Monitoring and reporting for Veeam Backup & Replication, VMware vSphere and Microsoft Hyper-V in a single System Center Operations Manager Console
Post Reply
vrm
Enthusiast
Posts: 34
Liked: 1 time
Joined: Feb 18, 2010 7:51 am
Full Name: Vincent
Contact:

RunAs Direct ESXi Connection

Post by vrm »

We are currently working with Veeam Support on an issue that we have in MP for Vmware 6.5. The issue is related to the direct ESXi connection when vCenter isn't available. So far we have checked the RunAs Profile and account and it seems they are correct configured. When we power down the vCenter the Direct ESXi connection should take over the ESXi monitoring after 5 intervals(25 minutes). What we see is the following warning:

Veeam VMware Collector: vCenter connection failover errors and warnings
Error: Cannot open connection. Reason: User 'NT AUTHORITY\SYSTEM' is not allowed to access the Veeam Virtualization Extensions.


When the warning appears we see in Operations Manager eventlog error event 995:
vCenterFailover.ps1 : Error: Cannot open connection. Reason: User 'NT AUTHORITY\SYSTEM' is not allowed to access the Veeam Virtualization Extensions.

We want to run the Powershell script "vCenterFailover.ps1" manual but we can't find the script. Does anyone knows where we can find this script or have a solution for this issue? :D

Cheers
sergey.g
Veteran
Posts: 452
Liked: 76 times
Joined: May 02, 2012 1:49 pm
Full Name: Sergey Goncharenko
Contact:

Re: RunAs Direct ESXi Connection

Post by sergey.g »

Hi Vincent,

First of all I want to apologize that vCenter failover feature requires so many configuration steps, but there is no other way of creating such a complicated recovery action scenario without making sure SCOM has all necessary permissions for configured RunAs accounts.

This is a known issue and we have it documented in multiple places, in documentation (Release Notes) and in the Product Knowledge:
Causes
If the default action account for the Ops Mgr agent on the Veeam Virtualization Extensions Service machine does not have access to the Veeam VEShell (PowerShell interface), you may see error messages such as:

• '[User ID]' account unable to access the Veeam Virtualization Extensions Service.

This error could occur for any agent action account that cannot access Veeam VEShell, including LocalSystem.

Resolutions
To fix the permissions issue detailed in Causes above, the account specified as default Action Account should be added to the 'Veeam Virtualization Extensions for VMware Users' local group on the server running the Veeam Virtualization Extensions Service. Alternatively, if LocalSystem is the Action Account, and adding LocalSystem to the group is not desired, then change the agent Action Account to be a domain user account, and add this account to the local group. Note that this account should also be an Administrator of the local server.

Once Action Account is in the group - the script for vCenter connection failover should work properly.

Feel free to ask other questions regarding this new vCenter connection failover functionality.
I would also highly appreciate if you can provide us with your support ticket ID.
Thanks.
vrm
Enthusiast
Posts: 34
Liked: 1 time
Joined: Feb 18, 2010 7:51 am
Full Name: Vincent
Contact:

Re: RunAs Direct ESXi Connection

Post by vrm »

Hello Sergey,

We tried allready the resolutions you described and it did't solved the issue. Is it possible that the script vCenterFailover.ps1 is missing? We can't find it. We searched on the VES and Collector servers?

Cheers!
sergey.g
Veteran
Posts: 452
Liked: 76 times
Joined: May 02, 2012 1:49 pm
Full Name: Sergey Goncharenko
Contact:

Re: RunAs Direct ESXi Connection

Post by sergey.g »

Hello Vincent,

Thank you very much for providing me with the ticket number, I would recommend you to work with our tech support guys to finally fix the issue. We already discussed the situation and we think that this issue is still with configuring correct permissions for action account of the agent computer on which extensions service is running.

The issue is not with the script, because in the alert text you can clearly see that the issue is coming from the script which means it exists and it is running and just experiencing issues accessing the extensions service.

As far as I know you cannot find directly a script on the agent, they store it with ID as a name or something similar.

I'm sure that our support team should be able to fix the issue quickly, I will continue to monitor the ticket to provide them with instructions if necessary.

I really appreciate your patience, we will do our best to simplify and improve configuration of vCenter failover functionality.

Thanks.
vrm
Enthusiast
Posts: 34
Liked: 1 time
Joined: Feb 18, 2010 7:51 am
Full Name: Vincent
Contact:

Re: RunAs Direct ESXi Connection

Post by vrm »

What is the event number if the direct connection failover is successful(when vCenter failed)? And is there an alert rule or monitor where we can see if the failover is successful?
sergey.g
Veteran
Posts: 452
Liked: 76 times
Joined: May 02, 2012 1:49 pm
Full Name: Sergey Goncharenko
Contact:

Re: RunAs Direct ESXi Connection

Post by sergey.g »

Hello Vincent,

It is a really good question. There are multiple information events about collector connecting to ESX hosts, but they are not designed to trigger a rule or a monitor. If failover is successfull, first of all you should see it in the health explorer for the alert about failed vCenter connection, the monitor has a recovery action and in the State Change Events tab of Health Explorer you should see the failover script output, it should tell you that direct connections to hosts have been successfully created.

Also under Veeam for VMware > Veeam Collectors > VMware Connections, you should see direct to host connections in a green state and failed vCenter connection which should be still in the critical state..

We will think how we can improve indication about successfull failover in the next version.
We really appreciate your feedback.
Thanks.
vrm
Enthusiast
Posts: 34
Liked: 1 time
Joined: Feb 18, 2010 7:51 am
Full Name: Vincent
Contact:

Re: RunAs Direct ESXi Connection

Post by vrm »

Hello Sergey,

Issue solved with the help of Veeam Support!

Cheers!
sergey.g
Veteran
Posts: 452
Liked: 76 times
Joined: May 02, 2012 1:49 pm
Full Name: Sergey Goncharenko
Contact:

Re: RunAs Direct ESXi Connection

Post by sergey.g »

Hi Vincent,

Thank you very much for the update. I told you our tech support rocks :)
Post Reply

Who is online

Users browsing this forum: No registered users and 3 guests