Author: Wouter

Back to basics: Daily checks

  By , ,

Something I still hear a lot that system engineers take their vSphere environment for granted and hardly check anything on a daily basis. I always point them at Alan Renouf‘s brilliant health check script while there are other ways to get your daily dose of health this one still rocks for me. You can remove unwanted plugins or make different selections of plugins for daily, weekly or monthly checks. Now and then I still hear people that had issues because of snapshots and there is no need for that anymore and hasn’t been for years! This script has saved me lots of times already + it helped me get management support for limiting other people’s access to the environment because they had no idea what they where doing.

Example of the output you can get:

2016-07-03 20_13_59-192.168.0.11 vCheck

 

#VMworld here I come

  By

Earlier this year my boss agreed to let me go to VMworld this year. Finally my VMworld virginity will be taken. Although I am from The Netherlands he also let me choose were to go, Barcelona or Vegas and since I visited neither I decided to go for Vegas. I am really looking forward to this although I expect to be flabbergasted a lot!

Schedule

I will be flying out on Friday august 26th and back on Friday september 2nd. Saturday and Sunday 27-28th of august the menu consists of the Partner Exchange and maybe some free time Saturday evening. From Monday the 29th (my birthday!) it will be time for the real event: VMworld itself, my expectations are that in the evenings I will be dead beat by all the gained knowledge but will try to visit some parties here and there. I have no idea yet how I get there or how that goes but Tuesday the 30th it’s time for the big VMworld party this year starring Fall Out Boy and Capital Cities this year it will be held at the Las Vegas Motor Speedway thursday will probably be half a day some maybe some spare time!

Content

looking at content I will be interested the most in EUC and common vSphere stuff. Also I might take a peek at some automation sessions.

Presenting

Wil I be presenting? Not sure yet, maybe a vBrownbag techtalk 🙂

NSX 6.2.3 release includes vShield license

  By ,

Until now if you wanted agentless anti-malware but not owned full blown NSX you needed vShield that VMware had announced it to go EOL in september. As expected VMware announced today NSX 6.2.3 that includes a vshield License.Sadly it still only supports anti-malware so don’t expect a lot of ransomware protection to be done agentless.

The rest of the changes:

 

Changes introduced in NSX vSphere 6.2.3:

Logical Switching and Routing

NSX Hardware Layer 2 Gateway Integration: expands physical connectivity options by integrating 3rd-party hardware gateway switches into the NSX logical network

New VXLAN Port 4789 in NSX 6.2.3 and later: Before version 6.2.3, the default VXLAN UDP port number was 8472. See the NSX Upgrade Guide for details.

Networking and Edge Services

New Edge DHCP Options: DHCP Option 121 supports static route option, which is used for DHCP server to publish static routes to DHCP client; DHCP Options 66, 67, 150 supports DHCP options for PXE Boot; and DHCP Option 26 supports configuration of DHCP client network interface MTU by DHCP server.

Increase in DHCP Pool, static binding limits: The following are the new limit numbers for various form factors: Compact: 2048; Large: 4096; Quad large: 4096; and X-large: 8192.

Edge Firewall adds SYN flood protection: Avoid service disruptions by enabling SYN flood protection for transit traffic. Feature is disabled by default, use the NSX REST API to enable it.

NSX Edge — On Demand Failover: Enables users to initiate on-demand failover when needed.

NSX Edge — Resource Reservation: Reserves CPU/Memory for NSX Edge during creation. Admin user can modify the CPU/Memory settings after NSX Edge deployment using REST API to configure VM appliances.

Change in NSX Edge Upgrade Behavior: Replacement NSX Edge VMs are deployed before upgrade or redeploy. The host must have sufficient resources for four NSX Edge VMs during the upgrade or redeploy of an Edge HA pair. Default value for TCP connection timeout is changed to 21600 seconds from the previous value of 3600 seconds.

Cross VC NSX — Universal Distributed Logical Router (DLR) Upgrade: Auto upgrade of Universal DLR on secondary NSX Manager, once upgraded on primary NSX Manager

Flexible SNAT / DNAT rule creation: vnicId no longer needed as an input parameter; removed requirement that the DNAT address must be the address of an NSX Edge VNIC.

