This post is more than 5 years old
34 Posts
1
11048
Cannot connect to VBA after MS hotfixes.
After installing Super Tuesday updates on my servers, my VBA backups are all failing with "Unable to connect to VBA emc-ba.it.endgames.local, error Cannot establish session to VBA." And that's literally it. I go to the logs for that job and that's also all it says. All backups were working so, there's really not much else it could be. There is not firewall between networker and the VBA or the ESXi server. When I snoop the connection through WireShark, I see traffic between the two on port 8543, so I'm rather mystified here. I'm in the process of reviewing all the updates to see what might be likely, but I'm hoping someone may have already seen and resolved this, even though I didn't see anything in the forum.
This is Networker 8.1.3 on Windows 2012 with VBA version1.0.3.6.
patrickt333
34 Posts
1
May 15th, 2015 12:00
Really, really surprised this isn't a bigger thing on this community, but in the event someone else comes across it, here's the answer. You can either unininstall KB3061518 or apply the below registry hack.
Modify the windows registry to enable the proper protocols by default. A KB for this procedure is being written by Mahesh.
NOTE: It is highly recommended to backup registry before following this process
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
NOTE: The ‘SSL 2.0’ is set to default of disabled by above and all other Keys under ‘Protocols’ will be overwritten
patrickt333
34 Posts
0
May 14th, 2015 08:00
Everytime I try to open that link, either by clicking on your link or searching through the portal, I get a salesforce.com error. I get this a lot through the EMC portal.
Login Error
Your login attempt using single sign-on with an identity provider certificate has failed. Please contact your salesforce.com administrator for more information.
pawankumawat
355 Posts
0
May 14th, 2015 08:00
Hello,
Following KB article contains solution for it -
https://support.emc.com/kb/195277
Regards,
Pawan
patrickt333
34 Posts
0
May 14th, 2015 09:00
Well, I'd love to do that, except the cert on this appliance is STILL insecure and now after the hotfixes, even IE won't connect to it. I've tried FF, Chrome, safari, and IE and none of them will connect to the appliance due to an insecure cert.
pawankumawat
355 Posts
0
May 14th, 2015 09:00
Issue -
The NetWorker VMware Protection integration is configured in the environment and scheduled backups were working successfully. The policies started encountering a failed state and the policy message shows:
Unable to connect to VBA [EBR_APPLIANCE], error Cannot establish session to VBA.
When you log into the EMC Backup & Recovery (EBR) Virtual Backup Appliance the "dpnctl status" command indicates that the mcs service is down. The EBR web configuration screen only shows that the backup scheduler service is down. Attempting to start the mcs service with "dpnctl start mcs" fails to properly start the mcs service.
The dpnctl.log, under the /usr/local/avamar/var/log/ directory, shows:
YYYY/MM/DD-HH:MM:SS Starting Administrator Server...
YYYY/MM/DD-HH:MM:SS Started
YYYY/MM/DD-HH:MM:SS Caught Fault -
YYYY/MM/DD-HH:MM:SS Type : com.vmware.vim25.InvalidLogin
YYYY/MM/DD-HH:MM:SS Actor : null
YYYY/MM/DD-HH:MM:SS Code : null
YYYY/MM/DD-HH:MM:SS Reason : Cannot complete login due to an incorrect user name or password.
YYYY/MM/DD-HH:MM:SS Fault String : Cannot complete login due to an incorrect user name or password.
YYYY/MM/DD-HH:MM:SS Exception running : VMWare
YYYY/MM/DD-HH:MM:SS - - - - - - - - - - - - - - - END
YYYY/MM/DD-HH:MM:SS dpnctl: ERROR: error return from "[ -r /etc/profile ] && . /etc/profile ; /usr/local/avamar/bin/mcserver.sh --start" -exit status 1
Resolution
Update the vCenter registration information under the EBR configuration screen. If the vCenter server registration fails to save with the SSO username and password, ensure the password has not expired. If expired, update the SSO password via the vSphere Web client interface. Once the vCenter registration information is updated, the EBR appliance needs to be restarted.
patrickt333
34 Posts
0
May 14th, 2015 10:00
Maybe a better question is, Does the 8.2.1 VBA upgrade work with 8.1.3 server? And does it fix all the ssl stuff?
patrickt333
34 Posts
0
May 14th, 2015 11:00
Alright, I found a desktop with an unpatched IE and got into the admin interface. But this did not fix the issue. I updated both the VMWare and NetWorker configs.
yck23
3 Posts
1
May 19th, 2015 01:00
Hi,
uninstall of KB3061518 clear the issue for me
the registry hack/tweak doesn´t work (maybe you have another workaround)
thanks
br
Harri
Windows 2008 R2, Networker 8.2.1, VBA 1.1.1.46
yck23
3 Posts
0
May 19th, 2015 05:00
ok, not good to hear that you have new issues...
i´ve opened a ticket by our networker partner, maybe the provide a permanent fix
patrickt333
34 Posts
1
May 19th, 2015 05:00
I didn't try the registry tweak, was just copying the info EMC support sent me. Unfortunately, I now have a whole new set of issues with VBA backups.
sddc_guy
159 Posts
3
May 19th, 2015 08:00
See our friends from MS:
https://support.microsoft.com/en-us/kb/3061518
To edit this registry entry, follow these steps:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman
yck23
3 Posts
0
May 20th, 2015 00:00
Hi HyperV Guy,
thanks fr providing me with this update (my supporter also send me this info)
this registry tweak works without uninstalling the KB
thx
br
Harri
gestioneruc1
2 Posts
1
May 20th, 2015 04:00
ok.
shutdown EBR;
in my case, Networker 8.1.1.2 in installed on a Windows server 2012 and there i was removed KB by uninstalling them
remember that this KB on Windows 2012 don't create any registry key, as mentioned from Microsoft in https://support.microsoft.com/en-us/kb/3061518 Security update deployment information
then, create this DWORD ClientMinKeyBitLength with this value 00000200 in this path of registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman
then go to networker management console, go to device tab, and enable VBA device (vmware internal storage target);
restart Networker Server
restart VBA (ebr);
thats work for me.
patrickt333
34 Posts
0
May 20th, 2015 04:00
Just to be clear (and I'm taking an educated guess here), performing the registry tweak is likely identical to the patch. I preferred deferring the patch so that when EMC fixes it, I'll be able to re-apply rather than having a permanent registry hack I'll likely forget about. Just my preference, YMMV.
AQMDS
2 Posts
0
June 4th, 2015 23:00
Hello,
I Just Uninstall of KB3061518 and issue has been solved.
I am using Windows 2012 R2, Networker 8.2.1, VBA 1.1.1.50
BR
A,Q