VMware vCenter 6.5 Credential validation was not successful: Timed out stalled task


#1

When I try to add my VMware vCenter 6.5 server as a provider I am getting

Credential validation was not successful: Timed out stalled task.

I already tried disabling the firewall and setting SELinux to permissive mode. Had the firewall team open the port between MIQ (gaprindashvili-5.20180830092341_55bf4ee) and vCenter, still no luck. Any suggestion/help would be appreciated.

This is what I see on evm.log

INFO -- : MIQ(MiqQueue.put) Message id: [83033], id: , Zone: [default], Role: [ems_operations], Server: , Ident: [generic], Target id: , Instance id: , Task id: , Command: [ManageIQ::Providers::Vmware::InfraManager.raw_connect?], Timeout: [600], Priority: [100], State: [ready], Deliver On: , Data: , Args: [{:pass=>" ", :user=>"xyz@vsphere.local", :ip=>"server1.xyz.com", :task_id=>789}]
INFO -- : MIQ(MiqGenericWorker::Runner#get_message_via_drb) Message id: [83033], MiqWorker id: [283], Zone: [default], Role: [ems_operations], Server: , Ident: [generic], Target id: , Instance id: , Task id: , Command: [ManageIQ::Providers::Vmware::InfraManager.raw_connect?], Timeout: [600], Priority: [100], State: [dequeue], Deliver On: , Data: , Args: [{:pass=>" ", :user=>"xyz@vsphere.local", :ip=>"server1.xyz.com", :task_id=>789}], Dequeued in: [6.147905178] seconds


#2

@kaziislam

Any way you can set up a small/test vCenter environment without a firewall in between MIQ and vCenter? Just to rule out a firewall port issue.

So far my successful connections of vCenter 6.x/MIQ have all been without a firewall in between.


#3

@tjyang yes, that works. We are trying to add our second vCenter, which is on a different subnet.


#4

@kaziislam

Assume “2nd vCenter on a different subnet” means it is firewalled.

I remember I failed to get approval from my security team for a connection from the Windows vSphere client to a vCenter behind a firewall.

My current plan is to deploy another MIQ appliance as a standalone region into the VMware farm behind the firewall, and only request port 5432 to be opened so that it becomes a remote region and sends data into the master region.


#5

@tjyang thanks much for your response. What ports do we need between the vCenter/ESXi hosts and ManageIQ? I requested that 80, 443, 903, 8443 be opened between them. Do I need 5432, which is shown as the appliance database per https://github.com/ManageIQ/manageiq_docs/blob/master/doc-Appliance_Hardening_Guide/topics/Firewall.adoc?


#6

Yes, this works. If you are able to open ports from firewalled workers to the DB, just do a different zone, not region, as you will lose some functionality with a new region. Also, you will need to add the provider from a worker in that zone. For the initial connection it tries to connect from whatever UI worker you are on, and you will get timeouts due to the firewall. Once the connection is set up you can use the normal UI (if outside the firewall).


#7

@kaziislam

From my past experience working with security (firewall) sysadmins, the easiest way is to have them enable no port restriction between src and dest and find out what ports are actually used from the firewall GUI. Then, from the existing open ports and the inbound/outbound of the MIQ port connection, they should be able to render approval of this connection or not. An example of a denied request is the Windows Active Directory client and server connection.

Sorry, I haven’t had a need to connect MIQ providers behind a firewall yet.

Good luck.
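
Added example (not part of any post in this thread, and not ManageIQ code): a small Ruby check, run from the appliance or worker that makes the initial provider connection, that tells a silently dropped port (the usual cause of a timeout behind a firewall) apart from a refused one. The names `probe` and `probe_all` are hypothetical, the port list is the one requested in post #5, and the host is whatever you pass on the command line.

```ruby
require 'socket'

# Ports the poster in #5 asked the firewall team to open; adjust to your own request.
PORTS = [80, 443, 903, 8443].freeze

# Newer Ruby versions may raise IO::TimeoutError instead of Errno::ETIMEDOUT.
TIMEOUT_ERRORS = [Errno::ETIMEDOUT,
                  (IO::TimeoutError if defined?(IO::TimeoutError))].compact.freeze

# Classify one TCP connect attempt from this machine to host:port.
#   :open        - handshake completed, something is listening
#   :refused     - host answered with a reset: the path is open, nothing listens
#   :filtered    - no answer within the timeout: typical of a firewall drop rule
#   :unreachable - no route to the host or network
#   :dns_error   - the host name did not resolve
def probe(host, port, timeout = 3)
  Socket.tcp(host, port, connect_timeout: timeout) { :open }
rescue Errno::ECONNREFUSED
  :refused
rescue *TIMEOUT_ERRORS
  :filtered
rescue Errno::EHOSTUNREACH, Errno::ENETUNREACH
  :unreachable
rescue SocketError
  :dns_error
end

# Probe every port and return a { port => state } hash.
def probe_all(host, ports = PORTS, timeout = 3)
  ports.map { |port| [port, probe(host, port, timeout)] }.to_h
end

# Command-line use: ruby portcheck.rb <vcenter-host>
if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  probe_all(ARGV[0]).each { |port, state| puts format('%-5d %s', port, state) }
end
```

A `:filtered` result on 443 from the worker that validates the credentials, alongside `:open` from a machine on the vCenter's own subnet, points at the firewall rather than at the credentials.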