vSphere Upgrade Saga: 6.5 — Not Yet, But …

At the moment, I am waiting for several updates on VMware products to allow an upgrade to vSphere 6.5. Specifically, I am waiting on an upgrade of NSX and VIN that are supported by vSphere 6.5. The other tools I use should be fine with 6.5, but without those, I cannot upgrade. The vSphere Upgrade Saga continues with the following updates.

I was using vCNS 5.5 with vSphere 6.0 but had to migrate that to become NSX for vCenter due to vCNS 5.5 going end of life. So, my steps to prep for upgrading to vSphere/vCenter 6.5 were the following:

  • migrate vShield Manager 5.5 to NSX Manager 6.2.4
  • upgrade vRealize Log Insight to v4.0
  • upgrade vRealize Operations to v6.4
  • ensure host profiles are applied properly (I do this after every major upgrade)

Then wait.

vRealize Components

Upgrading the vRealize Log Insight and Operations components went as planned, with only one hiccup. In order to see the new web interfaces, you may need to clear your cache and cookies and restart your browser. At least, that is what it required for me.

vCNS Migration

Unsurprisingly, someone has already done this, so I just used their instructions, and it was pretty seamless. However, one step not in their list is to first check whether there is enough free disk space on vShield Manager. This is mentioned in this rather confusing KB 2144620 about migrating from vShield Manager to NSX Manager. Why is this confusing? Because it seems to imply that NSX Manager needs to be running first. It does not.

Now the VMware KB 2135959 shows that there is no way to solve any out-of-space problem, but that is not correct. This little gem at http://vcdx56.com/2015/08/vshield-manager-disk-100-full/ not only helped me to find out if the disk was full, but also provided instructions on how to free up space if necessary.

I also found the site https://esxsi.com/2016/07/29/nsx-manager-upgrade/. This site provides in-depth instructions on how to migrate from vShield Manager to NSX Manager with very little fuss. This is the article I followed after I freed up disk space, as my vShield Manager disks were full.

The step about restarting the vCenter Web Client on the vCenter host and restarting your browser to clear any cache is critical. If you do not do this, the NSX extensions will not be part of the Web Client. The importance of this cannot be overstated, as the NSX Manager web UI is now just for managing the Manager, not the NSX Edge or Introspective components. That is now 100% within the Web Client (but not the HTML5 Client).

That left only one last set of steps, for upgrading my vCNS Edge firewalls to NSX Edge firewalls. Those steps are:

  • open vCenter Web Client
  • click on Networking & Security
  • click on NSX Edges
  • click on the Edge to upgrade
  • under Actions, select the “Upgrade Version” menu item

Repeat this process for each Edge firewall.

To manage the firewall and other rules for each Edge firewall, you do the following:

  • open vCenter Web Client
  • click on Networking & Security
  • click on NSX Edges
  • double-click on the Edge to manage

Host Profiles

I could not get host profiles to remediate everything due to a VSAN Unicast Agent setting. The Unicast Agent is only used when you use a VSAN Witness. My cluster at one time used the witness and used it with a compute-only node and several data nodes. In other words, VSAN did not have drives on each node. This, technically, should work, but when I transitioned between the stretch cluster and standard cluster, the Unicast Agent IP was not cleared on the compute node. To fix this in Host Profiles, do the following:

  • Clear the Unicast Agent IP Address entry in the Host Profile
  • On the offending node(s) remove the Unicast Agent IP address.

To remove the Unicast Agent IP address, use the following from the vSphere Management Assistant or wherever you have esxcli installed.

esxcli -s vCenterHost -h ESXiHost vsan cluster unicastagent remove -a UnicastAgentIPAddress

Now you can recheck host profiles compliance and this particular issue will be resolved.
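
With more than a few hosts, it helps to find out which ones still carry the stale entry before removing anything. The following is an added example, not part of the original post: a dry-run helper that lists each host's unicast agents and prints the remove command only for hosts that still show the address. The vCenter name, host names, IP addresses, the `LIST_CMD` override and the sample listing are all constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Dry run: prints commands only.

# has_agent IP: reads "vsan cluster unicastagent list" output on stdin and
# succeeds only if IP appears as a complete whitespace-delimited field,
# so 10.0.0.5 never matches 10.0.0.50 and the column layout does not matter.
has_agent() {
    awk -v ip="$1" '{ for (i = 1; i <= NF; i++) if ($i == ip) found = 1 }
                    END { exit found ? 0 : 1 }'
}

# list_agents VCENTER HOST: queries the host through vCenter.
# Set LIST_CMD (hypothetical override) to a function name to test offline.
list_agents() {
    if [ -n "${LIST_CMD:-}" ]; then
        "$LIST_CMD" "$2"
    else
        esxcli -s "$1" -h "$2" vsan cluster unicastagent list
    fi
}

# plan_removals VCENTER IP HOST...: prints one remove command per host
# that still lists IP; hosts without the entry are skipped silently.
plan_removals() {
    vc=$1; ip=$2; shift 2
    for host in "$@"; do
        if list_agents "$vc" "$host" | has_agent "$ip"; then
            echo "esxcli -s $vc -h $host vsan cluster unicastagent remove -a $ip"
        fi
    done
}

# Constructed sample listings for offline use; the layout is illustrative
# and not captured from a real host.
sample_list() {
    case "$1" in
        esx-compute01) printf 'IP Address  Port\n10.0.0.5    12321\n' ;;
        esx-data01)    printf 'IP Address  Port\n10.0.0.50   12321\n' ;;
        *)             : ;;   # no unicast agent configured
    esac
}
```

Review the printed commands, then run them by hand; afterwards the host profile compliance check should no longer flag the Unicast Agent entry on those hosts.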

Final Thoughts

You always update peripheral management components before you upgrade vCenter and ESXi. While we wait for NSX and other tools to be compatible with 6.5, we can still start to upgrade those other items.

Migrating from vShield Manager to NSX Manager is a must if you own any part of vCNS (which used to ship with vCloud Suite Enterprise). If you use any introspective components like vShield Endpoint, the NSX Manager for vSphere is the appropriate upgrade path. Security add-ons from VMware are now managed within NSX Manager.

Be sure your host profiles are up to date, if you use them, before an upgrade to save on correcting issues after an upgrade. This is especially useful for VSAN and Networking. Misconfigurations could lead to an upgrade failure or lack of knowledge about the source of an issue.


Edward Haletky

Edward L. Haletky, aka Texiwill, is an author, analyst, developer, technologist, and business owner. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development and TVP Strategy where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization.
