vCenter Server 7.0 Update 2 | 09 MAR 2021 | ISO Build 17694817

Check for additions and updates to these release notes.

What's New

  • vSphere Fault Tolerance supports vSphere Virtual Machine Encryption: Starting with vSphere 7.0 Update 2, vSphere FT supports VM encryption. In-guest and array-based encryption do not depend on or interfere with VM encryption, but having multiple encryption layers uses additional compute resources, which might impact virtual machine performance. The impact varies with the hardware as well as the amount and type of I/O, therefore VMware cannot quantify it, but overall performance impact is negligible for most workloads. The effectiveness and compatibility of back-end storage features such as deduplication, compression, and replication might also be affected by VM encryption and you should take into consideration storage tradeoffs.
     
  • In-product feedback: vCenter Server 7.0 Update 2 introduces an in-product feedback option in the vSphere Client that lets you provide real-time ratings and comments on key VMware vSphere workflows and features.
     
  • New CLI deployment of vCenter Server: With vCenter Server 7.0 Update 2, by using the vCSA_with_cluster_on_ESXi.json template, you can bootstrap a single node vSAN cluster and enable vSphere Lifecycle Manager cluster image management when deploying vCenter Server on an ESXi host. For more information, see JSON Templates for CLI Deployment of the vCenter Server Appliance.
     
  • Parallel remediation on hosts in clusters that you manage with vSphere Lifecycle Manager baselines: With vCenter Server 7.0 Update 2, to reduce the time needed for patching or upgrading the ESXi hosts in your environment, you can enable vSphere Lifecycle Manager to remediate in parallel the hosts within a cluster by using baselines. You can remediate in parallel only ESXi hosts that are already in maintenance mode. You cannot remediate in parallel hosts in a vSAN cluster. For more information, see Remediating ESXi Hosts Against vSphere Lifecycle Manager Baselines and Baseline Groups.
     
  • Improved vSphere Lifecycle Manager error messages: vCenter Server 7.0 Update 2 introduces improved error messages that help you better understand the root cause of issues such as skipped nodes during upgrades and updates, hardware compatibility, or ESXi installation and update as part of the Lifecycle Manager operations.
     
  • Scaled VMware vSphere vMotion operations: Starting with vCenter Server 7.0 Update 2, vSphere vMotion automatically adapts to make full use of high speed networks such as 25 GbE, 40 GbE and 100 GbE with a single vMotion VMkernel interface, up from maximum 10 GbE in previous releases. For more information, see Networking Best Practices for vSphere vMotion and the vMotion Improvements in vSphere 7 blog.
     
  • Increased scalability with vSphere Lifecycle Manager: With vCenter Server 7.0 Update 2, scalability for vSphere Lifecycle Manager operations with ESXi hosts and clusters increases from 280 to up to 400 supported ESXi hosts managed by a vSphere Lifecycle Manager image.
     
  • Upgrade and migration from NSX-T-managed Virtual Distributed Switches to vSphere Distributed Switches: By using vSphere Lifecycle Manager baselines, you can upgrade your system to vSphere 7.0 Update 2 and simultaneously migrate from NSX-T-managed Virtual Distributed Switches to vSphere Distributed Switches for clusters enabled with VMware NSX-T Data Center. For more information, see Using vSphere Lifecycle Manager to Migrate an NSX-T Virtual Distributed Switch to a vSphere Distributed Switch.
     
  • Create new clusters by importing the desired software specification from a single reference host: With vCenter Server 7.0 Update 2, you can import the desired software specification from a single reference host when you create a new cluster. This saves the time and effort of making sure that all necessary components and images are available in the vSphere Lifecycle Manager depot beforehand. You do not compose or validate a new image, because during image import vSphere Lifecycle Manager extracts the software specification from the reference host, as well as the software depot associated with the image, into the vCenter Server instance where you create the cluster. You can import an image from an ESXi host that is in the same or a different vCenter Server instance. You can also import an image from an ESXi host that is not managed by vCenter Server, move the reference host to the cluster, or use the image on the host and seed it to the new cluster without moving the host. For more information, see Create a Cluster That Uses a Single Image by Importing an Image from a Host.
     
  • Enable vSphere with Tanzu on a cluster managed by the vSphere Lifecycle Manager: As a vSphere administrator, you can enable vSphere with Tanzu on vSphere clusters that you manage with a single VMware vSphere Lifecycle Manager image. You can then use the Supervisor Cluster while it is managed by vSphere Lifecycle Manager. For more information, see Working with vSphere Lifecycle Manager.
     
  • vSphere Lifecycle Manager fast upgrades: Starting with vSphere 7.0 Update 2, you can configure vSphere Lifecycle Manager to suspend virtual machines to memory instead of migrating them, powering them off, or suspending them to disk. For more information, see Configuring vSphere Lifecycle Manager for Fast Upgrades.
     
  • Confidential vSphere Pods on a Supervisor Cluster in vSphere with Tanzu: Starting with vSphere 7.0 Update 2, you can run confidential vSphere Pods, keeping guest OS memory encrypted and protected against access from the hypervisor, on a Supervisor Cluster in vSphere with Tanzu. You can configure confidential vSphere Pods by adding Secure Encrypted Virtualization-Encrypted State (SEV-ES) as an extra security enhancement. For more information, see Deploy a Confidential vSphere Pod.
     
  • For VMware vSphere with Tanzu updates, see VMware vSphere with Tanzu Release Notes.

Earlier Releases of vCenter Server 7.0

New features, resolved, and known issues of vCenter Server are described in the release notes for each release. Release notes for earlier releases of vCenter Server 7.0 are:

For internationalization, compatibility, installation, upgrade, open source components and product support notices, see the VMware vSphere 7.0 Release Notes.

Patches Contained in This Release

This release of vCenter Server 7.0 Update 2 delivers the following patch. See the VMware Patch Download Center for more information on downloading patches.

Patch for VMware vCenter Server 7.0 Update 2

Product Patch for vCenter Server containing VMware software fixes, security fixes, and third-party product fixes.

This patch is applicable to vCenter Server.

Download Filename: VMware-vCenter-Server-Appliance-7.0.2.00000-17694817-patch-FP.iso
Build: 17694817
Download Size: 5572.6 MB
md5sum: 60fcfd67ed2475e3520966f443f92854
sha1checksum: 85d7e0dc2162cf15a62ce8b92aded955bea3060c

Download and Installation

You can download this patch by going to the VMware Patch Download Center and selecting VC from the Select a Product drop-down menu.

  1. Attach the VMware-vCenter-Server-Appliance-7.0.2.00000-17694817-patch-FP.iso file to the vCenter Server CD or DVD drive.
  2. Log in to the appliance shell as a user with super administrative privileges (for example, root) and run the following commands:
    • To stage the ISO:
      software-packages stage --iso
    • To see the staged content:
      software-packages list --staged
    • To install the staged rpms:
      software-packages install --staged

For more information on using the vCenter Server shells, see VMware knowledge base article 2100508.

For more information on patching vCenter Server, see Patching the vCenter Server Appliance.

For more information on staging patches, see Stage Patches to vCenter Server Appliance.

For more information on installing patches, see Install vCenter Server Appliance Patches.

For more information on patching using the Appliance Management Interface, see Patching the vCenter Server by Using the Appliance Management Interface.

Product Support Notices

  • Deprecation of SSPI, CAC and RSA: In a future major vSphere release, VMware plans to discontinue support for Windows Session Authentication (SSPI) used as part of the Enhanced Authentication Plug-in, Smart Card support, and RSA SecurID for vCenter Server. In place of SSPI, Smart Card, or RSA SecurID, users and administrators can configure and use Identity Federation with a supported Identity Provider to sign in to their vCenter Server system.
     
  • Deprecation of vSphere 6.0 to 6.7 REST APIs: VMware deprecates REST APIs from vSphere 6.0 to 6.7 that were served under /rest and are referred to as old REST APIs. With vSphere 7.0 Update 2, REST APIs are served under /api and referred to as new REST APIs. For more information, see the blog vSphere 7 Update 2 - REST API Modernization and vSphere knowledge base article 83022.
     
  • Removal of SHA1 from Secure Shell (SSH): In vSphere 7.0 Update 2, the SHA-1 cryptographic hashing algorithm is removed from the SSHD default configuration.
     
  • Intent to deprecate SHA-1: The SHA-1 cryptographic hashing algorithm will be deprecated in a future release of vSphere. SHA-1 and the already-deprecated MD5 have known weaknesses, and practical attacks against them have been demonstrated.
     
  • Support for Federal Information Processing Standards (FIPS): FIPS will be added to and enabled by default in vCenter Server in a future release of vSphere. FIPS support is also available but not enabled by default in vCenter Server 7.0 Update 2, and can be enabled by following the steps described in vCenter Server and FIPS.
     
  • Client plug-ins compliance with FIPS: In a future vSphere release, all client plug-ins for vSphere must become compliant with the Federal Information Processing Standards (FIPS). When FIPS is enabled by default in the vCenter Server, you cannot use local plug-ins that do not conform to the standards. For more information, see Preparing Local Plug-ins for FIPS Compliance.
     
  • PowerCLI support for updating vSphere Native Key Providers: PowerCLI support for updating vSphere Native Key Providers will be added in an upcoming PowerCLI release. For more information, see VMware knowledge base article 82732.
  • Site Recovery Manager 8.4 and vSphere Replication 8.4 support: If virtual machine encryption is switched on, Site Recovery Manager 8.4 and vSphere Replication 8.4 do not support vSphere 7.0 Update 2.
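
A check for the "Removal of SHA1 from Secure Shell (SSH)" notice above, added here as an example and not VMware code: it reads effective sshd settings in the format printed by `sshd -T` and lists every SHA-1 based algorithm that is still offered. The sample configurations and function names are constructed for illustration; treating `ssh-rsa` and `ssh-dss` as SHA-1 signature schemes follows the SSH protocol definitions, not this page.

```sh
#!/bin/sh
# Added example (not VMware code): list SHA-1 based algorithms in sshd settings.
# Input: one "keyword value[,value...]" pair per line, as printed by `sshd -T`.

# Constructed sample: a legacy configuration that still offers SHA-1.
SAMPLE_LEGACY='port 22
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1
macs hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com
hostkeyalgorithms ssh-ed25519,ssh-rsa
ciphers aes256-gcm@openssh.com'

# Constructed sample: a configuration with no SHA-1 entries.
SAMPLE_CLEAN='port 22
kexalgorithms curve25519-sha256,diffie-hellman-group16-sha512
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512
hostkeyalgorithms ssh-ed25519,rsa-sha2-512
ciphers aes256-gcm@openssh.com'

# Print "keyword algorithm" for every SHA-1 based entry read from stdin.
find_sha1_algos() {
  awk '
    BEGIN {
      n = split("kexalgorithms macs hostkeyalgorithms pubkeyacceptedalgorithms pubkeyacceptedkeytypes", k, " ")
      for (i = 1; i <= n; i++) audited[k[i]] = 1
    }
    {
      key = tolower($1)
      if (!(key in audited)) next
      count = split($2, algo, ",")
      for (i = 1; i <= count; i++) {
        # Names containing "sha1" cover KEX and MAC entries; ssh-rsa and
        # ssh-dss are public key signature schemes that hash with SHA-1.
        if (algo[i] ~ /sha1/ || algo[i] == "ssh-rsa" || algo[i] == "ssh-dss") {
          print key, algo[i]
        }
      }
    }'
}

# Return 0 when no SHA-1 entry is present, 1 otherwise (findings go to stdout).
audit_sshd_sha1() {
  findings=$(find_sha1_algos)
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  return 0
}

# Demo on the constructed samples. On a live system, run as root:
#   sshd -T | audit_sshd_sha1
printf '%s\n' "$SAMPLE_LEGACY" | audit_sshd_sha1 || echo "legacy sample: SHA-1 still offered"
printf '%s\n' "$SAMPLE_CLEAN" | audit_sshd_sha1 && echo "clean sample: no SHA-1 algorithms"
```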

Resolved Issues

The resolved issues are grouped as follows.

Networking Issues
  • NEW: Some VMs that are migrated by using vSphere vMotion might lose network connectivity during the upgrade of NSX Manager nodes

    During the upgrade of NSX UA nodes, some VMs might be migrated by DRS and lose network connectivity after the migration.

    This issue is resolved in this release.

Server Configuration Issues
  • NEW: If the identity source is configured as Integrated Windows Authentication (IWA), a vCenter Server system with frequent Active Directory authentications might become unresponsive

    If the identity source is configured as IWA, frequent lookups during Active Directory authentications might cause a deadlock. As a result, a vCenter Server system with frequent Active Directory authentications might become unresponsive.

    This issue is resolved in this release.

Installation, Upgrade, and Migration Issues
  • Upgrading vCenter Server using the CLI incorrectly preserves the Transport Layer Security (TLS) configuration for the vSphere Authentication Proxy service

    If the vSphere Authentication Proxy service (vmcam) is configured to use a particular TLS protocol other than the default TLS 1.2 protocol, this configuration is preserved during the CLI upgrade process. By default, vSphere supports the TLS 1.2 encryption protocol. If you must use the TLS 1.0 and TLS 1.1 protocols to support products or services that do not support TLS 1.2, use the TLS Configurator Utility to enable or disable different TLS protocol versions.

    This issue is resolved in this release.

Virtual Machines Management Issues
  • Importing or deploying local OVF files containing non-ASCII characters in their name might fail with an error

    When you import local .ovf files containing non-ASCII characters in their name, you might receive a 400 Bad Request error. When you use such .ovf files to deploy a virtual machine in the vSphere Client, the deployment process stops at 0%. As a result, you might receive a 400 Bad Request error or a 500 Internal Server Error.

    This issue is resolved in this release.

Miscellaneous Issues
  • The Actions drop-down menu does not contain any items when your browser is set to a language other than English

    When your browser is set to a language other than English and you click the Switch to New View button from the virtual machine Summary tab of the vSphere Client inventory, the Actions drop-down menu in the Guest OS panel does not contain any items.

    This issue is resolved in this release.

Security Issues
  • Update to the Python library

    The Python library is updated to version 3.8.3.

Known Issues

The known issues are grouped as follows.

Backup and Restore Issues
  • NEW: Stage 2 of the vCenter Server restore process remains at around 90% in the interface

    If you use the vCenter Server Interface to perform a file-based backup of your vCenter Server system, stage 2 of the restore process might never complete. After you log in to the vCenter Server for stage 2 of the restore process, in the Restore – Stage 2: Restore Progress window, you see an error Unable to authenticate user and post restore operations at around 90%. The restore completes, but the interface does not correctly report the progress. You can see the completed restore operation by using the Virtual Appliance Management Infrastructure.

    Workaround: None

Security Issues
  • Remote HTTPS servers might not send the HTTP Strict-Transport-Security response header (HSTS) on ports 5480 and 5580

    In some environments, remote HTTPS servers running on ports 5480 and 5580 might not return HSTS.

    Workaround: None

  • If you do not add the AD FS root certificate to the Trusted Root Certificates Store, AD FS logins fail after updates to vCenter Server 7.0 Update 2

    If you imported a self-signed root CA certificate to the JRE truststore in vSphere 7.0, but did not register the certificate to the Trusted Root Certificates Store (also called the VMware Endpoint Certificate Store, or VECS), AD FS logins fail after updates to vCenter Server 7.0 Update 2.

    Workaround: Follow the steps described in Use the Trusted Root Certificates Store Instead of the JRE truststore. For more information, see VMware knowledge base article 81807.
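
A way to confirm whether a given system is affected by the HSTS known issue on ports 5480 and 5580, added here as an example and not VMware code: `hsts_status` classifies the `Strict-Transport-Security` header in a block of response headers, and `check_hsts_ports` applies it to both ports. The sample responses, the function names and the host argument are constructed for illustration.

```sh
#!/bin/sh
# Added example (not VMware code): classify the HSTS header in an HTTP response.

# Constructed sample: response headers that include HSTS.
SAMPLE_WITH_HSTS='HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
'
# Constructed sample: response headers without HSTS.
SAMPLE_NO_HSTS='HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: DENY
'

# Read raw response headers on stdin and print one of:
#   "ok <max-age>"  header present with max-age > 0
#   "disabled"      header present with max-age=0 (tells browsers to drop HSTS)
#   "malformed"     header present without a numeric max-age
#   "missing"       header absent
hsts_status() {
  tr -d '\r' | awk '
    BEGIN { state = "missing" }
    /^$/ { exit }    # a blank line ends the header block
    tolower($0) ~ /^strict-transport-security[ \t]*:/ {
      value = tolower($0)
      sub(/^[^:]*:/, "", value)
      state = "malformed"
      n = split(value, part, ";")
      for (i = 1; i <= n; i++) {
        gsub(/[ \t"]/, "", part[i])
        if (part[i] ~ /^max-age=[0-9]+$/) {
          age = substr(part[i], 9) + 0
          state = (age > 0) ? "ok " age : "disabled"
        }
      }
      exit
    }
    END { print state }'
}

# Probe the two ports named in the known issue. Needs network access and curl.
# -k skips certificate validation so that self-signed appliances still answer.
check_hsts_ports() {
  host=$1
  for port in 5480 5580; do
    headers=$(curl -skI --max-time 10 "https://$host:$port/") || headers=''
    if [ -z "$headers" ]; then
      echo "$host:$port unreachable"
    else
      echo "$host:$port $(printf '%s\n' "$headers" | hsts_status)"
    fi
  done
}

# Demo on the constructed samples. On a live system: check_hsts_ports <vcenter-fqdn>
printf '%s\n' "$SAMPLE_WITH_HSTS" | hsts_status
printf '%s\n' "$SAMPLE_NO_HSTS" | hsts_status
```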

Networking Issues
  • Large vSphere environments might take long to sync on cloud with VMware NSX Advanced Load Balancer Controller

    vSphere environments with more than 2,000 ESXi hosts and 45,000 virtual machines might take as much as 2 hours to sync on cloud by using an NSX Advanced Load Balancer Controller.

    Workaround: None

Storage Issues
  • You cannot register Dell EMC Unity 500 or 600 vSphere API for Storage Awareness (VASA) provider to a vCenter Server system

    Attempts to register a Dell EMC Unity 500 or 600 VASA provider to a vCenter Server system from Configure > Security > Storage Providers persistently fail with an error. In the vSphere Client, you see the message A problem was encountered while provisioning a VMware Certificate Authority (VMCA) signed certificate for the provider. The issue occurs in both fresh installations and upgraded environments.

    Workaround:

    1. If the Unity 500 or 600 VASA provider is already registered with a version of vCenter Server earlier than 7.0 Update 2 and registration with vCenter Server 7.0 Update 2 fails:
      • List all the certificates. For example:
        # uemcli -d <unity500 or 600 host address> -u <username> -p <password> /sys/cert -service VASA_HTTP show -detail
        1: ID = vasa_http-vc1-servercert-1
        2: ID = vasa_http-vc1-cacert-1
        3: ID = vasa_http-vc1-cacert-2
      • Remove the first CA root certificate by using the command:
        # uemcli -d <unity500 or 600 host address> -u <username> -p <password> /sys/cert -id vasa_http-vc1-cacert-1 delete
      • Register the Dell EMC Unity 500 or 600 VASA provider.
         
    2. If you register Unity 500 or 600 VASA provider for the first time with vCenter Server 7.0 Update 2 and the registration fails:
      • Retry the registration of the EMC Unity 500 or 600 VASA provider.
      • If the operation fails, complete the following steps on the arrays:
        • List all the certificates. For example:
          # uemcli -d <unity500 or 600 host address> -u <username> -p <password> /sys/cert -service VASA_HTTP show -detail
          1: ID = vasa_http-vc1-servercert-1
          2: ID = vasa_http-vc1-cacert-1
          3: ID = vasa_http-vc1-cacert-2
        • Remove the first CA root certificate by using the command:
          # uemcli -d <unity500 or 600 host address> -u <username> -p <password> /sys/cert -id vasa_http-vc1-cacert-1 delete
      • Register the Dell EMC Unity 500 or 600 VASA provider.

    For more information, see Register Storage Providers.

Installation, Upgrade and Migration Issues
  • Patching to vCenter Server 7.0 Update 1 and later from earlier versions of vCenter Server 7.x is blocked when vCenter Server High Availability is enabled

    Patching to vCenter Server 7.0 Update 1 and later from earlier versions of vCenter Server 7.x is blocked when vCenter Server High Availability is active.

    Workaround: To patch your system to vCenter Server 7.0 Update 1 and later from earlier versions of vCenter Server 7.x, you must remove vCenter Server High Availability and delete the passive and witness nodes. After the upgrade, you must re-create your vCenter Server High Availability clusters.

  • Pre-upgrade check fails with Error in method invocation [Errno 1] Unknown host

    When you attempt to upgrade your IPv6 environment to vCenter Server 7.0 Update 2 from vCenter Server 6.5.x or vCenter Server 6.7.x by using the GUI installer, the pre-check might fail with a message such as Error in method invocation [Errno 1] Unknown host.

    Workaround: Make sure that the source vCenter Server and ESXi can successfully run an nslookup (reverse IP address lookup) to verify that the appropriate host name is associated with the provided IP address.

  • The netdump service does not listen to port 6500 after an update to vCenter Server 7.0 Update 2 from an earlier 7.x release

    After you update your environment to vCenter Server 7.0 Update 2 from an earlier 7.x release, the netdump service stops listening to port 6500 and you see no ESXi dump data.

    Workaround: Open the /etc/sysconfig/netdumper file and modify the NETDUMPER_PORT property to NETDUMPER_PORT=6500. Restart the netdump service by using the command service-control --restart netdumper.
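
The workaround above as a repeatable script, added here as an example and not taken from VMware: it sets the property only when needed, keeps a backup of the original file and rejects a non-numeric port. The function names and the OTHER_SETTING filler key are made up for illustration; the file path, property and restart command are the ones given in the workaround.

```sh
#!/bin/sh
# Added example (not VMware code): apply the NETDUMPER_PORT workaround idempotently.

# Set NETDUMPER_PORT in the given file. Prints "unchanged", "updated" or "added".
# Returns 1 if the file is missing and 2 if the port is not a number.
set_netdumper_port() {
  file=$1
  port=${2:-6500}
  case $port in
    ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;;
  esac
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }

  # Nothing to do when the property already has the wanted value.
  if grep -q "^NETDUMPER_PORT=$port\$" "$file"; then
    echo "unchanged"
    return 0
  fi

  # Keep the original next to the edited file before touching it.
  cp -p "$file" "$file.bak"
  if grep -q '^NETDUMPER_PORT=' "$file"; then
    sed "s/^NETDUMPER_PORT=.*/NETDUMPER_PORT=$port/" "$file.bak" > "$file"
    echo "updated"
  else
    # Make sure the appended line does not join an unterminated last line.
    [ -z "$(tail -c 1 "$file")" ] || echo >> "$file"
    printf 'NETDUMPER_PORT=%s\n' "$port" >> "$file"
    echo "added"
  fi
}

# Demo on a constructed copy of the file; OTHER_SETTING is a made-up filler key.
demo_netdumper_fix() {
  tmp=$(mktemp)
  printf 'OTHER_SETTING=value\nNETDUMPER_PORT=0\n' > "$tmp"
  set_netdumper_port "$tmp" 6500   # first run rewrites the property
  set_netdumper_port "$tmp" 6500   # second run finds nothing to change
  cat "$tmp"
  rm -f "$tmp" "$tmp.bak"
}
demo_netdumper_fix

# On the appliance, as root:
#   set_netdumper_port /etc/sysconfig/netdumper 6500 && service-control --restart netdumper
```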

Virtual Machines Management Issues
  • You cannot create a vSAN or vCenter Lifecycle Manager cluster during vCenter Server deployment in a pure IPv6 environment

    vSAN or vCenter Lifecycle Manager cluster configuration by using an IP fails during vCenter Server deployment in a pure IPv6 environment.

    Workaround: Use FQDN instead of an IP to configure a vSAN or a vCenter Lifecycle Manager cluster. Alternatively, you can use an IPv4 infrastructure.
     

Miscellaneous Issues
  • Concurrent Cloud Native Storage (CNS) API calls might cause an error in the (vim.vslm.vcenter.VStorageObjectManager) update metadata task

    In rare cases, the CnsAttachVolume(attach) and CnsUpdateVolumeMetadata(updateVolumeMetadata) methods of the API for managing the lifecycle of container volumes, (vim.cns.VolumeManager), might race on the same volume. As a result, the update metadata task of the (vim.vslm.vcenter.VStorageObjectManager) method, updateVstorageObjectMetadataEx, might fail with an error in the vSphere Client. However, you can ignore the error, because the Kubernetes Container Storage Interface (CSI) driver retries the operation.

    Workaround: None 

  • If you enable Federal Information Processing Standards (FIPS) on a vCenter Server with vCenter Server High Availability configured, the FIPS flag does not persist after a failover

    If you enable FIPS on a vCenter Server after upgrading to vCenter Server 7.0 Update 2, and vCenter Server High Availability is configured, the FIPS flag does not persist after a failover, because the flag is not automatically replicated from active to passive nodes.

    Workaround: Run the Enable Global FIPS mode for each of the active and passive nodes. For more information, see Update Security Global FIPS.

  • Cleanup after testing a recovery plan by using VMware Site Recovery Manager 8.3.1.1 fails with a remote server connection error

    If you test a recovery plan on multiple protection groups and recovery points by using Site Recovery Manager 8.3.1.1 in a vCenter Server 7.0 Update 2 environment, the cleanup operation after the test might fail with a remote server connection error. In the backtrace, you see an error such as The connection to the remote server is down. Operation timed out: 300 seconds.

    Workaround: Upgrade to Site Recovery Manager 8.4.

  • Adding an Active Directory Federation Services (AD FS) as an external identity provider stops with an HTTP response code: 503 error

    When you click Finish in the workflow for adding an Active Directory Federation Services (AD FS) as an external identity provider in a vCenter Server system, the operation might stop with an HTTP response code: 503 error in the vSphere Client.

    Workaround: Click Finish one more time. The operation completes successfully.

vCenter Server and vSphere Client Issues
  • NEW: You cannot refresh storage provider certificates from the vSphere Client

    In the vSphere Client, when you navigate to Configure > Storage Providers, you see the option Refresh certificate dimmed.

    Workaround: Unregister any storage provider with an expiring certificate from your vCenter Server system and then register the provider again to renew the certificate. For more information, refer to Manage Storage Providers.

  • You do not see progress on vSphere Lifecycle Manager and vSphere with VMware Tanzu tasks in the vSphere Client

    In a mixed version vCenter Server 7.0 Update 1 and Update 2 transitional environment with Enhanced Linked Mode enabled, tasks such as image, host or hardware compliance checks that you trigger from the vSphere Client might show no progress, while the tasks actually run.

    Workaround: Use the respective version of the vSphere Client to manage your environment. For example, use vSphere Client 7.0 Update 1 to manage your vCenter Server 7.0 Update 1 inventory and vSphere Client 7.0 Update 2 to manage your vCenter Server 7.0 Update 2 inventory.

Known Issues from Prior Releases

To view a list of previous known issues, click here.