NSX Edge VM (ESG, DLR) now shows both Live Location and Desired Location. NSX Manager and NSX APIs including GET api/4.0/edges//appliances now return configuredResourcePool and configuredDataStore in addition to current location.

Security Services

Distributed Firewall — TFTP ALG: enables use cases such as network boot for VMs.

Firewall — Granular Rule Filtering: simplifies troubleshooting by providing granular rule filters in UI, based on Source, Destination, Action, Enabled/Disabled, Logging, Name, Comments, Rule ID, Tag, Service, Protocol.

Guest Introspection — Windows 10 support

SSL VPN Client — Mac OS El Capitan support

Service Composer — Performance Improvements: enables faster startup/reboot of NSX Manager by optimizing synchronization between security policy and firewall service, and disabling auto-save of firewall drafts by default.

Service Composer — Status Alarms: raises system alarm if security policy is out-of-sync, and takes specific actions based on alarm code to resolve issue.

Operations and Troubleshooting

NSX Dashboard: Simplifies troubleshooting by providing visibility into the overall health of NSX components in one central view.

Traceflow Enhancement — Network Introspection Services: Enhances ability to trace a packet from source to destination, by identifying whether packets were forwarded to 3rd-party network introspection services, and whether the packet comes back from the 3rd-party service VM or not.

SNMP Support: Configure SNMP traps for events from NSX Manager, NSX Controller, and Edge.

Logging is now enabled by default for SSL VPN and L2 VPN. The default log level is notice.

Firewall rules UI now displays configured IP protocols and TCP/UDP port numbers associated with services.

NSX Edge technical support logs have been enhanced to report memory consumption per process.

Central CLI Enhancements

Central CLI for Host Health: Shows host health status, with 30+ checks in one command (including network config, VXLAN config, resource utilization, etc.)

Central CLI for Packet Capture: Provides ability to capture packet on the host and transfer the capture file to user’s remote server. This eliminates the need to open up hypervisor access to network administrators, when troubleshooting logical network issues.

Technical support bundle per host: Gathers per-host logs and creates a bundle that can be saved and submitted to VMware technical support for assistance.

Licensing Enhancements

Change in default license & evaluation key distribution: default license upon install is “NSX for vShield Endpoint”, which enables use of NSX for deploying and managing vShield Endpoint for anti-virus offload capability only. Evaluation license keys can be requested through VMware sales.

License usage reporting: NSX license usage counts are displayed on NSX Manager’s Summary UI and also retrievable via API. NSX license usage counts will no longer be reported through vCenter licensing service.

Solution Interoperability

Customer Experience Improvement Program: NSX supports reporting system statistics via the VMware Customer Experience Improvement Program (CEIP). Participation is optional and is configured in the vSphere Web Client.

VMware vRealize Log Insight 3.3.2 for NSX provides intelligent log analytics for NSX, with monitoring and troubleshooting capabilities and customizable dashboards for network virtualization, flow analysis and alerts. This version accepts NSX Standard/Advanced/Enterprise edition license keys issued for NSX 6.2.2+.

Beware of the Windows 7 & Server 2008 R2 convenience patch!!

  By

While it is a nice thing for Microsoft to make the convenience patch for Windows 7 and Server 2008 R2 users it seems to break some things. When you are using VMXnet3 vcnic’s in your vm’s as you should it throws away the old card and creates a new one. To fix this you can uninstall the old card after enabling to view hidden devices in your device manager and adding the IP data to the new nic. Be aware that this might create issues with software that is licensed using mac addresses. According to Microsoft you can also uninstall the patch but I think that would be the last resort for me.

More info from VMware: http://blogs.vmware.com/apps/2016/06/rush-post-microsoft-convenience-update-and-vmware-vmxnet3-incompatibilities.html

The Microsoft KB: https://support.microsoft.com/en-us/kb/3125574

Timecheck please!

  By

Something I still see now and then, and have had big issues with in the past, is the time on ESXi hosts. Sometimes no ntp servers have been set or the ESXi hosts can’t connect to them. Other times ntp servers have been set but not the time so they’re still off. Normally this shouldn’t be a problem but since a VM always takes on the time of the hosts it is moving to during a vmotion this can cause issues on database servers.

