## Extended Unstun Times with VVOLs and Veeam Proxy Fixed in 9.5 Update 3

Recently Veeam released Veeam Backup and Replication 9.5 Update 3″ This update has brought a number of fixes and additional features that you can read about in Anthony Spiteri’s post VEEAM BACKUP & REPLICATION 9.5 UPDATE 3 – TOP NEW FEATURES

This particular release brings a welcomed fix for backing up VVOL backed VMs when using a proxy server. The symptoms occur when you backup a VM that is utilising VVOL storage and a proxy server with hotadd. The snapshot attempts to remove too soon before the HotAdded disk finishes its unbind process. When this occurs the VM can freeze anywhere from a number of seconds up to 80+ seconds.  These issues were not present when the backup proxy was on the same host as the VM that was backing up. The workaround prior to this release was to run in NBD mode which uses the host as a proxy and is a slower method.

So, what am I looking for? The most obvious symptom is when your VM freezes and can not perform any actions, however performance graphs, etc all should a healthy VM. The other is in your VM log file, you will find a line similar to below. this is a standard line in your log, the difference is the the length of time the process runs for.  In this sample: 56 seconds

Checkpoint_Unstun: vm stopped for 56223314 us

In Veeam B&R 9.5U3, you can now add a registry value to set a wait time to allow the unbind from the proxy to complete before the snapshot is removed. to do this, open up your Veeam B&R server -> Open RegEdit -> navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\

Using decimal set your wait time (value) in seconds for how long you require.

Once added, you can restart your server\services for the settings to take affect. After testing overnight with a few Backup jobs, I re-enabled all jobs to run through proxies and  have not seen any issues yet.

## PowerCLI migrate vSwitch port groups to vDS in a different vCenter

Over the 6 months I have been working hard on designing and implementing our latest infrastructure refresh and migration to another datacenter. This was a big task, especially when we had to migrate customer servers with minimal downtime. However, there were many more challenges we faced, however with the right planning in the design, these were fairly well handled.

One of the challenges was that we were using Standard vSwitches in the old 5.5/5.1 environment due to some 3rd party applications back when the environment was 4.1 which caused issues when using a vDS.
As we were building a new vCenter we decided the best method was to automate adding all the VM port groups along with their VLANs and LAG into the DvSwitch.
One thing I’ve learnt from Alan Renouf is “The best script you will ever write is one that you stole from somebody’s website” which doesn’t mean  steal it and claim it as your own, but if someone has a script that does exactly what you need, then use it, just make sure you give credit where credit is due.
It just so happened by luck that right around the time I was starting to think about the process, I saw a twitter post from Ben Liebowitz “PowerCLI Script to create a new vDS Portgroups” – Beauty, this was exactly what I was after (albeit some small changes to suit).

The next step was to get a script to match to do the initial export to CSV, after a quick google I came across a Luc Dekens script that he had written for someones request on the VMware Community Forums.  It was pretty straight forward and only require some lines removed so that the CSV only had the columns required for the import.  So once I had the scripts, it was down to testing the process on how to use them prior to prod.

1. Edit the Export vSwitch Configuration script from Luc Dekens
2. Run the script
3. Open the CSV (Make sure the columns names line up with the import script)
**As we are exporting from a vSwitch and importing to vDS, we will need to manually add a new column to the exported CSV called numports and place the correct number of ports in each row (by default 8) .
**Also remove any multiples of portgroups (e.g. if you have multiple hosts with the same Portgroups as these will be also in the csv)
4. Edit the Import script from Ben Liebowitz
– Change the vDS name and LAG name to match your environment.
– Update to the CSV path
5. Run the import script.
6. Confirm the ports have imported by looking at the vDS.

The process is simple, so let’s break this down into some of the areas you can edit .

In the export script, all you need to edit is the lines that control what information is exported to the CSV. Just remove the lines you do not require. for example I do not need the IP address, so I would remove the below line.

