We have disabled TLS 1.0 on a VMware host (6.5 U1) after failing a security scan.

Now various sensors (Hardware Status, Host Performance, VM Status) fail with error "The underlying connection was closed: An unexpected error occurred on a send."

  • Version is 17.4.35.3318 [Preview].

Currently the TLS 1.0 protocol is enabled on the PRTG server. If we disable this then the error becomes: "aborted could not create SSL/TLS secure channel", and the errors extend to a second VMware host that still has TLS 1.0 enabled.

Please advise how to have PRTG check a VMware host that has TLS 1.0 disabled.


Article Comments

Hi dosit,

What OS is the PRTG Server running on and are all updates and latest .NET installed?


Kind regards,
Stephan Linke, Tech Support Team


Nov, 2017 - Permalink

OS is Windows 10 Pro, fully patched. .NET is 4.7.02046.


Nov, 2017 - Permalink

Interesting. Does the error persist upon recreating the sensor? In case they don't work as well, please provide me with the output of reconfigureVc scan. It resides in one of the following directories:

  • Linux: /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator
  • Windows: C:\Program Files\VMware\CIS\vSphereTLSReconfigurator\VcTlsReconfigurator

Did you use this guide to configure TLS 1.2 accordingly?

Kind regards,
Stephan Linke, Tech Support Team


Nov, 2017 - Permalink

If I delete the VMware Host Hardware Status (SOAP) sensor and try to re-add it, it fails with "Could not create the sensor VMware Host Hardware Status (SOAP) on device ...".

root@GL2-VCA [ /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator ]# ./reconfigureVc scan
vCenter Transport Layer Security reconfigurator, version=6.5.0, build=5597882
For more information refer to the following article: https://kb.vmware.com/kb/2147469
Log file: "/var/log/vmware/vSphere-TlsReconfigurator/VcTlsReconfigurator.log".

==================== Scanning vCenter Server TLS endpoints =====================
Service Name           TLS Endpoint Port   TLS Version(s)
vmware-stsd            7444                TLSv1.1 TLSv1.2
vmcam                  NOT RUNNING
vmware-rhttpproxy      443                 TLSv1.1 TLSv1.2
rsyslog                1514                TLSv1.1 TLSv1.2
vmdird                 636                 TLSv1.1 TLSv1.2
vmdird                 11712               TLSv1.1 TLSv1.2
vmware-rbd-watchdog    NOT RUNNING
vmware-updatemgr       8084                TLSv1.1 TLSv1.2
vmware-updatemgr       9087                TLSv1.1 TLSv1.2
vsphere-client         9443                TLSv1.1 TLSv1.2
vsphere-ui             5443                TLSv1.1 TLSv1.2
vami-lighttp           5480                TLSv1.0 TLSv1.1 TLSv1.2

Yes that was the guide I used.

Note that the vCenter server is OK in PRTG; it is a host that has had TLS 1.0 disabled that we get the errors for.


Nov, 2017 - Permalink

Could you please try to replace C:\Program Files (x86)\PRTG Network Monitor\Sensor System\VMWareSensor.exe with this one? Make sure to backup the existing one.

Let me know if it worked!


Kind regards,
Stephan Linke, Tech Support Team


Nov, 2017 - Permalink

Yes that has fixed the issue, thanks.


Nov, 2017 - Permalink

Cool! Note that you need to replace it when updating PRTG until the sensor gets natively integrated :)


Kind regards,
Stephan Linke, Tech Support Team


Nov, 2017 - Permalink

Stephan,

Thanks for your solution. Saved us a lot of headache on a Friday afternoon. This works for our installation as well after disabling TLS 1.0 and TLS 1.1 for our vCenter instance.


Jan, 2018 - Permalink

Glad to be of assistance! :)


Kind regards
Stephan Linke, Tech Support Team


Jan, 2018 - Permalink
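
To check which TLS versions the PRTG server can actually negotiate with a host that has TLS 1.0 disabled, a probe like the one below can be run on the PRTG server itself. This is an added example, not part of the original thread and not Paessler or VMware code; the function name Test-TlsVersion and the host name in the usage comment are hypothetical.

```powershell
# Added example: try a TLS handshake with each protocol version in turn and
# report which ones succeed between this machine and the target endpoint.
function Test-TlsVersion {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,          # HTTPS port the VMware sensors connect to
        [int] $TimeoutMs = 5000
    )
    foreach ($name in 'Tls', 'Tls11', 'Tls12') {   # TLS 1.0, 1.1, 1.2
        $proto  = [System.Security.Authentication.SslProtocols] $name
        $client = New-Object System.Net.Sockets.TcpClient
        $result = [pscustomobject]@{
            Host = $HostName; Port = $Port; Protocol = $name
            Accepted = $false; Detail = ''
        }
        try {
            if (-not $client.ConnectAsync($HostName, $Port).Wait($TimeoutMs)) {
                throw 'TCP connect timed out'
            }
            # Certificate trust is deliberately not evaluated here: only the
            # protocol negotiation is under test (hosts often use self-signed certs).
            $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
            try {
                # Offer exactly one protocol version so the result is unambiguous
                $ssl.AuthenticateAsClient($HostName, $null, $proto, $false)
                $result.Accepted = $true
                $result.Detail   = "negotiated $($ssl.SslProtocol)"
            } finally {
                $ssl.Dispose()
            }
        } catch {
            # Handshake or connection failure: keep the innermost error message
            $result.Detail = $_.Exception.GetBaseException().Message
        } finally {
            $client.Close()
        }
        $result
    }
}

# Usage (placeholder host name, replace with the monitored host):
# Test-TlsVersion -HostName 'esxi01.example.internal' | Format-Table -AutoSize
```

A version reported as not accepted means it cannot be negotiated between this machine and the host, whichever side has it disabled, so run the probe from the PRTG server rather than from a workstation.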