In my last situation the ntp servers where correct but the time was off and somehow never properly synced to the ntp hosts. To fix this I created 2 scripts, one to check the ntp settings and current time and another to set the time.

$style = "<style>BODY{font-family: Arial; font-size: 10pt;}"
$style = $style + "TABLE{border: 1px solid black; border-collapse: collapse;}"
$style = $style + "TH{border: 1px solid black; background: #dddddd; padding: 5px; }"
$style = $style + "TD{border: 1px solid black; padding: 5px; }"
$style = $style + "</style>"
$esxihosts=Get-VMHost | Sort Name | Select Name,  @{N="NTPServer";E={$_ |Get-VMHostNtpServer}}, Timezone, @{N="CurrentTime";E={(Get-View $_.ExtensionData.ConfigManager.DateTimeSystem) | Foreach {$_.QueryDateTime().ToLocalTime()}}}, @{N="ServiceRunning";E={(Get-VmHostService -VMHost $_ |Where-Object {$_.key-eq "ntpd"}).Running}} 
$esxihosts | convertto-html -head $style -property  name,NTPServer,TimeZone,CurrentTime,ServiceRunning | out-file timecheck.html
start timecheck.html

Nothing fancy, you need to be connected to your vcenter in advance but it makes and opens a nice html file with your ntp settings and current time on your ESXi hosts.

This is the output it makes:

2016-05-24 20_23_21-Mozilla Firefox

Then it was time to make the other script, since sometimes it might take a few secs to set the time I decided to check my local time before every set of a time on an ESXi host.

Get-VMHost | Where-Object {
$t = Get-Date
$dst = $_ | %{ Get-View $_.ExtensionData.ConfigManager.DateTimeSystem }
$dst.UpdateDateTime((Get-Date($t.ToUniversalTime()) -format u))
}

Again nothing fancy but it does the trick perfectly.

Bye bye good old vSphere Client

  By

As seen about everywhere on the interwebs VMware has announced it’s saying bye bye to the good old C# Client, with the next release of vShpere it will not be available anymore. Don’t be afraid that you now need to use the flash client (which has improved considerably in recent vSphere 6.0 releases!) because Vmware has also announced the HTML5 Web Client will be a supported release pretty soon. For your ESXi hosts the HTML5 Host Client already was embedded in 6.0u2.

I can rewrite this but VMware describes it this way on their blog:

Today we have two important announcements. First, the C# client (AKA Desktop Client/thick client/vSphere Client for Windows) will not be available for the next version of vSphere. Current versions of vSphere (6.0, 5.5) will not be affected, as those will follow the standard support period. You’ve heard this from us in the past, but we’ve been waiting for a sufficient replacement before finally moving forward. Second, we want to talk about the recent vSphere HTML5 Web Client Fling, user adoption, and VMware’s focus on bringing a great user experience. Like the Embedded Host Client Fling (which made it into vSphere in 6.0U2), we plan on bringing this product into a supported release soon.

We’ll be referring to the new client as the vSphere Client, as it better describes the product, and isn’t a ten syllable mouthful (vSphere HTML5 Web Client).

Looking to the Future

VMware has been working towards the transition to HTML5 with the Platform Services Controller UI, vCenter Server Appliance Management UI, and the Host Client. All three of these were very well received and have become the official interfaces for their respective components. The last (and biggest) one to tackle was the management interface for vCenter Server.

vSphere Web Client has always been intended to be the replacement for the Desktop client, and many of our users have tried to embrace this during the vSphere 5.5 and vSphere 6.0 periods, spending their time working within the Web Client even with the Desktop client available.

While there were certainly issues with the 5.5 and 6.0 Web Client, many users that committed to the experience came to enjoy many of the new features and usability improvements. We also continued to listen to our customers, making further efforts to improve the Web Client experience have been made across 5.5U3, 6.0U1 and 6.0U2, including VUM (vSphere Update Manager) in 6.0U1 Web Client. We have made the Desktop client available during this period, which was much longer than originally planned. But now that time is ending.