@{N="IP";E={if($vNicTab.ContainsKey($pg.Name)){$vNicTab[$pg.Name].Spec.Ip.IpAddress}}}

The csv will export to the directory you have set in PowerCLI when running the script. Below is what the csv will turn out like, however note that I have also added the numports in as well.

ESX,pgName,vlanID,numports
HyperVisor-Hostname,PortGroup_1,3005,8
HyperVisor-Hostname,Portgroup_2,3005,8
HyperVisor-Hostname,Portgroup_13,3007,8
HyperVisor-Hostname,Portgroup_34,3007,8

etc.

Now for the Import.
In the import script, make sure that you change the name of the vDS, ActiveUplink and the location of the CSV – So he following lines.

# Set the VDS Name to variable
$vds = "dvSwitch" # Import the CSV of VLAN IDs, Portgroups, and # of ports$vdsPortgroup = Import-Csv \path\to\New_Portgroups.csv
get-vdswitch $vdsname | Get-VDPortgroup$portgroup.pgName | Get-VDUplinkTeamingPolicy | Set-VDUplinkTeamingPolicy -UnusedUplinkPort dvUplink1, dvUplink2, dvUplink3, dvUplink4

get-vdswitch $vdsname | Get-VDPortgroup$portgroup.pgName | Get-VDUplinkTeamingPolicy | Set-VDUplinkTeamingPolicy -ActiveUplinkPort LAG


That’s it. Very straight forward set of scripts to run. I prefer to run these individually as there is the step in the middle with the csv file. Aside from that I would like to thank both Ben Liebowitz and Luc Dekens for their community support for sharing their scripts.

## Install and Configure NSX Manager

I’m starting to become a bit of a fan of VMware NSX and getting excited with all the new features that came out of VMworld 2017. I recently rebuilt my lab and one of the parts I need to install is, you guessed it, NSX. So I figured I would write a series of basic “Getting Started” guides.  To start with, we will go through installing the NSX Manager, the brain of the solution. Now for the install, I just attached the NSX Manager Appliance to a vSwitch for the moment, but you will need to ensure that you have a Distributed Virtual Switch configured to utilise NSX as it is a required component. I will be installing NSX Manager 6.3.3 (The latest as of this post)

NSX is more than just networking, it is also part of the endpoint services that was previously vShield in the vCloud Networking and Security Suite (vCNS). Implementing NSX allows you to extend the feature set taking you to the next level of virtual networking.

I will be going over the install and configuration of some of the other components in the next few posts following this one.

Installing NSX Manager:

Once downloaded, ensure the Client Integration tools are installed and then open up the VMware Webclient. (For Client Integration Tools SSL FireFox issue  see this post)

Right click cluster and select “Deploy OVF Template” à Navigate to the NSX Manager OVF file à Accept the configuration

Accept the EULA

Input details for configuration

– IPv4/IPv6 details
– DNS
– NTP
– SSH
– VMware Customer Experience Improvement Program

Accept all and deploy

Once deployed. Open up a web browser and navigate to the IP/hostname that you set for your NSX Manager.

Navigate to “General” and edit the time settings à set your timezone à Save and log off and back on again for settings to take affect

Navigate down to “NSX Management Service” àSelect Edit on “Lookup Service URL:” and enter your PSC FQDN. (Enter vCenter if using embedded PSC) Enter SSO username and password and click OK

Select edit on “vCenter Server” and enter your vCenter server address followed by vCenter Service account or SSO.

Once all lights are green, log off and log into vCenter with the account used to attached NSX to vCenter.

If you log in as another accout, you will not be able to see the Network and Security tab as you will not have been granted permission to it. (Note that my SSO is vSphere.local for this lab)

Log in as the account that You will see the Networking and Security section available in the Action menu, Home screen and the left hand Navigation menu. Select Network and Security -> click on NSX Managers -> select NSX Manager you wish to adjust -> Manage -> Users.

Click the green Plus sign -> Choose either to add a group or individual user (Suggest making an NSX Group to make control easier) -> Select the Level of Access and click OK.

