluster in vSphere Lifecycle Manager.
3. Call IOFilter API ResolveInstallationErrorsOnCluster_Task from the vCenter Server managed object (IoFilterManager) to update the database.
While remediating a vSphere HA enabled cluster in vSphere Lifecycle Manager, adding hosts causes a vSphere HA error state
Adding one or multiple ESXi hosts during a remediation process of a vSphere HA enabled cluster, results in the following error message: Applying HA VIBs on the cluster encountered a failure.

Workaround: Аfter the cluster remediation operation has finished, perform one of the following tasks.
- Right-click the failed ESXi host and select Reconfigure for vSphere HA.
- Disable and re-enable vSphere HA for the cluster.
While remediating a vSphere HA enabled cluster in vSphere Lifecycle Manager, disabling and re-enabling vSphere HA causes a vSphere HA error state
Disabling and re-enabling vSphere HA during remediation process of a cluster, may fail the remediation process due to vSphere HA health checks reporting that hosts don't have vSphere HA VIBs installed. You may see the following error message: Setting desired image spec for cluster failed.

Workaround: Аfter the cluster remediation operation has finished, disable and re-enable vSphere HA for the cluster.
Checking for recommended images in vSphere Lifecycle Manager has slow performance in large clusters
In large clusters with more than 16 hosts, the recommendation generation task could take more than an hour to finish or may appear to hang. The completion time for the recommendation task depends on the number of devices configured on each host and the number of image candidates from the depot that vSphere Lifecycle Manager needs to process before obtaining a valid image to recommend.

Workaround: None.
Checking for hardware compatibility in vSphere Lifecycle Manager has slow performance in large clusters
In large clusters with more than 16 hosts, the validation report generation task could take up to 30 minutes to finish or may appear to hang. The completion time depends on the number of devices configured on each host and the number of hosts configured in the cluster.

Workaround: None
Incomplete error messages in non-English languages are displayed, when remediating a cluster in vSphere Lifecycle Manager
You can encounter incomplete error messages for localized languages in the vCenter Server user interface. The messages are displayed, after a cluster remediation process in vSphere Lifecycle Manager fails. For example, your can observe the following error message.

The error message in English language: Virtual machine 'VMC on DELL EMC -FileServer' that runs on cluster 'Cluster-1' reported an issue which prevents entering maintenance mode: Unable to access the virtual machine configuration: Unable to access file[local-0] VMC on Dell EMC - FileServer/VMC on Dell EMC - FileServer.vmx

The error message in French language: La VM « VMC on DELL EMC -FileServer », située sur le cluster « {Cluster-1} », a signalé un problème empêchant le passage en mode de maintenance : Unable to access the virtual machine configuration: Unable to access file[local-0] VMC on Dell EMC - FileServer/VMC on Dell EMC - FileServer.vmx

Workaround: None.
Importing an image with no vendor addon, components, or firmware and drivers addon to a cluster which image contains such elements, does not remove the image elements of the existing image
Only the ESXi base image is replaced with the one from the imported image.

Workaround: After the import process finishes, edit the image, and if needed, remove the vendor addon, components, and firmware and drivers addon.
When you convert a cluster that uses baselines to a cluster that uses a single image, a warning is displayed that vSphere HA VIBs will be removed
Converting a vSphere HA enabled cluster that uses baselines to a cluster that uses a single image, may result a warning message displaying that vmware-fdm component will be removed.

Workaround: This message can be ignored. The conversion process installs the vmware-fdm component.
If vSphere Update Manager is configured to download patch updates from the Internet through a proxy server, after upgrade to vSphere 7.0 that converts Update Manager to vSphere Lifecycle Manager, downloading patches from VMware patch repository might fail
In earlier releases of vCenter Server you could configure independent proxy settings for vCenter Server and vSphere Update Manager. After an upgrade to vSphere 7.0, vSphere Update Manager service becomes part of the vSphere Lifecycle Manager service. For the vSphere Lifecycle Manager service, the proxy settings are configured from the vCenter Server appliance settings. If you had configured Update Manager to download patch updates from the Internet through a proxy server but the vCenter Server appliance had no proxy setting configuration, after a vCenter Server upgrade to version 7.0, the vSphere Lifecycle Manager fails to connect to the VMware depot and is unable to download patches or updates.

