[Guide] VMware vCenter Troubleshooting Guide
Overview
vCenter Troubleshooting Guide
The following Troubleshooting Guide applies to vCenter 8 and above.
Caution!
Create a VM Snapshot of your vCenter before proceeding with any step!
General Troubleshooting
Log files can be accesses trough ssh or bash. SSH login works with the root user or your SSO Admi User (commonly [email protected])
SSH not working
If SSH does not work (eg. due to a networki misconfiguration) you can access the vCenter via bash (VM Remote Console).
At the VM Remote Console press F2 to access your vCenter or press ALT + F1 to access the bash shell.
Services
If you have trouble starting services and the GUI is not working, use service-control with ssh to get all the running services:
1service-control --status
To stop all services
1service-control --stop --all
To start all services:
1service-control --start --all
Log Files
All vCenter Log Files are stored under:
1/var/log/vmware/
2/var/log/vmware/<service_name>
vCenter logs are grouped by component and purpose:
- vpxd.log - Main vCenter Server log for client connections, tasks, and host communication5
- vpxd-profiler.log - Profiled metrics for vCenter operations
- eam.log - ESX Agent Manager logs
- sms.log - Storage Monitoring Service logs
- ls.log - Licensing Services logs
Some key log files and directories include:
- /var/log/vmware/vpxd/vpxd.log - The main vCenter Server log
- /var/log/vmware/vsphere-ui/ - vSphere UI logs
- /var/log/vmware/eam/eam.log - ESX Agent Manager log
- /var/log/vmware/eam/applmgmt.log - Appliance Management Service
Additional Important Logs
- /var/log/vmware/vpostgres/ - VMware Postgres service logs
- /var/log/vmware/vcha/ - vCenter High Availability service logs
- /var/log/vmware/rhttpproxy/ - VMware HTTP Reverse Proxy service logs
- /var/log/vmware/content-library/ - VMware Content Library Service logs
- /var/log/vmware/applmgmt/backup.log - VCSA Backup Log
GUI
vCenter Server logs can be viewed from:
- Home > Administration > System Logs.
Ways to access your vcenter
GUI (VAMI)
'https:// vcenterfqdn :5480'
SSH
Login via SSH (root user or SSO User)
DCUI
Open the VM Remote Console of the vCenter VM (via ESXi) and Press F2. After a successfull login you will be able to edit the config via DCUI.
DCUI can also be opened from ssh.
Bash shell
To Access the Bash Shell: Open the VM Remote Console of the vCenter VM (via ESXi) and Press ALT+F1.
If you need to enable bash shell, do the following first:
- Open the VM Remote Console of the vCenter VM (via ESXi) and Press F2. After a successfull login go to troubleshooting options and enable bash or ssh
Bash shell (Emergency Boot)
Look at here
Networking
Manual Network Config
Run the following command to change Networking Settings from BASH
1/opt/vmware/share/vami/vami_config_net
Alternatively edit the configuration files directly, to change network settings like IP address and netmask
1/etc/systemd/network/10-eth0.network
Example:
1[Match]
2Name=eth0
3
4[Network]
5Address=192.168.1.100/24
6Gateway=192.168.1.1
7DNS=8.8.8.8
8DNS=8.8.4.4
9
10[Route]
11Destination=10.0.0.0/24
12Gateway=192.168.1.254
to modify routing information
1/etc/sysconfig/network/routes
Example
1default 192.168.1.1
210.0.0.0/24 192.168.1.254
3172.16.0.0/16 192.168.1.253
Each line follows this format:
'
or use the builtin DCUI from the bash shell
1dcui
DNS
Manual DNS Config
1vi etc/systemd/resolved.conf
1[Resolve]
2DNS=10.10.10.125
3FallbackDNS=10.10.10.126
4Domains=yourdomain.local
or use the builtin DCUI from the bash shell
1dcui
Flush DNS
1
2systemctl restart systemd–resolved.service
3
4systemctl restart dnsmasq
HTTP Proxy
Log File: /var/log/vmware/rhttpproxy/
To set a HTTP Proxy run:
1/opt/vmware/share/vami/vami_config_net
It is also possible to edit the file directly:
1vi /etc/sysconfig/proxy
Example:
1PROXY_ENABLED="yes"
2
3HTTP_PROXY="http://proxy.example.com:8080"
4HTTPS_PROXY="http://proxy.example.com:8080"
5
6NO_PROXY="localhost, 127.0.0.1, .*.example.com, 192.168.0.0/24, 192.168.1.55"
Certificate Management
Log File: /var/log/vmware/vmcad/certificate-manager.log
Run this command to check certificate expiration dates:
1for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do
2 echo "[*] Store :" $store
3 /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After"
4done
Renew all vCenter Machine Certificates
Generally this should be done of all VMCA Certificates are self-signed and are expired. Later you can change the certificates to named ones from your Enterprise PKI.
