VMware ESXi shutdown incomplete for newer hosts

There are other threads about VMware shutdowns not working as expected. While I cannot provide a solution for this, there is maybe a hint in this post.

History and Symptoms

After a power outage two of our VMware ESXi hosts did not shut down completely. All VMs where shut down and the hosts were put to maintenance mode. However, the hosts were not shut down.

Other VMware ESXi hosts were completely shut down, as expected.

Power came back very soon. The UPS was still running at that time. I left the maintenance mode for the two hosts manually and started the VMs manually for those two hosts. The other hosts were booting fine automatically.

Lots of login errors were logged in the vSphere Web Client after the hosts and VMs were powered up again.  The error message was like “user@[IP vMA with PCNS] could not log in. Insufficient permissions”. The errors were only for the two vSphere hosts.

Analysis Part 1 – Login Errors in vSphere Web Client

With the information from the thread

https://community.se.com/t5/APC-UPS-Data-Center-Enterprise/bd-p/datacenter-forum

the login error issue visible in the vSphere Web client was fixed quickly.

PCNS error log after the reboot, multiple entries of the same type:

ERROR pool-80-thread-1 com.apcc.m11.components.Shutdowner.Hosts.ESXManagedHost - Failed to take host out of maintenance mode: myhost14.my.domain

Obviously PCNS was trying to take the two hosts out of the maintenance mode. I could stop this by emptying /opt/APC/PowerChute/group1/VirtualizationFileStore.properties. From the thread above I learned this is the “things to be done after reboot” list.

The question is why PCNS could not log into the two hosts. There is no more information about that in the error log of PCNS. I assume that PCNS was trying to log into the two hosts directly – although the vCenter Server Appliance was up and running. Another option is that – for whatever reason – the vCenter Server Appliance could not “forward” the command of PCNS.

Analysis Part 2 – No complete shutdown of two hosts

PCNS error log at the time of the shutdown:

ERROR Thread-33 com.apcc.m11.components.WebServer.util.virtualization.VMWareConnection - getESXiHostConnection, Host myhost14.my.domain - (NoPermission or InvalidLogin) [no details available]

ERROR Thread-33 com.apcc.m11.components.Shutdowner.Hosts.ESXManagedHost - checkForVCSAVMAndHostInCriticalHosts - cannot obtain HostSystem using findByIP and findByDnsName for critical host myhost14.my.domain

I assume the second line is just a consequence of the first line. Again I assume that PCNS tried to log into the vSphere host directly to shut down the host – although the vCenter Server appliance was still up and running. Still the other alternative I see is that the vCenter Server Appliance did not forward the command.

Analysis Part 3 – Differences of the Servers

So far the issue is narrowed down to a login problem. The questions is why the login problem happened on two servers, but not on others.

The two affected hosts are newer. I compared the permission settings of the older and the two newer hosts.

The user configured in PCNS is “vmware-pcns@my.win.domain”. This user is a member of the group “VMware-Administrators@my.win.domain”, which we use to set permissions.

In the vSphere Web Client the group is displayed as “MY.WIN.DOMAIN\VMware-Administrators” in the permissions tab. This is displayed for the older and the two newer hosts.

I checked the permissions again using the (old) vSphere C# Client. For the older host the entry is “MYWINDOMAIN\vmware-administrators”. For the two newer hosts there is no such entry at all.

We are writing installation and configuration blogs for each machine in our IT landscape. A look in the past showed that we have added the older hosts to the Active Directory using the vSphere C# Client, while the two newer were added using the vSphere Web Client.

Maybe the mixed use of capital and small letters vs small letters only is another indication.

Idea for PCNS Improvement

This is just a side note on that case. I think it is an essential information to display the ability to log into each vSphere host individually. The individual login is used when the vCenter Server (Applicance) is not available and it is important to know whether it is working or not.

There is a “Check Details” button to verify whether PCNS can connect to the UPS. And I can check indirectly whether PCNS can log into the vCenter Server (Appliance) by clicking the menu item “Host Protection”. There is no way to check the individual host login from the PCNS web interface.

A button “Check Connectivity” would make sense. It might display:

1) Connection to the UPS

2) Connection to the vCenter Server (Appliance)

3) Connection to each vSphere ESXi host individually

A green “OK” checkmark or a red “X” behind each line would indicate the connectivity.

Environment

We use PCNS 4.1, vSphere 6, latest version of vCenter Server Appliance, vCenter Server Appliance and vMA with PCNS are on one of the older hosts. There is no other (global) user to set permissions. The group mentioned above is set globally.