Workaround: Log in to the vCenter Server Appliance Management Interface, https://vcenter-server-appliance-FQDN-or-IP-address:5480, to configure proxy settings for the vCenter Server appliance and enable vSphere Lifecycle Manager to use proxy.

Miscellaneous Issues

When applying a host profile with version 6.5 to a ESXi host with version 7.0, the compliance check fails
Applying a host profile with version 6.5 to a ESXi host with version 7.0, results in Coredump file profile reported as not compliant with the host.

Workaround: There are two possible workarounds.
1. When you create a host profile with version 6.5, set an advanced configuration option VMkernel.Boot.autoCreateDumpFile to false on the ESXi host.
2. When you apply an existing host profile with version 6.5, add an advanced configuration option VMkernel.Boot.autoCreateDumpFile in the host profile, configure the option to a fixed policy, and set value to false.
Mellanox ConnectX-4 or ConnectX-5 native ESXi drivers might exhibit minor throughput degradation when Dynamic Receive Side Scaling (DYN_RSS) or Generic RSS (GEN_RSS) feature is turned on
Mellanox ConnectX-4 or ConnectX-5 native ESXi drivers might exhibit less than 5 percent throughput degradation when DYN_RSS and GEN_RSS feature is turned on, which is unlikely to impact normal workloads.

Workaround: You can disable DYN_RSS and GEN_RSS feature with the following commands:

# esxcli system module parameters set -m nmlx5_core -p "DYN_RSS=0 GEN_RSS=0"

# reboot
RDMA traffic between two VMs on the same host might fail in PVRDMA environment
In a vSphere 7.0 implementation of a PVRDMA environment, VMs pass traffic through the HCA for local communication if an HCA is present. However, loopback of RDMA traffic does not work on qedrntv driver. For instance, RDMA Queue Pairs running on VMs that are configured under same uplink port cannot communicate with each other.

In vSphere 6.7 and earlier, HCA was used for local RDMA traffic if SRQ was enabled. vSphere 7.0 uses HCA loopback with VMs using versions of PVRDMA that have SRQ enabled with a minimum of HW v14 using RoCE v2.

The current version of Marvell FastLinQ adapter firmware does not support loopback traffic between QPs of the same PF or port.

Workaround: Required support is being added in the out-of-box driver certified for vSphere 7.0. If you are using the inbox qedrntv driver, you must use a 3-host configuration and migrate VMs to the third host.
Unreliable Datagram traffic QP limitations in qedrntv driver
There are limitations with the Marvell FastLinQ qedrntv RoCE driver and Unreliable Datagram (UD) traffic. UD applications involving bulk traffic might fail with qedrntv driver. Additionally, UD QPs can only work with DMA Memory Regions (MR). Physical MRs or FRMR are not supported. Applications attempting to use physical MR or FRMR along with UD QP fail to pass traffic when used with qedrntv driver. Known examples of such test applications are ibv_ud_pingpong and ib_send_bw.

Standard RoCE and RoCEv2 use cases in a VMware ESXi environment such as iSER, NVMe-oF (RoCE) and PVRDMA are not impacted by this issue. Use cases for UD traffic are limited and this issue impacts a small set of applications requiring bulk UD traffic.

Marvell FastLinQ hardware does not support RDMA UD traffic offload. In order to meet the VMware PVRDMA requirement to support GSI QP, a restricted software only implementation of UD QP support was added to the qedrntv driver. The goal of the implementation is to provide support for control path GSI communication and is not a complete implementation of UD QP supporting bulk traffic and advanced features.

Since UD support is implemented in software, the implementation might not keep up with heavy traffic and packets might be dropped. This can result in failures with bulk UD traffic.

