vCloud Networking and Security 5.1.1 Release Notes

vCloud Networking and Security 5.1.1 | 25 OCTOBER 2012 | Build 848085

What's in the Release Notes

The release notes cover the following topics:

What's New

You should upgrade to the vCloud Networking and Security 5.1.1 release if you come across any of these issues:

  • vShield Edge 5.1 runs into a disk full state approximately 14 days after the first vShield Edge appliance is deployed. For information on upgrading to the 5.1.1 release, see http://kb.vmware.com/kb/2034699.
  • Database migration for vShield App fails while upgrading from 5.0.1 to 5.1 due to an OutOfMemory error.

System Requirements and Installation

For information about system requirements and installation instructions, see the vShield Installation and Upgrade Guide.

Known Issues

The following known issues have been discovered through rigorous testing and will help you understand some behavior you might encounter in this release.

The known issues are grouped as follows:

General Issues

vShield Manager not reachable after network interface is disconnected and reconnected
vShield Manager is not synched with vCenter Server after you disconnect and reconnect the vShield Manager vNic.
Workaround: Reboot vShield Manager.

vShield Administrator role is broken
The vShield Administrator role cannot perform some operations on vShield Edge (create, configure, upgrade).
Workaround: If you had implemented role delegation in 5.0 or 5.0.1 release with vShield Administrator role, elevate the privilege of those users to Enterprise Administrator role.

vShield components install status is lost for hosts when you unprepare cluster for VXLAN virtual wires
vShield components (vShield App, vShield Endpoint, vShield Data Security) install status is not shown correctly if VXLAN virtual wire unpreparation is not followed by a reboot.
Workaround: Reboot the host after unpreparing a cluster.

vmservice-vswitch not deleted during uninstallation
Uninstalling vShield components does not delete the vmservice-vswitch. If required, you can delete it manually.

Old flows are reported on reinstalling vShield App on the same host
When vShield App is reinstalled on the same host, flows for the virtual machines that were reported for the previous vShield App are also reported on the current vShield App.

vShield Manager Issues

Configuring vShield Manager with a vCenter Server takes too long
After configuring vShield Manager with a vCenter Server, the UI does not refresh.
Workaround: Reload the page.

vShield Endpoint Issues

Incorrect Health Status for SVMs
When the last protected guest VM on a host is powered off and there are no remaining connections to an SVM, the status of the SVM is unknown. However, the vShield Endpoint Health and Alarms page erroneously reports the status of the SVM as either green or red.

vShield Endpoint health monitoring and vShield Data Security do not function properly when there are multiple virtual machines with the same UUID
When there are multiple virtual machines with the same UUID, vShield Endpoint reports only one virtual machine as protected and vShield Data Security violations may be reported on the wrong object.
Workaround: When you copy a VM, make sure to always indicate that you copied the VM so that a new UUID is generated. In addition, power cycle the VM once (no soft reboot) after the copy.

vShield App Issues

vShield App install fails in a scenario where one of the hosts is not part of the dvSwitch
Installation of vShield service virtual machines can fail in certain scenarios. Consider a scenario where there are two DRS-enabled clusters in a datacenter and each cluster has two hosts. You create a dvSwitch and add one host from each cluster into the dvSwitch successfully. If you now deploy a new virtual machine or install vShield Edge with its vNIC in a port group of that dvSwitch, the virtual machine is not created and the OVF file is not imported.
Workaround: If DRS is enabled, you must add at least two hosts from the same cluster in a dvSwitch.

vShield Edge Issues

vShield Edge statistics are reset if vShield Edge is redeployed or converted to compact, large or x-large.
vShield Edge statistics are reset to zero if you redeploy vShield Edge or change the vShield Edge appliance size or configuration. Also, statistics may be incorrect if any of the virtual machines are down when vShield Edge is in HA mode.

Windows 7 64-bit computers not accessible after full tunnel logout
In full tunnel mode, the default gateway changes so that all traffic is sent over the VPN tunnel. When you log out from the SSL VPN client, the default gateway is not restored to its original value on computers running Windows Vista and later.
Workaround: Disable and enable the network adapter.

Unable to delete org vdc network due to vShield Manager response error
You cannot delete a resource pool if vShield Edge is installed on it.
Workaround: Edit the appliance configuration to reflect the new resource pool before deleting the resource pool.

vShield VXLAN Virtual Wire Issues

Cluster preparation fails if any host outside the cluster connected to same vDS is out of sync or not responding
During VXLAN virtual wire preparation, the vDS MTU configuration is set as part of the switch configuration (Prepare Infrastructure for VXLAN networking dialog box). If hosts are disconnected from the vDS, configuring the MTU value returns a failure from vCenter Server as the subset of hosts added to the DVS are unreachable when disconnected. This stops the remainder of VXLAN preparation.
Workaround: Reconnect all VXLAN hosts and prepare the cluster again.

VXLAN virtual wire VIB uninstall or upgrade requires host reboot
When deployed from vShield Manager, the uninstall and upgrade cases are displayed in the ESX Agent Manager agency status and in the vShield Manager UI.
Workaround: Reboot the host to proceed with the uninstall or upgrade of the VXLAN module.

VXLAN virtual wire preparation and service insertion deployment requires valid vCenter managed IP and FQDN
Workaround: Set a valid vCenter managed IP address and ensure that the FQDN is either resolvable or unset. The vCenter managed IP address is in vCenter Server Settings > Runtime Settings. The FQDN is visible through vCenter Server Settings > Advanced Settings > FQDN.

Cannot specify multiple VXLAN multicast address ranges while preparing your network for VXLAN virtual wires
Workaround: Specify multiple multicast address ranges using a REST call.

vShield Data Security Issues

vShield Data Security appliance becomes unreachable if backup restore is done on vShield Manager which is already connected to vCenter Server
Workaround: Restore the backup on a freshly deployed vShield Manager which is not connected to the vCenter Server.

Data security scan should not start until at least one regulation is added
If a new Data Security scan is started without choosing any regulations, the scan runs but no violations are detected.
Workaround: Add at least one regulation before running a data security scan.

State specific policies match US driver licenses from all states
If one of the US state policies is enabled in vShield Data Security, files containing driver's licenses from other states may be incorrectly identified as violating files.

Incorrect Health Status for SVM during installation
When the vShield Data Security SVM is being deployed by the vShield Manager, an alarm may be prematurely triggered for the SVM. The alarm is removed once the SVM is up and running.

Resolved Issues

The following issues have been resolved in the 5.1 release.

  • Restoring the backup of vShield Manager 5.1.1 fails intermittently
  • vShield Manager services are shut down during the restore and vShield Manager is rebooted after the restore.

  • vShield Edge appliance runs out of its disk space after running approximately for two weeks
  • Database migration failed while upgrading from 5.0.1 to 5.1 due to OutOfMemory
  • To resolve this issue, you must revert to older vShield Manager and then upgrade to 5.1.1 instead of 5.1.