VMs are reported as managed by Site Recovery Manager

Today I worked with a customer who had VMs reported with the SRM icon and in the powered-on state (icon srm on). This appeared after he tried to edit the VM settings for any active VM in the Primary site that is part of the Recovery Plan.

The customer environment was pretty straightforward: storage-based replication with a Compellent, multiple PGs and RPs.

When we tried to edit the configuration, we also got the following message:

Solution Site Recovery Manager manages the selected virtual machine. You should not modify the virtual machine directly. Use the management console of the solution to make changes. Proceed with the operation?

Edit VM Setting alert

Well, this may be expected behavior if he is trying to make changes to VMs on the DR site, but this was not the case.

In the review we found article 2032366 on the VMware site, which points to the related/same error: https://kb.vmware.com/s/article/2032366

Here are my lessons learned trying to apply this article:

You must apply both steps to fix the issue. If you only apply the first one using PowerCLI, you will get the same error the next time you try to edit the settings of any VM that may have a configuration mismatch.

If you have already run the cleanup script and you try to run it again, you will get a "not signed" error and it will not run. In this case I re-downloaded the script (2032366_ManagedBy_power cli script.zip) and ran it from another location. After this you will see the correct state in the vCenter interface, but you will still need to continue with the manual database cleanup. (Remember to take a backup of the database before any changes and stop the vCenter services.)

Since this VMware KB was not updated, the database example it uses is for a SQL one and not for vPostgres. Thanks to Sean Whitney's post (http://www.virtually-limitless.com/vsphere-6-0/interacting-with-the-vpostgres-database-in-vsphere-6-0/) I was able to connect to the database; now the next challenge was how…

So after a couple of hours trying to run the database scripts, we ended up with the following scripts, corresponding to the ones in the article:

1. This script finds virtual machine IDs whose managed_by_ext_key and managed_by_ext_type fields are not in sync between the VPX_VM and VPX_VM_CONFIG_INFO tables.


2. To obtain the number of affected virtual machines to cross-check against the output in step 3, run this query:

select COUNT(t1.ID) from VPX_VM t1 inner join VPX_VM_CONFIG_INFO t2 on t1.ID = t2.ID where t2.MANAGED_BY_EXT_KEY IS NULL and t1.MANAGED_BY_EXT_KEY IS NOT NULL;

3. To sync the two fields with VPX_VM_CONFIG_INFO, update the VPX_VM table using this script:


Restart vCenter and voilà! Everything is working, and we were able to manage the solution without the pop-up and change VM settings without any cosmetic issue.

Hope this information is useful.


Ping to ESG Fail – NSX 6.2.x (Back to basic)

If you have problems pinging your ESG (and you are not hitting the bug in NSX version 6.1.2), please be aware of the firewall rules inside the Edge Services Gateway.

By default, if you didn't configure the firewall during the deployment of the ESG, the firewall will have the following default rules:

  1. Permit any traffic from the vse (ESG) to any destination for any service
  2. The default rule, which is Any to Any for Any service: Deny

So, if you are working in a home lab and you want to receive ping replies, you can add a new firewall rule inside the ESG to accept ICMP traffic, or just allow all traffic and services in the ESG initial configuration.

Attached image with both options:

At the ESG deployment:

  • Check “Configure Firewall default policy”
  • Change the Default Traffic Policy from Deny to Accept

Note: This will allow all traffic and, depending on your environment, may result in a security breach, since it allows all types of traffic through the ESG.


After the ESG deployment, using the default firewall configuration from the ESG deployment:

  • On the ESG, select Manage > Firewall
  • Select the green plus sign to add a new firewall rule for the ESG (the rule must be before the last rule, which is the default one that denies all traffic)
  • Configure Name, Source and Destination depending on your security needs, and for the service select ICMP Echo, which is used for ping.
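
The two options above, compared in a small first-match model (an added example, not from the original post and not NSX code). Rule names, host labels and service strings are constructed for illustration; the model assumes rules are evaluated top to bottom with the first match deciding.

```python
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:
    name: str          # constructed label, not an NSX identifier
    source: str        # "vse" is the ESG itself; ANY matches everything
    destination: str
    service: str       # e.g. "icmp-echo", "tcp/22"
    action: str        # "accept" or "deny"

    def matches(self, src, dst, svc):
        pairs = ((self.source, src), (self.destination, dst), (self.service, svc))
        return all(want in (ANY, got) for want, got in pairs)

def evaluate(rules, src, dst, svc):
    """Walk the rules top to bottom; the first match decides."""
    for rule in rules:
        if rule.matches(src, dst, svc):
            return rule.action, rule.name
    return "deny", "no-match"

def default_ruleset(default_action="deny"):
    """The two rules an ESG has when the firewall was not configured at deployment."""
    return [
        Rule("vse-outbound", "vse", ANY, ANY, "accept"),
        Rule("default", ANY, ANY, ANY, default_action),
    ]

def with_ping_rule(source=ANY, destination=ANY):
    """Keep the default deny and insert an ICMP Echo rule above the last rule."""
    rules = default_ruleset("deny")
    rules.insert(len(rules) - 1,
                 Rule("allow-ping", source, destination, "icmp-echo", "accept"))
    return rules

def exposure(rules, probes):
    """Return the probes a ruleset lets through, to compare the two options."""
    return [p for p in probes if evaluate(rules, *p)[0] == "accept"]

# Constructed probes: (source, destination, service)
PROBES = [("lab-pc", "esg-uplink", "icmp-echo"),
          ("lab-pc", "esg-uplink", "tcp/22"),
          ("lab-pc", "web-vm", "tcp/443")]

if __name__ == "__main__":
    print("untouched default :", exposure(default_ruleset(), PROBES))
    print("default -> accept :", exposure(default_ruleset("accept"), PROBES))
    print("scoped ping rule  :", exposure(with_ping_rule("lab-pc", "esg-uplink"), PROBES))
```

Changing the default policy to Accept lets all three probes through, while the scoped ICMP Echo rule lets through only the ping.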



NSX 6.2.3/6.2.4 new Vib and Service

After updating from NSX 6.2.2 to 6.2.4 I found out that there is a new VIB deployed at the host preparation phase, esx-vdpi, and not only that, I see that there is a new service, vShield-Protocol-Introspection.

Doing some research regarding the VIB and the service, my assumption is that the VIB and the service are related: the esx-vdpi VIB corresponds to the script “/etc/init.d/vShield-Protocol-Introspection“. The service and VIB may have been added to provide a “Layer 7” / “App ID” visibility function in the NSX Manager, but I guess it is in tech preview and not available for production yet, which is why we cannot find any official documentation for it yet. I also found that this service was added in NSX release 6.2.3 (but remember that version 6.2.3 is buggy and not available for download).

Attached is an image before and after the update:


Hopefully we could get more information soon… 🙂

Key points from my point of view of the VMworld 2015

After attending some breakout sessions and doing some research after VMworld, here are some key points to take into consideration for this year until next year's VMworld announcements:

– NSX is a complement to other VMware products/features (VMware is pushing for SDN)

  • Micro-segmentation and its advantages (per-VM management without the need for multiple firewalls)
  • Stretch cluster with NSX, helping you to have a single L2 site

– vRealize for solution management/health/sizing and scale

  • VMware is pushing everything to vRealize and most of the products can be managed by it; this is the director management on VMware scale view.
  • Some of the new features are automated workload placement and re-balancing in order to optimize performance, new reporting options and collection and usage statistics to improve performance.

– vCenter Server Appliance (VCSA) 6u1 has several improvements, such as:

  • The VAMI UI accessible using port 5480 and a PSC dedicated configuration UI.
  • vCenter Update Manager (VUM) fully supported in the Web Client.

Good blog with information on new PSC improvements:


– Log Insight is an old VMware product, but there are some improvements in the reporting view with the vRealize integration, and VMware highly recommends this tool as the centralized logging tool.

– VSAN 6.1 came with the announcement (you need to update vCenter and the vSphere hosts to version 6 update 1)

  • Stretch cluster support with the use of a witness appliance or witness host (a custom ESXi image is needed)
    • Witness host needs a license if it is installed on a physical host; no license is needed if it is a nested host (the host will have a blue color instead of the regular gray color)
    • Witness host is used only for witness and should be used as part of the Pools of resource
    • Witness shouldn’t be part of the vSAN cluster.
  • There is also a need to leverage everything on L2, so it is recommended to have an NSX solution
  • New licensing for vSAN 6.1: standard and enterprise (Hybrid and All Flash respectively in version 6.0)
  • Stretch cluster requires a vSAN enterprise license

Note: With the announcement of vSAN 6 last year, there were improvements to the file system type with the acquisition. There is an upgrade for the file system from vSAN 5.5 to vSAN 6.x.

Some good blog regarding vSAN 6.1 and stretch cluster:


vSAN 6.1 white paper:


This is a summary of the VMware white paper on vSAN 6.1 with a step-by-step view:


– SRM 6.0 as a DR orchestrator

  • VMware advised the use of vSphere Replication and NSX
    • vSphere Replication: the advantage of using vSphere Replication is to leverage all the replication from the Primary site to the DR site, without the need to be aware of the storage or the different APIs of the different vendors
    • NSX: for the migration from the Primary site to the DR site without the need to change IP addresses, since the Logical Switch and DLR across both sides will manage the MAC address table and routing, making the migration more seamless for the end user.

– EVO:RAIL: something that was mentioned at the previous year's VMworld is the EVO:RAIL and its evolution to an EvoRack. VMware is working on a rack solution that it could provide to customers, with the easy and smooth deployment platform of EVO:RAIL, and with this get a full integration with NSX.