Workaround: Bulk UD QP traffic is not supported with qedrntv driver and there is no workaround at this time. VMware ESXi RDMA (RoCE) use cases like iSER, NVMe, RDMA and PVRDMA are unaffected by this issue.
Servers equipped with QLogic 578xx NIC might fail when frequently connecting or disconnecting iSCSI LUNs
If you trigger QLogic 578xx NIC iSCSI connection or disconnection frequently in a short time, the server might fail due to an issue with the qfle3 driver. This is caused by a known defect in the device's firmware.

Workaround: None.
ESXi might fail during driver unload or controller disconnect operation in Broadcom NVMe over FC environment
In Broadcom NVMe over FC environment, ESXi might fail during driver unload or controller disconnect operation and display an error message such as: @BlueScreen: #PF Exception 14 in world 2098707:vmknvmeGener IP 0x4200225021cc addr 0x19

Workaround: None.
ESXi does not display OEM firmware version number of i350/X550 NICs on some Dell servers
The inbox ixgben driver only recognizes firmware data version or signature for i350/X550 NICs. On some Dell servers the OEM firmware version number is programmed into the OEM package version region, and the inbox ixgben driver does not read this information. Only the 8-digit firmware signature is displayed.

Workaround: To display the OEM firmware version number, install async ixgben driver version 1.7.15 or later.
X710 or XL710 NICs might fail in ESXi
When you initiate certain destructive operations to X710 or XL710 NICs, such as resetting the NIC or manipulating VMKernel's internal device tree, the NIC hardware might read data from non-packet memory.

Workaround: Do not reset the NIC or manipulate vmkernel internal device state.
NVMe-oF does not guarantee persistent VMHBA name after system reboot
NVMe-oF is a new feature in vSphere 7.0. If your server has a USB storage installation that uses vmhba30+ and also has NVMe over RDMA configuration, the VMHBA name might change after a system reboot. This is because the VMHBA name assignment for NVMe over RDMA is different from PCIe devices. ESXi does not guarantee persistence.

Workaround: None.
Backup fails for vCenter database size of 300 GB or greater
If the vCenter database size is 300 GB or greater, the file-based backup will fail with a timeout. The following error message is displayed: Timeout! Failed to complete in 72000 seconds

Workaround: None.
A restore of vCenter Server 7.0 which is upgraded from vCenter Server 6.x with External Platform Services Controller to vCenter Server 7.0 might fail
When you restore a vCenter Server 7.0 which is upgraded from 6.x with External Platform Services Controller to vCenter Server 7.0, the restore might fail and display the following error: Failed to retrieve appliance storage list

Workaround: During the first stage of the restore process, increase the storage level of the vCenter Server 7.0. For example if the vCenter Server 6.7 External Platform Services Controller setup storage type is small, select storage type large for the restore process.
Enabled SSL protocols configuration parameter is not configured during a host profile remediation process
Enabled SSL protocols configuration parameter is not configured during a host profile remediation and only the system default protocol tlsv1.2 is enabled. This behavior is observed for a host profile with version 7.0 and earlier in a vCenter Server 7.0 environment.

Workaround: To enable TLSV 1.0 or TLSV 1.1 SSL protocols for SFCB, log in to an ESXi host by using SSH, and run the following ESXCLI command: esxcli system wbem -P <protocol_name>
Unable to configure Lockdown Mode settings by using Host Profiles
Lockdown Мode cannot be configured by using a security host profile and cannot be applied to multiple ESXi hosts at once. You must manually configure each host.

Workaround: In vCenter Server 7.0, you can configure Lockdown Mode and manage Lockdown Mode exception user list by using a security host profile.
When a host profile is applied to a cluster, Enhanced vMotion Compatibility (EVC) settings are missing from the ESXi hosts
Some settings in the VMware config file /etc/vmware/config are not managed by Host Profiles and are blocked, when the config file is modified. As a result, when the host profile is applied to a cluster, the EVC settings are lost, which causes loss of EVC functionalities. For example, unmasked CPUs can be exposed to workloads.

