WilliamLam.com

  • About
    • About
    • Privacy
  • VMware Cloud Foundation
  • VKS
  • Homelab
    • Resources
    • Nested Virtualization
  • VMware Nostalgia
  • Apple
You are here: Home / vSphere 7.0 / Heads Up - No healthy upstream error with VEBA vSphere UI plugin with vSphere 7.0 Update 3

Heads Up - No healthy upstream error with VEBA vSphere UI plugin with vSphere 7.0 Update 3

10.20.2021 by William Lam // Leave a Comment

After upgrading my homelab to vSphere 7.0 Update 3, I noticed that my VMware Event Broker Appliance (VEBA) vSphere UI Plugin which is included as part of the VEBA Appliance was no longer functioning properly and would display no healthy upstream error message.


I initially thought this might be environmental, since I had just upgraded from lab from vSphere 7.0 Update 2d to 7.0 Update 3. I had reported the issue to our vSphere UI Engineers who built the VEBA UI plugin and while they were looking into the issue, we had another report from a VEBA user who also was hitting the same issue. Today, I got an update from Engineering and it looks like there was a regression in the Envoy service running in the VCSA which had caused this issue. This issue will be fixed in a future patch update for the VCSA, but in the mean time, VEBA users can apply the workaround outlined below.

Note: This workaround is required for vSphere 7.0 Update 3 or later. The issue has been fixed in vSphere 8.0 but if you are running any version of 7.0 Update 3 or newer, you will still need to apply this workaround.

Step 1 - SSH to the VCSA Appliance and backup the original ProxyConfiguration.json file by running the following command:

cp /etc/vmware-rhttpproxy/endpoints.conf.d/ProxyConfiguration.json /etc/vmware-rhttpproxy/endpoints.conf.d/ProxyConfiguration.json.bak

Step 2 - We first need to unminify the proxy configuration file so that it is readable by a human since the JSON content is all compressed into a single line. Luckily, we have the jq utility on the VCSA and we will make a copy of that into a file called ProxyConfiguration-unminify.json by running the following command:

cat /etc/vmware-rhttpproxy/endpoints.conf.d/ProxyConfiguration.json | jq . > ProxyConfiguration-unminify.json

Step 3 - Open the file using VI Editor and search for the string "veba" and locate the section that looks like the following:

{
    "name": "remote-plugin-cluster-com.vmware.veba-0.2.0.0-1811688644-veba.primp-industries.local-443",
    "type": "STRICT_DNS",
    "connect_timeout": 120,
    "lb_policy": "VMWARE_FIFO",
    "endpoints": [{
        "socket_address": {
            "address": "veba.primp-industries.local",
            "port_value": 443
        }
    }],
    "tls_context": {
        "common_tls_context": {
            "tls_params": {
                "tls_minimum_protocol_version": "TLSv1_2",
                "tls_maximum_protocol_version": "TLSv1_2",
                "cipher_suites": "ECDHE+AESGCM:RSA+AESGCM:ECDHE+AES:RSA+AES",
                "ecdh_curves": "prime256v1:secp384r1:secp521r1"
            },
            "validation_context": {
                "verify_certificate_hash": [
                    "xx:xx:xx:xx"
                ]
            }
        }
    },
    "common_http_protocol_options": {
        "idle_timeout": 28800
    },
    "http_protocol_options": {
        "allow_absolute_url": true,
        "accept_http_10": true,
        "default_host_for_http_10": "localhost"
    }
}

We need to add an entry after the "tls_context" that contains the hostname of the VEBA appliance like the following:

,
"sni":"veba.primp-industries.local"

Here is what the final change should look like, please note there is a comma that is added before "sni" key

{
    "name": "remote-plugin-cluster-com.vmware.veba-0.2.0.0-1811688644-veba.primp-industries.local-443",
    "type": "STRICT_DNS",
    "connect_timeout": 120,
    "lb_policy": "VMWARE_FIFO",
    "endpoints": [
      {
        "socket_address": {
          "address": "veba.primp-industries.local",
          "port_value": 443
        }
      }
    ],
    "tls_context": {
      "common_tls_context": {
        "tls_params": {
          "tls_minimum_protocol_version": "TLSv1_2",
          "tls_maximum_protocol_version": "TLSv1_2",
          "cipher_suites": "ECDHE+AESGCM:RSA+AESGCM:ECDHE+AES:RSA+AES",
          "ecdh_curves": "prime256v1:secp384r1:secp521r1"
        },
        "validation_context": {
          "verify_certificate_hash": [
            "xx:xx:xx:xx"
          ]
        }
      },
      "sni":"veba.primp-industries.local"
}

Save your changes and exit the file.

Step 4 - We are now going to re-minify the JSON content and replace the original proxy configuration file by running the following command:

cat ProxyConfiguration-unminify.json | jq -c . > /etc/vmware-rhttpproxy/endpoints.conf.d/ProxyConfiguration.json

Step 5 - We now need to restart the following two services for the changes to go into effect:

vmon-cli -r rhttpproxy && vmon-cli -r envoy

Step 6 - Lastly, we need to SSH to VEBA Appliance and restart the VEBA UI pod by running the following command:

kubectl -n vmware-system delete pod $(kubectl -n vmware-system get pods | grep veba-ui | awk '{print $1}')

This will take a minute or so to restart and once the command prompt is returned, you can monitor the VEBA UI logs by running the following:

kubectl -n vmware-system logs $(kubectl -n vmware-system get pods | grep veba-ui | awk '{print $1}') -f

You should eventually see the following lines which indicates the VEBA UI plugin has successfully been deployed

2021-10-20 14:58:13.998 INFO 1 --- [ main] o.s.j.e.a.AnnotationMBeanExporter : Registering beans for JMX exposure on startup
2021-10-20 14:58:14.054 INFO 1 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 8080 (http) with context path '/veba-ui'
2021-10-20 14:58:14.059 INFO 1 --- [ main] c.v.sample.remote.SpringBootApplication : Started SpringBootApplication in 18.852 seconds (JVM running for 19.62)

At this point, you can now login to your vSphere UI or refresh the UI if you have not already and you should now be able to access the VEBA UI plugin!

More from my site

  • New vCenter Events for vSphere 7.0 Update 3
  • VMware Event Broker Appliance (VEBA) v0.8.0
  • NSX Alarms in vCenter Server using vSphere Events in vSphere 8
  • Demo of VMware Cloud Consumption Interface (CCI)
  • Beta for VMware Cloud Consumption Interface (CCI) formally Project Cascade

Categories // vSphere 7.0, vSphere Web Client Tags // VMware Event Broker Appliance, vSphere 7.0 Update 3

Thanks for the comment!Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Search

Thank Author

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.

Connect

  • Bluesky
  • Email
  • GitHub
  • LinkedIn
  • Mastodon
  • Reddit
  • RSS
  • Twitter
  • Vimeo

Recent

  • Programmatically accessing the Broadcom Compatibility Guide (BCG) 05/06/2025
  • Quick Tip - Validating Broadcom Download Token  05/01/2025
  • Supported chipsets for the USB Network Native Driver for ESXi Fling 04/23/2025
  • vCenter Identity Federation with Authelia 04/16/2025
  • vCenter Server Identity Federation with Kanidm 04/10/2025

Advertisment

Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy

Copyright WilliamLam.com © 2025

 

Loading Comments...