Additionally, due to the shift in backend services going from vSphere 6.0 to the next version, updating the Desktop client would have required a huge investment. This may have been okay in a vacuum, but the required resources would have severely impacted the progress of the new vSphere Client, only to end up with four clients for users to juggle. We decided to focus on bringing the new vSphere Client (HTML5 based) up to speed as fast as possible, simultaneously offering a great user experience and getting off of Flash.

The new vSphere Client (HTML5)

(Try it here: https://labs.vmware.com/flings/vsphere-html5-web-client)

2016-03-07_1741_H5client_-_screenshot0

This decision is about VMware trying to provide the best user experience: a fast, reliable, scalable modern interface that allows you to get your work done is our primary goal. The new vSphere Client is the best way to achieve that goal. Many have already tried out the Fling (https://labs.vmware.com/flings/vsphere-html5-web-client), with approximately 40% of survey respondents deploying it into Production and using it daily to manage their critical environments. With this Fling, we’ll keep the user experience mostly the same as the Web Client, which we’ve improved, based on your feedback. We also plan on making additional improvements to make it easier for C# users to transition.

One benefit of the Fling delivery model is very fast turnaround. We’ve been able to release a new version of the Fling every week, with new features, bug fixes, and performance improvements. More importantly, we’ve been able to quickly incorporate user feedback into the product. Sometimes this means simple bug fixes, sometimes this means changing our priorities to better address user needs. While this pace and model of delivery may not be used for the fully supported releases, due to testing time required, we likely will continue to use the Fling releases to stay on track with users. A fundamental part of this high touch engagement model is users staying as up-to-date as possible, and most of our Fling users are doing just that, so thank you!

Plugins

We also recognize how important plugins are, and the transition from Web Client to vSphere Client will take second and third-party plugins into account. We’ve already started engaging with plugin developers of all sorts to get them moving to the HTML bridge, which will allow the creation of a single plugin that is forward and backward compatible with both the vSphere Client and the Web Client, creating a smooth transition path. If you require more information on plugin migration, please contact us. One great source of information is this site which contains a lot of future looking information about vCenter. This site will be updated as more information becomes available, so keep an eye on it: http://www.vmware.com/products/vcenter-server/future-overview/overview.html

We do expect the plugin transition to take some time, and this means that we expect to ship the Flex based Web Client and the HTML5 based vSphere Client side by side for some uncertain period. Everyone is very eager to have the new vSphere Client as the only client, but we want to respect the porting development time our partners require.

Seeking your Feedback

Hopefully these announcements come as a shock to no one – they are simply a reiteration of the message VMware has given for years. We are continually working to make vSphere Client a fast, reliable, and scalable product that provides a great overall experience. If you have any comments, please post them below. We’d like to hear feedback from all points of view, as we look to the future instead of the past.

Dennis Lu

Product Manager, vSphere Clients

 

My experience with the vcap6-dtm design beta exam

  By

At the end of march i received a mail by VMware to take part in the VCAP6-DTM Design beta exam. I received this probably because I took part in (and passed) the vcp6-dtm exam in January. There was not a lot of preparation time available since the last day to take the exam was april 15th but with 2 weeks and a couple of days worth I thought it might be a good exercise for me. Having hardly any design experience and no experience doing vcap exams I saw this as a learning exercise  from the start. About 1 to 3 hours I spend every day going over all the white papers en reviewing reference designs.

I decided to take this exam in the afternoon because of the length, normally I do exams in the morning but guessing I would need every minute I had to spare and then for me personally the afternoon was a better fit. The exam itself consisted of multiple drag & drops and the visio simulator. Everything seemed to work fine to me but the small monitors they have in my exam center didn’t really help with the visio parts. I answered most of the questions to my best knowledge. One question was about all the ports that needed to be opened in the firewall and that was something I decided on not to study to hard on since those things need more then 1 or 2 reads to cram them in my head. I made the drawing for the functional part but added no ports. In other questions I think they where heading to something but the restrictions in the questions ruled that out and I explained that in my remarks.

In the end I have totally no idea if I passed but if not I will be sure to do this exam once more. I have been waiting for a month now but guess I might need to wait another month for the results. My goals is already reached by doing the exam and having experience in what they might ask next time.