Workaround: Reconfigure the relevant EVC baseline on cluster to recover the EVC settings.
Using a host profile that defines a core dump partition in vCenter Server 7.0 results in an error
In vCenter Server 7.0, configuring and managing a core dump partition in a host profile is not available. Attempting to apply a host profile that defines a core dump partition, results in the following error: No valid coredump partition found.

Workaround: None. In vCenter Server 7.0., Host Profiles supports only file-based core dumps.
If you run the ESXCLI command to unload the firewall module, the hostd service fails and ESXi hosts lose connectivity
If you automate the firewall configuration in an environment that includes multiple ESXi hosts, and run the ESXCLI command esxcli network firewall unload that destroys filters and unloads the firewall module, the hostd service fails and ESXi hosts lose connectivity.

Workaround: Unloading the firewall module is not recommended at any time. If you must unload the firewall module, use the following steps:
1. Stop the hostd service by using the command:
  /etc/init.d/hostd stop.
2. Unload the firewall module by using the command:
  esxcli network firewall unload.
3. Perform the required operations.
4. Load the firewall module by using the command:
  esxcli network firewall load.
5. Start the hostd service by using the command:
  /etc/init.d/hostd start.
vSphere Storage vMotion operations might fail in a vSAN environment due to an unauthenticated session of the Network File Copy (NFC) manager
Migrations to a vSAN datastore by using vSphere Storage vMotion of virtual machines that have at least one snapshot and more than one virtual disk with different storage policy might fail. The issue occurs due to an unauthenticated session of the NFC manager because the Simple Object Access Protocol (SOAP) body exceeds the allowed size.

Workaround: First migrate the VM home namespace and just one of the virtual disks. After the operation completes, perform a disk only migration of the remaining 2 disks.
Changes in the properties and attributes of the devices and storage on an ESXi host might not persist after a reboot
If the device discovery routine during a reboot of an ESXi host times out, the jumpstart plug-in might not receive all configuration changes of the devices and storage from all the registered devices on the host. As a result, the process might restore the properties of some devices or storage to the default values after the reboot.

Workaround: Manually restore the changes in the properties of the affected device or storage.
If you use a beta build of ESXi 7.0, ESXi hosts might fail with a purple diagnostic screen during some lifecycle operations
If you use a beta build of ESXi 7.0, ESXi hosts might fail with a purple diagnostic screen during some lifecycle operations such as unloading a driver or switching between ENS mode and native driver mode. For example, if you try to change the ENS mode, in the backtrace you see an error message similar to: case ENS::INTERRUPT::NoVM_DeviceStateWithGracefulRemove hit BlueScreen: ASSERT bora/vmkernel/main/dlmalloc.c:2733 This issue is specific for beta builds and does not affect release builds such as ESXi 7.0.

Workaround: Update to ESXi 7.0 GA.
You cannot create snapshots of virtual machines due to an error that a digest operation has failed
A rare race condition when an All-Paths-Down (APD) state occurs during the update of the Content Based Read Cache (CBRC) digest file might cause inconsistencies in the digest file. As a result, you cannot create virtual machine snapshots. You see an error such as An error occurred while saving the snapshot: A digest operation has failed in the backtrace.

Workaround: Power cycle the virtual machines to trigger a recompute of the CBRC hashes and clear the inconsistencies in the digest file.
If you upgrade your ESXi hosts to version 7.0 Update 3, but your vCenter Server is of an earlier version, Trusted Platform Module (TPM) attestation of the ESXi hosts fails
If you upgrade your ESXi hosts to version 7.0 Update 3, but your vCenter Server is of an earlier version, and you enable TPM, ESXi hosts fail to pass attestation. In the vSphere Client, you see the warning Host TPM attestation alarm. The Elliptic Curve Digital Signature Algorithm (ECDSA) introduced with ESXi 7.0 Update 3 causes the issue when vCenter Server is not of version 7.0 Update 3.

Workaround: Upgrade your vCenter Server to 7.0 Update 3 or acknowledge the alarm.
You see warnings in the boot loader screen about TPM asset tags
If a TPM-enabled ESXi host has no asset tag set on, you might see idle warning messages in the boot loader screen such as:
Failed to determine TPM asset tag size: Buffer too small Failed to measure asset tag into TPM: Buffer too small

Workaround: Ignore the warnings or set an asset tag by using the command $ esxcli hardware tpm tag set -d
The sensord daemon fails to report ESXi host hardware status
A logic error in the IPMI SDR validation might cause sensord to fail to identify a source for power supply information. As a result, when you run the command vsish -e get /power/hostStats, you might not see any output.

Workaround: None
If an ESXi host fails with a purple diagnostic screen, the netdump service might stop working
In rare cases, if an ESXi host fails with a purple diagnostic screen, the netdump service might fail with an error such as NetDump FAILED: Couldn't attach to dump server at IP x.x.x.x.

Workaround: Configure the VMkernel core dump to use local storage.
You see frequent VMware Fault Domain Manager (FDM) core dumps on multiple ESXi hosts
In some environments, the number of datastores might exceed the FDM file descriptor limit. As a result, you see frequent core dumps on multiple ESXi hosts indicating FDM failure.

Workaround: Increase the FDM file descriptor limit to 2048. You can use the setting das.config.fdm.maxFds from the vSphere HA advanced options in the vSphere Client. For more information, see Set Advanced Options.
Virtual machines on a vSAN cluster with enabled NSX-T and a converged vSphere Distributed Switch (CVDS) in a VLAN transport zone cannot power on after a power off
If a secondary site is 95% disk full and VMs are powered off before simulating a secondary site failure, during recovery some of the virtual machines fail to power on. As a result, virtual machines become unresponsive. The issue occurs regardless if site recovery includes adding disks or ESXi hosts or CPU capacity.

Workaround: Select the virtual machines that do not power on and change the network to VM Network from Edit Settings on the VM context menu.
ESXI hosts might fail with a purple diagnostic screen with an error Assert at bora/modules/vmkernel/vmfs/fs6Journal.c:835
In rare cases, for example when running SESparse tests, the number of locks per transaction in a VMFS datastore might exceed the limit of 50 for the J6_MAX_TXN_LOCKACTIONS parameter. As a result, ESXi hosts might fail with a purple diagnostic screen with an error Assert at bora/modules/vmkernel/vmfs/fs6Journal.c:835.

Workaround: None
If you modify the netq_rss_ens parameter of the nmlx5_core driver, ESXi hosts might fail with a purple diagnostic screen
If you try to enable the netq_rss_ens parameter when you configure an enhanced data path on the nmlx5_core driver, ESXi hosts might fail with a purple diagnostic screen. The netq_rss_ens parameter, which enables NetQ RSS, is disabled by default with a value of 0.

Workaround: Keep the default value for the netq_rss_ens module parameter in the nmlx5_core driver.
ESXi might terminate I/O to NVMeOF devices due to errors on all active paths
Occasionally, all active paths to NVMeOF device register I/O errors due to link issues or controller state. If the status of one of the paths changes to Dead, the High Performance Plug-in (HPP) might not select another path if it shows high volume of errors. As a result, the I/O fails.

Workaround: Disable the configuration option /Misc/HppManageDegradedPaths to unblock the I/O.
Upgrade to ESXi 7.0 Update 3 might fail due to changed name of the inbox i40enu network driver
Starting with vSphere 7.0 Update 3, the inbox i40enu network driver for ESXi changes name back to i40en. The i40en driver was renamed to i40enu in vSphere 7.0 Update 2, but the name change impacted some upgrade paths. For example, rollup upgrade of ESXi hosts that you manage with baselines and baseline groups from 7.0 Update 2 or 7.0 Update 2a to 7.0 Update 3 fails. In most cases, the i40enu driver upgrades to ESXi 7.0 Update 3 without any additional steps. However, if the driver upgrade fails, you cannot update ESXi hosts that you manage with baselines and baseline groups. You also cannot use host seeding or a vSphere Lifecycle Manager single image to manage the ESXi hosts. If you have already made changes related to the i40enu driver and devices in your system, before upgrading to ESXi 7.0 Update 3, you must uninstall the i40enu VIB or Component on ESXi, or first upgrade ESXi to ESXi 7.0 Update 2c.