Run vCenter Certificate Manager:
1/usr/lib/vmware-vmca/bin/certificate-manager
Choose your desired option. Most commonly option 4 or 8 are used.
This step automatically restarts the vCenter Server services. Additionally, the Name, Hostname, and VMCA values should match the Primary Network Identifier (PNID). The PNID should always match the Hostname.
To get the vCenter PNID:
1/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
VMware Security Token Service (STS) certificate
https://knowledge.broadcom.com/external/article?legacyId=79248
Fix trust issues - lsdoctor
Use the lsdoctor tool from VMware: https://knowledge.broadcom.com/external/article?legacyId=80469
Upload and unzip lsdoctor on vCenter
Check for issues
1python lsdoctor.py -l
to fix trust mismatches
1python lsdoctor.py -t
vSphere HA
Log File: /var/log/fdm.log
vSphere Lifecycle Manager (vLCM)
Log File: /var/log/vmware/vmware-updatemgr/vum-server/vmware-vum-server.log
1cat /var/log/vmware/vmware-updatemgr/vum-server/vmware-vum-server.log | grep "error"
Error cannot sync depot
A usual error is that vCenter is unable to reach vmwaredepot. Check DNS, Firewall and HTTP Proxy Settings. The log file indicated it the following:
1--> "error_type": "ERROR",
2--> "messages": [
3--> {
4--> "args": [],
5--> "default_message": "A depot is inaccessible or has invalid contents. Make sure an official depot source is used and verify connection to the depot.",
6--> "id": "com.vmware.vcIntegrity.lifecycle.depotContent.ValidationError"
7--> }
8--> ]
9--> }"
10--> }
Check if you can access VMware Online Depots, from vCenter run:
1 curl -vvv https://hostupdate.vmware.com
You should see a DigiCert Certificate printed:
1* issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
If not, check with your Firewall Team if they do TLS Intercepts.
Also check your connected depots. Maybe there is a old depot still configured (like a old HPE OneView Instance).
HPE OneView for vCenter
Check
1cat /var/log/vmware/envoy/envoy-access.log | grep "hpe"
If you see some SSL Errors like:
1failed: cURL Error: SSL peer certificate or SSH remote key was not OK, SSL certificate problem: certificate has expired
Verify if the required certs for HPE OneView for vCenter are valid.
Further Troubleshooting Information
Backup and Restore
Backup
Log files:
- /var/log/vmware/applmgmt/backup.log
- /var/log/vmware/applmgmt/backupscheduler.log
- /var/log/vmware/applmgmt/backupschedulercron.log
vCenter Appliance File-Restore
See: VMware Docs
If during a File Level Restore something went run, check your logs at:
/var/log/vmware/applmgmt/restore.log
Restore fails - unable to ssh into machine
If your vCenter Restore has failed and you aren't able to ssh into the machine. Try all the ways to access your vCenter as described in here
vCenter and ESXi
Disconnect ESXi if vCener no longer exists
1cmsso-util unregister --node-pnid vcenter.domain.com --username [[email protected]](mailto:[email protected]) --passwd pw
Forgot Root Password
Simple Method: Login with SSO User
If you forgot your root password or it is expired you can still access the vCenter via GUI or SSH with the SSO Admin User (usually [email protected])
1sudo passwd root
Advanced root password restore
- Emergency boot the vCenter described below
- unlock the root account
1/usr/sbin/faillock --user root --reset
After that you can set a new password
1passwd
Then unmount the filesystem and reboot
1umount /
2reboot -f
Emergency Boot Edit GRUB Bootloader
If you cannot SSH into or open DCUI/Bash Shell (via VM Remote Console) to your vCenter you can access the vCenter without a password the following:
- Access VM Remote Console of the vCenter VM
- Reboot the VM
- press 'e' for emergency mode
- GRUB Bootloader will appear, edit the boot loader the following:
- Append these entries to the end of the line of '...consoleblank=0' with: - 'rw init=/bin/bash'
- Proceed to boot the vCenter VM with pressing F10
- After booting you should be presented with a shell
- run:
1mount -o remount,rw /
After that you can edit configuartion files as needed (in /etc/sysconfig for example)
Make sure you unmount the filesystem and reboot after you have done your configuration
1umount /
2reboot -f