ESXi Network Dump Collector in VMware vSphere 5.x/6.0 (1032051)
The VMware vSphere Network Dump Collector service allows for collecting diagnostic information from a host that experiences a critical fault and generates a purple diagnostic screen.
For more information on investigating the diagnostic information obtained, see Interpreting an ESX host purple diagnostic screen (1004250).
The VMware vSphere Network Dump Collector service enables a host to transmit diagnostic information via the network to a remote netdump service, which stores it on disk. Network-based coredump collection can be configured in addition to or instead of disk-based coredump collection. This may be useful in stateless environments with no local disk usable for a diagnostic partition.
The Dump Collector is available in two forms:
- vSphere ESXi Dump Collector service installed on Windows, possibly in the same location as vSphere vCenter Server.
- vSphere ESXi Dump Collector service pre-packaged with the vSphere vCenter Server Virtual Appliance.
When installed on Windows, the vSphere ESXi Dump Collector service can integrate with vCenter Server. The Dump Collector server's listening IP address and port number are listed in the Dump Collector vCenter Server plugin. This plugin is not available in a standalone installation of vSphere Dump Collector on Windows or in the vCenter Server Virtual Appliance.
Host and Collector Configuration
The host and collector service must both be configured prior to an outage in order to collect information from that outage.
- Configuring the Network Dump Collector service in vSphere 5.0 (2002954)
- Configuring an ESXi 5.0 host to capture a VMkernel coredump from a purple diagnostic screen via the Network Dump Collector (2002955)
Security and Network Considerations
Network Dump Collector does not work if the Management VMkernel port has been configured to use EtherChannel/LACP.
The netdump protocol is used for sending coredumps from a failed ESXi host to the Dump Collector service. This service only supports IPv4. By default, this service listens on UDP port 6500. The network traffic is not encrypted, and there is no authentication or authorization mechanism to ensure the integrity or validity of any data received by the Dump Collector service. It is recommended that the VMkernel network used for network coredump collection be physically or logically segmented (such as a separate LAN/VLAN) to ensure that the traffic is not intercepted.
vSphere ESXi 5.0
VLAN tagging may be utilized if configured at the physical switch port. The VLAN tagging options configured at the vSwitch level are ignored during network core dump transmission.
vSphere Distributed Switches (vDS) cannot be used for the VMkernel network interface used for network core dump transmission. For more information, see Network Dump Collector is not supported on vDS (2000781).
vSphere ESXi 5.1/5.5/6.0
The core dump transmission is tagged with the same VLAN configured for the selected interface. Standard vSwitches and Distributed vSwitches can be used for core dump transmissions. Teamed NICs can be used for core dump transmissions.
Operation and Troubleshooting
During a critical failure on a vSphere ESXi host, the host generates a purple diagnostic screen and attempts to write a coredump using either or both of the pre-configured DiskDump or NetDump mechanisms. If previously configured to NetDump to a Dump Collector, the host opens a connection from a VMkernel network to the remote IP on UDP port 6500, and transmits a compressed coredump.
The Dump Collector service receives the coredump and saves it to a file on its own disk in the zdump format. Files are organized into directories according to the sending host's IP address, such as data/10/11/12/13/zdump_10.11.12.13-yyyy-mm-dd-hh_mm-N. This information can be later investigated. For more information, see Interpreting an ESX host purple diagnostic screen (1004250).
By default, 2 GB of zdump diagnostic information is stored, with older dump files automatically deleted. The Dump Collector service has a non-configurable 60-second timeout: if no information is received in 60 seconds, the partial file is deleted.
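Because the collector accepts dumps without authentication and files them by sender IP, the stored paths can be audited against the network that is supposed to send coredumps. The following is an added example, not VMware code: it parses the path layout described above and flags dumps whose sender is outside an assumed coredump VLAN (10.11.12.0/24) or whose directory and filename disagree. The sample paths are constructed, and the trailing N is assumed to be a numeric sequence.

```python
import ipaddress
import re
from datetime import datetime

# Layout from the article: data/10/11/12/13/zdump_10.11.12.13-yyyy-mm-dd-hh_mm-N
# Assumption: the trailing N is a numeric sequence number.
ZDUMP_RE = re.compile(
    r"(?:^|/)data/(\d{1,3})/(\d{1,3})/(\d{1,3})/(\d{1,3})/"
    r"zdump_(\d{1,3}(?:\.\d{1,3}){3})-(\d{4}-\d{2}-\d{2}-\d{2}_\d{2})-(\d+)$"
)

# Constructed sample data: the allowed subnet and the paths are illustrative.
ALLOWED = [ipaddress.ip_network("10.11.12.0/24")]
SAMPLE_PATHS = [
    "data/10/11/12/13/zdump_10.11.12.13-2015-03-02-14_05-0",
    "data/192/168/50/7/zdump_192.168.50.7-2015-03-02-14_09-0",
    "data/10/11/12/14/zdump_10.11.12.13-2015-03-02-14_10-1",
]

def audit_zdump(path, allowed_networks):
    """Return (sender_ip, collector_time, findings) for one stored dump path."""
    m = ZDUMP_RE.search(path.replace("\\", "/"))
    if not m:
        return None, None, ["path does not match the zdump layout"]
    findings = []
    dir_ip, name_ip = ".".join(m.group(1, 2, 3, 4)), m.group(5)
    if dir_ip != name_ip:
        findings.append(f"directory IP {dir_ip} != filename IP {name_ip}")
    try:
        sender = ipaddress.IPv4Address(name_ip)
    except ipaddress.AddressValueError:
        return None, None, findings + [f"invalid IPv4 address {name_ip}"]
    if not any(sender in net for net in allowed_networks):
        findings.append(f"sender {sender} is outside the coredump VLAN")
    try:  # the timestamp is the collector's clock, not the ESXi host's
        received = datetime.strptime(m.group(6), "%Y-%m-%d-%H_%M")
    except ValueError:
        received = None
        findings.append(f"invalid timestamp {m.group(6)}")
    return sender, received, findings

def audit_all(paths, allowed_networks):
    """Map each path to its list of findings (an empty list means no issue)."""
    return {p: audit_zdump(p, allowed_networks)[2] for p in paths}

if __name__ == "__main__":
    for p, f in audit_all(SAMPLE_PATHS, ALLOWED).items():
        print(p, "OK" if not f else "; ".join(f))
```

The sender IP in the path comes from an unauthenticated UDP source address, so a finding here is a prompt to check network segmentation rather than proof of which host sent the dump.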
If the ESXi host is unable to reach the Dump Collector server during an outage, see Troubleshooting the Network Dump Collector service in vSphere 5.0 (2003042).
Logging and Increased Verbosity
The Dump Collector service logs information to disk during startup and while receiving coredumps over the network. The date and timestamps in the Dump Collector logs and received zdump filenames reflect the time on the server running the Dump Collector, not the time on the ESXi host which supplied the coredump. For more information, see Location of vSphere ESXi Dump Collector log files (2003277). To increase the verbosity of the Dump Collector service logs, see Configuring the Network Dump Collector service in vSphere 5.0 (2002954).