Workaround: For more information, see VMware knowledge base article 85982.
SSH access fails after you upgrade to ESXi 7.0 Update 3d
After you upgrade to ESXi 7.0 Update 3d, SSH access might fail in certain conditions due to an update of OpenSSH to version 8.8.

Workaround: For more information, see VMware knowledge base article 88055.
USB device passthrough from ESXi hosts to virtual machines might fail
A USB modem device might simultaneously claim multiple interfaces by the VMkernel and block the device passthrough to VMs.
Workaround: You must apply the USB.quirks advanced configuration on the ESXi host to ignore the NET interface from VMkernel and allow the USB modem to passthrough to VMs. You can apply the configuration in 3 alternative ways:
1. Access the ESXi shell and run the following command: esxcli system settings advanced set -o /USB/quirks -s 0xvvvv:0xpppp:0:0xffff:UQ_NET_IGNORE | |- Device Product ID |------- Device Vendor ID
  For example, for the Gemalto M2M GmbH Zoom 4625 Modem(vid:pid/1e2d:005b), you can have the command
  esxcli system settings advanced set -o /USB/quirks -s 0x1e2d:0x005b:0:0xffff:UQ_NET_IGNORE
  Reboot the ESXi host.
2. Set the advanced configuration from the vSphere Client or the vSphere Web Client and reboot the ESXi host.
3. Use a Host Profile to apply the advanced configuration.
For more information on the steps, see VMware knowledge base article 80416.
HTTP requests from certain libraries to vSphere might be rejected
The HTTP reverse proxy in vSphere 7.0 enforces stricter standard compliance than in previous releases. This might expose pre-existing problems in some third-party libraries used by applications for SOAP calls to vSphere.

If you develop vSphere applications that use such libraries or include applications that rely on such libraries in your vSphere stack, you might experience connection issues when these libraries send HTTP requests to VMOMI. For example, HTTP requests issued from vijava libraries can take the following form:
```
POST /sdk HTTP/1.1
SOAPAction
Content-Type: text/xml; charset=utf-8
User-Agent: Java/1.8.0_221
```
The syntax in this example violates an HTTP protocol header field requirement that mandates a colon after SOAPAction. Hence, the request is rejected in flight.

Workaround: Developers leveraging noncompliant libraries in their applications can consider using a library that follows HTTP standards instead. For example, developers who use the vijava library can consider using the latest version of the yavijava library instead.
You might see a dump file when using Broadcom driver lsi_msgpt3, lsi_msgpt35 and lsi_mr3
When using the lsi_msgpt3, lsi_msgpt35 and lsi_mr3 controllers, there is a potential risk to see dump file lsuv2-lsi-drivers-plugin-util-zdump. There is an issue when exiting the storelib used in this plugin utility. There is no impact on ESXi operations, you can ignore the dump file.

Workaround: You can safely ignore this message. You can remove the lsuv2-lsi-drivers-plugin with the following command:

esxcli software vib remove -n lsuv2-lsiv2-drivers-plugin
You might see reboot is not required after configuring SR-IOV of a PCI device in vCenter, but device configurations made by third party extensions might be lost and require reboot to be re-applied.
In ESXi 7.0, SR-IOV configuration is applied without a reboot and the device driver is reloaded. ESXi hosts might have third party extensions perform device configurations that need to run after the device driver is loaded during boot. A reboot is required for those third party extensions to re-apply the device configuration.

Workaround: You must reboot after configuring SR-IOV to apply third party device configurations.

vSphere Client Issues

BIOS manufacturer displays as "--" in the vSphere Client
In the vSphere Client, when you select an ESXi host and navigate to Configure > Hardware > Firmware, you see -- instead of the BIOS manufacturer name.

Workaround: For more information, see VMware knowledge base article 88937.

To collapse the list of previous known issues, click here.