Home > Veeam B&R, VMware, vSphere > HOWTO: Fix Veeam v8.0 NFC errors with vSphere v6.0U1 using SSLv3

HOWTO: Fix Veeam v8.0 NFC errors with vSphere v6.0U1 using SSLv3

Recently updated vSphere to v6.0U1 from v6.0?  Using Veeam Backup & Recovery v8.0.0.2030?  Getting NFC storage issues like those below?

clip_image002

Specifically:         ERR |SSL error, code: [336151568].error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

You can find out more about this on the Veeam Forums at: http://forums.veeam.com/vmware-vsphere-f24/vsphere-6-0-u1-t30210.html

The high level explanation is that Veeam is using both TLS and SSLv3 components to connect to VMware – and VMware has disabled the SSL method in v6.0U1.  There is a bug in how Veeam is auto-detecting SSL or TLS connectivity, causing this issue.  Other VMware products are having similar issues talking to their own products, from what I understand.

Veeam has a KB2063 on the issue here: http://www.veeam.com/kb2063   You have two options – call in and request a private out of band hotfix from Veeam, or make changes on the VMware side. 

The VMware KB20121021 discusses how you can make these changes:  http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2121021

The high level gist is:

· Add "enableSSLv3: true" to /etc/sfcb/sfcb.cfg and then: /etc/init.d/sfcbd-watchdog restart

· Add "vmauthd.ssl.noSSLv3 = false" to /etc/vmware/config and then: /etc/init.d/rhttpproxy restart

I’ve whipped up a quick BASH script that seems to work in my testing.  It will:

· see if the desired option exists and exits

· if the options exists, but is the opposite setting (true vs false, etc) it will flip the setting

· if the option does not exist, it will add it

TEST IT BEFORE YOU RUN IT IN YOUR ENVIRONMENT, I’m not responsible if it does wonky things to you. 

Applying the changes does NOT require Maintenance Mode on the hosts, or any Veeam service restarting.  You can simply “retry” the job on the Veeam server, and “It Just Works”

This will likely be resolved by end of September when Veeam releases the next update to Veeam B&R – or there may be a vSphere v6.0U1a released.  Once the Veeam fix is released, it may be prudent to reverse or disable these changes on your hosts so you can use TLS vs SSL.

==== BEGIN VeeamNFCFix.sh =====

#

# Actions recommendations in http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2121021

#

#

# Look for "enableSSLv3: true" in /etc/sfcb/sfcb.cfg

#

cp /etc/sfcb/sfcb.cfg /etc/sfcb/sfcb.cfg.old

if grep -q -i "enableSSLv3: true" /etc/sfcb/sfcb.cfg; then

echo "true found – exiting"

else

if grep -q -i "enableSSLv3: false" /etc/sfcb/sfcb.cfg; then

  echo "false found – modifying"

  sed -i ‘s/enableSSLv3: false/enableSSLv3: true/g’ /etc/sfcb/sfcb.cfg

else

  echo "false not found – adding true"

  grep -i "enableSSLv3: true" /etc/sfcb/sfcb.cfg || echo "enableSSLv3: true" >> /etc/sfcb/sfcb.cfg

fi

fi

/etc/init.d/sfcbd-watchdog restart

#

# Look for "vmauthd.ssl.noSSLv3 = false" in /etc/vmware/config

#

cp /etc/vmware/config /etc/vmware/config.old

if grep -q -i "vmauthd.ssl.noSSLv3 = false" /etc/vmware/config; then

echo "false found – exiting"

else

if grep -q -i "vmauthd.ssl.noSSLv3 = true" /etc/vmware/config; then

  echo "true found – modifying"

  sed -i ‘s/vmauthd.ssl.noSSLv3 = true/vmauthd.ssl.noSSLv3 = false/g’ /etc/vmware/config

else

  echo "true not found – adding false"

  grep -i "vmauthd.ssl.noSSLv3 = false" /etc/vmware/config || echo "vmauthd.ssl.noSSLv3 = false" >> /etc/vmware/config

fi

fi

/etc/init.d/rhttpproxy restart

==== END VeeamNFCFix.sh =====

Advertisements
Categories: Veeam B&R, VMware, vSphere
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: