VMworld 2016 US report part 2

Ok, so in part 1 I stopped after the Partner General Session. After lunch I wanted to do some labs but the queue was really awful, so I decided to attend a group discussion about vCloud Air or mobile management in general. I got some good info on the view about this from the US people while I managed to spice it up now and then with things we Dutchies like or don’t like.

Monday was the first real day of VMworld. During the keynote VMware Cloud Foundation was announced, but I don’t think I will use this multi cloud management platform in the near future. After this it was time to prepare for my vBrownbag session. I was really nervous and went over my stuff way too fast, so I was done in 6 minutes or something. If you want you can find it here.

In the afternoon I had 2 awesome sessions: enforcing a vSphere cluster design with PowerCLI by Duncan Epping and Chris Wahl, and after that an ask the experts session about VDI, which were both just awesome. I finished the day at the CXI Party on the 59th floor of the Cosmopolitan with a great view.


VMworld 2016 US report part 1

Right now I am sitting in the Partner Exchange lounge and since I have some time at hand it might be time for a short message from the US. Since this is my first VMworld and my first time in the USA, I have to admit I am really in awe of everything over here. Everything is just so big.

Now about VMworld itself: yesterday I was in a vRealize Automation bootcamp for the whole day and really liked it. It seems to be very complicated, but after you create the blueprints everything will be easy (really?). I do see the advantages that are to be gained, so it was nice. In the end we went over all exam questions as a group before most of us did the exams. I managed to pass the first, but with the 2nd one I really started to get tired, so I guess I’ll need to do that again. We do have 99 times to try it, so it’ll be good.

Now to the Sunday morning. I had 2 deepdive sessions: one about EUC & NSX and the other one about App Volumes. Both were not as deep as I expected, but a lot of knowledge was gained in those 2 hours. After that we had the Partner General Session, where wounded warrior Pat Gelsinger had a nice chat with Michael Dell and we had some information on stuff that is coming in the near future.

If I made some typos in this: they were on purpose or I blame the fact that I am still getting used to the time difference 😀

vExpert 2016

Last Friday I received word that I was added as vExpert in the 2nd batch of 2016. After several people nudged me to apply for this I went ahead, but I never expected to be chosen. vExpert is no technical title but more of an award for people who have done things for the VMware community, like speaking at VMUGs (which I did but failed at), blogging, tweeting and being an advocate for it with your employer or customers. I never did the things I did last year for this goal, but it’s an awesome acknowledgement.

I hope to be able to keep contributing to this awesome community and will do so as long as I have content. The first thing will be speaking at the vBrownbag sessions at VMworld US 2016!


Login Monitor Script & Check MK

Last night Paul Grevink posted a nice post about the basic setup for Check MK and I am really looking forward to the rest of the series. At my current customer we are also using Check MK, so I decided to use the script I made for the VMware Logon Monitor fling to give output usable for Check MK. At first I was messing with the plugin folder in the Check MK folder on the Windows server hosting the txt files, but a colleague pointed me at the local folder. The big difference is that with the local folder Check MK directly uses the output, while with the plugin folder it needs another Python file on the Check MK server to use the data.

The script:

As you can see I am not only using the average logon time as before, I also count the number of logons in the time window in which we measure this. Of course you can create lots more data to use in Check MK this way.

The output I create:

  • The first digit is the status: 0 for OK, 1 for warning and 2 for critical.
  • After that comes the service name that shows in Check MK.
  • Then come the 2 numbers we created, each with its own description, separated by |. This is used by Check MK to create a diagram.
  • Then, separated by a space (and after this you can use spaces), the text that will show in Check MK.

The result:

[Screenshot of the result in Check MK]

The diagram:

[Screenshot of the diagram in Check MK]

Installed the VMware Logon monitor, now what? Let’s make a script!

A while back VMware released the Logon Monitor fling. I thought this was a very useful expansion of our toolkit.

So I decided to fling it into our golden image to see how it behaves. After playing around with it, it now writes the log files away to a share, so in case we have some logon issues we might be able to find what is going on. It has been running for a couple of weeks now and we haven’t had any issues yet.

But when do you have logon issues? Most of the time you hear about this when users start calling. Wouldn’t it be great if you could already be searching when they call, if they call at all? I decided to write a script that reads the logon time from all text files from the last 15 minutes and makes an average out of it. As usual it ain’t fancy at all but seems to be speedy and does the trick for me.

Again nothing fancy about this script, it just displays the average value and since we use Nagios it can use this directly. You can do anything you want with it, add stuff, use other info. I might even make a bigger script to be able to output anything usable from this nice little fling.
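One way to write what the two posts above describe: average the logon times from the log files of the last 15 minutes and emit them as a Check MK local check line. This is an added example, not the author's script. The `Logon Time: <n> seconds` log line, the service name, the thresholds and the function name are assumptions; numbers are parsed and formatted with the invariant culture so a server with a decimal-comma locale does not break the performance data.

```powershell
# Added example, not the author's script.
# Assumptions: logs are *.txt files containing "Logon Time: <n> seconds";
# service name, thresholds and function name are made up for illustration.
function Get-LogonCheckLine {
    param(
        [Parameter(Mandatory = $true)][string]$LogPath,
        [int]$WindowMinutes = 15,
        [double]$WarnSeconds = 30,
        [double]$CritSeconds = 60
    )
    $inv   = [cultureinfo]::InvariantCulture
    $since = (Get-Date).AddMinutes(-$WindowMinutes)

    # Only files written inside the window count; parse with the invariant
    # culture so "23.45" is read correctly on a decimal-comma locale.
    $times = @(Get-ChildItem -Path $LogPath -Filter *.txt |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $since } |
        Select-String -Pattern 'Logon Time:\s*(\d+(\.\d+)?)\s*seconds' |
        ForEach-Object { [double]::Parse($_.Matches[0].Groups[1].Value, $inv) })

    # No logons in the window is not an error: report 0 instead of dividing by zero.
    $count = $times.Count
    $avg   = if ($count -gt 0) { ($times | Measure-Object -Average).Average } else { 0.0 }

    $status = if ($avg -ge $CritSeconds) { 2 } elseif ($avg -ge $WarnSeconds) { 1 } else { 0 }
    $label  = @('OK', 'WARNING', 'CRITICAL')[$status]
    $avgTxt = $avg.ToString('0.00', $inv)

    # <status> <service name> <metric=value;warn;crit|metric=value> <free text>
    '{0} VMware_Logon_Time avg_logon={1};{2};{3}|logons={4} {5} - average logon time {1}s over {4} logons in the last {6} minutes' -f `
        $status, $avgTxt, $WarnSeconds.ToString($inv), $CritSeconds.ToString($inv), $count, $label, $WindowMinutes
}

# Constructed sample data so the example runs without the fling installed.
$dir = Join-Path ([IO.Path]::GetTempPath()) ('logonmon-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
'2016-08-11T21:00:01 INFO Logon Time: 20.50 seconds'  | Set-Content (Join-Path $dir 'user1.txt')
'2016-08-11T21:05:12 INFO Logon Time: 45.50 seconds'  | Set-Content (Join-Path $dir 'user2.txt')
'2016-08-11T19:40:47 INFO Logon Time: 300.00 seconds' | Set-Content (Join-Path $dir 'old.txt')
(Get-Item (Join-Path $dir 'old.txt')).LastWriteTime = (Get-Date).AddHours(-1)

Get-LogonCheckLine -LogPath $dir   # old.txt falls outside the 15-minute window
Remove-Item $dir -Recurse
```

In production the sample-data lines at the bottom are replaced by a single call with the path of the share the fling writes to.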

Back to basics: Daily checks

Something I still hear a lot is that system engineers take their vSphere environment for granted and hardly check anything on a daily basis. I always point them at Alan Renouf’s brilliant health check script. While there are other ways to get your daily dose of health, this one still rocks for me. You can remove unwanted plugins or make different selections of plugins for daily, weekly or monthly checks. Now and then I still hear of people that had issues because of snapshots, and there is no need for that anymore and hasn’t been for years! This script has saved me lots of times already, and it helped me get management support for limiting other people’s access to the environment because they had no idea what they were doing.

Example of the output you can get:

[Screenshot of the vCheck output]

#VMworld here I come

Earlier this year my boss agreed to let me go to VMworld this year. Finally my VMworld virginity will be taken. Although I am from The Netherlands he also let me choose where to go, Barcelona or Vegas, and since I have visited neither I decided to go for Vegas. I am really looking forward to this although I expect to be flabbergasted a lot!

Schedule

I will be flying out on Friday August 26th and back on Friday September 2nd. Saturday and Sunday the 27th-28th of August the menu consists of the Partner Exchange and maybe some free time Saturday evening. From Monday the 29th (my birthday!) it will be time for the real event: VMworld itself. My expectations are that in the evenings I will be dead beat from all the gained knowledge, but I will try to visit some parties here and there. I have no idea yet how I get there or how that goes, but Tuesday the 30th it’s time for the big VMworld party, this year starring Fall Out Boy and Capital Cities; it will be held at the Las Vegas Motor Speedway. Thursday will probably be half a day, so maybe some spare time!

Content

Looking at content I will be most interested in EUC and common vSphere stuff. Also I might take a peek at some automation sessions.

Presenting

Will I be presenting? Not sure yet, maybe a vBrownbag techtalk 🙂

NSX 6.2.3 release includes vShield license

Until now, if you wanted agentless anti-malware but did not own full-blown NSX, you needed vShield, which VMware had announced would go EOL in September. As expected, VMware today announced NSX 6.2.3, which includes a vShield license. Sadly it still only supports anti-malware, so don’t expect a lot of ransomware protection to be done agentless.

The rest of the changes:

Changes introduced in NSX vSphere 6.2.3:

Logical Switching and Routing

NSX Hardware Layer 2 Gateway Integration: expands physical connectivity options by integrating 3rd-party hardware gateway switches into the NSX logical network

New VXLAN Port 4789 in NSX 6.2.3 and later: Before version 6.2.3, the default VXLAN UDP port number was 8472. See the NSX Upgrade Guide for details.

Networking and Edge Services

New Edge DHCP Options: DHCP Option 121 supports static route option, which is used for DHCP server to publish static routes to DHCP client; DHCP Options 66, 67, 150 supports DHCP options for PXE Boot; and DHCP Option 26 supports configuration of DHCP client network interface MTU by DHCP server.

Increase in DHCP Pool, static binding limits: The following are the new limit numbers for various form factors: Compact: 2048; Large: 4096; Quad large: 4096; and X-large: 8192.

Edge Firewall adds SYN flood protection: Avoid service disruptions by enabling SYN flood protection for transit traffic. Feature is disabled by default, use the NSX REST API to enable it.

NSX Edge — On Demand Failover: Enables users to initiate on-demand failover when needed.

NSX Edge — Resource Reservation: Reserves CPU/Memory for NSX Edge during creation. Admin user can modify the CPU/Memory settings after NSX Edge deployment using REST API to configure VM appliances.

Change in NSX Edge Upgrade Behavior: Replacement NSX Edge VMs are deployed before upgrade or redeploy. The host must have sufficient resources for four NSX Edge VMs during the upgrade or redeploy of an Edge HA pair. Default value for TCP connection timeout is changed to 21600 seconds from the previous value of 3600 seconds.

Cross VC NSX — Universal Distributed Logical Router (DLR) Upgrade: Auto upgrade of Universal DLR on secondary NSX Manager, once upgraded on primary NSX Manager

Flexible SNAT / DNAT rule creation: vnicId no longer needed as an input parameter; removed requirement that the DNAT address must be the address of an NSX Edge VNIC.

NSX Edge VM (ESG, DLR) now shows both Live Location and Desired Location. NSX Manager and NSX APIs including GET api/4.0/edges//appliances now return configuredResourcePool and configuredDataStore in addition to current location.

Security Services

Distributed Firewall — TFTP ALG: enables use cases such as network boot for VMs.

Firewall — Granular Rule Filtering: simplifies troubleshooting by providing granular rule filters in UI, based on Source, Destination, Action, Enabled/Disabled, Logging, Name, Comments, Rule ID, Tag, Service, Protocol.

Guest Introspection — Windows 10 support

SSL VPN Client — Mac OS El Capitan support

Service Composer — Performance Improvements: enables faster startup/reboot of NSX Manager by optimizing synchronization between security policy and firewall service, and disabling auto-save of firewall drafts by default.

Service Composer — Status Alarms: raises system alarm if security policy is out-of-sync, and takes specific actions based on alarm code to resolve issue.

Operations and Troubleshooting

NSX Dashboard: Simplifies troubleshooting by providing visibility into the overall health of NSX components in one central view.

Traceflow Enhancement — Network Introspection Services: Enhances ability to trace a packet from source to destination, by identifying whether packets were forwarded to 3rd-party network introspection services, and whether the packet comes back from the 3rd-party service VM or not.

SNMP Support: Configure SNMP traps for events from NSX Manager, NSX Controller, and Edge.

Logging is now enabled by default for SSL VPN and L2 VPN. The default log level is notice.

Firewall rules UI now displays configured IP protocols and TCP/UDP port numbers associated with services.

NSX Edge technical support logs have been enhanced to report memory consumption per process.

Central CLI Enhancements

Central CLI for Host Health: Shows host health status, with 30+ checks in one command (including network config, VXLAN config, resource utilization, etc.)

Central CLI for Packet Capture: Provides ability to capture packet on the host and transfer the capture file to user’s remote server. This eliminates the need to open up hypervisor access to network administrators, when troubleshooting logical network issues.

Technical support bundle per host: Gathers per-host logs and creates a bundle that can be saved and submitted to VMware technical support for assistance.

Licensing Enhancements

Change in default license & evaluation key distribution: default license upon install is “NSX for vShield Endpoint”, which enables use of NSX for deploying and managing vShield Endpoint for anti-virus offload capability only. Evaluation license keys can be requested through VMware sales.

License usage reporting: NSX license usage counts are displayed on NSX Manager’s Summary UI and also retrievable via API. NSX license usage counts will no longer be reported through vCenter licensing service.

Solution Interoperability

Customer Experience Improvement Program: NSX supports reporting system statistics via the VMware Customer Experience Improvement Program (CEIP). Participation is optional and is configured in the vSphere Web Client.

VMware vRealize Log Insight 3.3.2 for NSX provides intelligent log analytics for NSX, with monitoring and troubleshooting capabilities and customizable dashboards for network virtualization, flow analysis and alerts. This version accepts NSX Standard/Advanced/Enterprise edition license keys issued for NSX 6.2.2+.

Beware of the Windows 7 & Server 2008 R2 convenience patch!!

While it is a nice thing for Microsoft to make the convenience patch for Windows 7 and Server 2008 R2 users, it seems to break some things. When you are using VMXNET3 vNICs in your VMs, as you should, it throws away the old card and creates a new one. To fix this you can uninstall the old card after enabling the view of hidden devices in Device Manager and add the IP data to the new NIC. Be aware that this might create issues with software that is licensed using MAC addresses. According to Microsoft you can also uninstall the patch, but I think that would be the last resort for me.

More info from VMware: http://blogs.vmware.com/apps/2016/06/rush-post-microsoft-convenience-update-and-vmware-vmxnet3-incompatibilities.html

The Microsoft KB: https://support.microsoft.com/en-us/kb/3125574

Timecheck please!

Something I still see now and then, and have had big issues with in the past, is the time on ESXi hosts. Sometimes no NTP servers have been set or the ESXi hosts can’t connect to them. Other times NTP servers have been set but not the time, so they’re still off. Normally this shouldn’t be a problem, but since a VM always takes on the time of the host it is moving to during a vMotion this can cause issues on database servers.

In my last situation the NTP servers were correct but the time was off and somehow never properly synced to the NTP hosts. To fix this I created 2 scripts, one to check the NTP settings and current time and another to set the time.

Nothing fancy, you need to be connected to your vCenter in advance, but it makes and opens a nice HTML file with your NTP settings and current time on your ESXi hosts.

This is the output it makes:

[Screenshot of the HTML report in Firefox]

Then it was time to make the other script. Since sometimes it might take a few secs to set the time, I decided to check my local time before every set of a time on an ESXi host.

Again nothing fancy but it does the trick perfectly.
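The two scripts described in this post, written out as an added PowerCLI example (not the author's own code). It assumes VMware PowerCLI is loaded and `Connect-VIServer` has already been run; the function names, the 5-second tolerance and the report path are assumptions.

```powershell
# Added example, not the author's scripts. Requires VMware PowerCLI and an
# existing Connect-VIServer session. Function names, tolerance and report path
# are assumptions made for illustration.
function Get-EsxiTimeReport {
    param([double]$ToleranceSeconds = 5)
    foreach ($esx in (Get-VMHost | Sort-Object Name)) {
        $dts  = Get-View -Id $esx.ExtensionData.ConfigManager.DateTimeSystem
        $ntpd = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'ntpd' }
        # Take the local reference time right before querying each host.
        $local    = Get-Date
        $hostTime = $dts.QueryDateTime().ToLocalTime()
        $drift    = ($hostTime - $local).TotalSeconds
        [pscustomobject]@{
            Host        = $esx.Name
            NtpServers  = (Get-VMHostNtpServer -VMHost $esx) -join ', '
            NtpdRunning = $ntpd.Running
            NtpdPolicy  = $ntpd.Policy
            HostTime    = $hostTime
            DriftSec    = [math]::Round($drift, 1)
            InTolerance = [math]::Abs($drift) -le $ToleranceSeconds
        }
    }
}

function Set-EsxiTimeFromLocal {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)]$VMHost)
    process {
        $dts = Get-View -Id $VMHost.ExtensionData.ConfigManager.DateTimeSystem
        if ($PSCmdlet.ShouldProcess($VMHost.Name, 'Set host clock from local time')) {
            # Read the local clock again for every host, because each set can
            # take a few seconds and a single timestamp would go stale.
            $dts.UpdateDateTime((Get-Date).ToUniversalTime())
        }
    }
}

# Write the report as HTML and open it in the default browser.
$report = Join-Path $env:TEMP 'esxi-time-report.html'
Get-EsxiTimeReport | ConvertTo-Html -Title 'ESXi NTP settings and time' | Out-File $report
Invoke-Item $report

# Preview the change first; drop -WhatIf to actually set the clocks.
Get-VMHost | Set-EsxiTimeFromLocal -WhatIf
```

The machine running the script is the time reference here, so its own clock has to be synced correctly before the setter is used.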