Log off and log in as the user you jut granted permission to.  (Note that I am using readysetvirtual.local for my lab domain and standard user)

## VMware Client Integration – FireFox SSL Popup

I’ve been having this issue for a little while now, I hadn’t found any successful posts on how to allow the VMware Client integration plug-in to run on FireFox. This occur in my last lab environment and my current.  Unfortunately, without this integration tool, OVF deployments and various other functions are unavailable in the WebClient.

Error Msg: “The VMware Client Integration Plugin has updated its SSL Certificate in FireFox.”

Since Firefox ver. 52, plugins have been disabled by default and started to behave differently. We found this out the hardware when some of our customers were starting to open their SaaS Citrix environment with HTML5 instead of the thick client.

To fix this, I found a KB article that outlines the solution. (KBA 2112076)

As you can see, the integration tool is currently installed and in Firefox 56 the message is displaying after log on to the WebClient.

Go ahead and uninstall the Integration Tool as you will need to reinstall it again.

Once installed, reinstall the VMware Client Integration Plug-in and launch FireFox. The Plugin should then popup once you access your venter WebClient login page. -> Select “Remember my choice for vmware-csd links” and click “Open Link”

Head over to a host and attempt an OVF deployment.  A second pop will request for Access Control -> select “Allow” and untick “Always ask before allowing this site” (Unless security reasons)

You should now not see any error messages when you attempt an OVF deployment.

## vSphere 6.5 Host Resources Deep Dive – First thoughts

I decided that I would read from the very first page and go through the book, just in the foreword by @KitColbert, VP & CTO of Cloud Platform Business Unit @ VMware, my mind was going places I hadn’t placed it before. Kit talks about how something as simple as typing a linux command and what occurs before the result can be a discussion that can last for hours. In the 4 and a half pages for the foreword, Kit breaks this down and for me, that got me thinking in a whole new light of detail that I would not usually have gone to. This has set me up to accept the challenge of the level of detail that has gone into this book.

I am only a few pages in, but I know for sure that this is going to be a ride worth taking and opening up for the level of detail that will be exposed.

I look forward to reading the rest of this great book and hope you may get the chance too!

## Guest Introspection Service – NSX

Continuing on from my last post, I thought I would get in and talk about the Guest Introspection service before I roll back and redeploy my NSX lab.

In prior versions to vSphere 6.x, part of the VMware vCloud Networking and Security (vCNS) was vShield Endpoint that was installed onto each host to allow for agentless security products to interact with virtual machines through VMTools. This was a two component setup, you would first have the vShield Manager that was connected to your vCenter which then added an installation option on each host for vShield Endpoint. Once vShield Endpoint was installed and vShield Driver (Part of VMTools install), your antivirus/anti-malware software could then protect inside your virtual machines that have been set up.

Fast forward to vSphere 6.x and the release of NSX taking over the networking and security side of things for vSphere environments. vShield was partially removed in vSphere 6.0, but completely removed by vSphere 6.5. Replacing vShield is now the NSX Guest Introspection Service (GIS) that still gets deployed to each host, but the difference is instead of having a separate vShield manager, it is included with the NSX Manager.
The GIS is free (Depending on vCloud licensing you may need to double check with your reseller) with the default licensing that comes with NSX Manager. There is a default key that is automatically deployed with NSX Manager giving you this access.

Pre-requisites:
IP Pool (If you do not have one configured, then you can set up during GIS deployment)

1. Open up your Network and Security Tab –> Click on Installation –> Select Service Deployments.
2. Click on the + sign –> Select Guest Introspection –> Choose when you want to deploy Now or Schedule –> click next.
3. Select your Datacenter and cluster you want to install your Guest Introspection to –>  click next
4. Choose your storage device and network you want to –> Decide to use DHCP or IP Pool, click Change –> Select IP Pool and Click the + sign to create the Pool.

5. Confirm and click Finish.

The process will run through and migrate VMs between hosts if required. Once installed, your security software should detect the hosts and their current state and either require install a filter driver to the hosts and then the appliance (Third party components may vary between vendors).

This is a very straight forward service setup, but very powerful for the service it provides to your environment.

Thank you for reading. Please let a comment if you would like to.