Search the VMware Knowledge Base (KB)
View by Article ID

Connecting to a resource using the Remote Console (VMRC) option in VMware vRealize Automation 6.2.1 fails with the error: Cannot establish a remote console connection (2114235)

  • 8 Ratings

Symptoms

When connecting to a resource using the Remote Console (VMRC) option in vRealize Automation, you may experience these symptoms:
  • Cannot connect to a resource using the Remove Console (VMRC) in VMware vRealize Automation.
  • Connecting to a resource using VMRC in VMware vRealize Automation fails
  • You see a blank screen.
  • You see the error:

    Cannot establish a remote console connection , verify that the machine is powered on if the server has self-signed certificate, you might need to accept certificate, then close and retry the connection.

Purpose

This article will provide details on how the VMRC brokering works through vRA including required prerequisites and troubleshooting tips for identifying and resolving problems.

Resolution

Prerequisites for successful VMRC connections:
  • Network traffic must be allowed between vRealize Automation appliance(s) and the ESXi server over port 902.
  • Network traffic must be allowed between vRealize Automation appliance(s) and the client browser over port 8444.
  • Certificate trust between the client browser and the vRealize Automation appliance(s).
  • Certificate trust between vRealize Automation appliance(s) and the ESXi server must be established or you will see SSL handshake failures in the catalina.out (after increasing the console-proxy logging level).
  • Client browser must have WebSockets support enabled (this is usually on by default)
  • Servers must be resolvable by name between vRealize Automation and ESXi.
  • If using vCD, the VMRC plugin must be installed and allowed in the client browser.

How VMRC communication works (in relation to vRealize Automation):
  • When you choose Connect to Remote Console from the browser, a new window or tab will come up with a session initiated between your browser and port 8444 on the vRealize Automation appliance your session is running on.  If you choose Connect using VMRC, vRealize Automation will attempt to use the installable VMRC client instead of a proxied window.
  • vRealize Automation then initiates a TCP secure (SSL trusted) handshake to the ESXi host that the VM resides on using port 902.  
  • Once the handshake is accepted, a session is established between a random port on vRealize Automation and port 902 on the ESXi host.  
  • The session is then presented to the browser through the new window or browser over port 8444.
How it works from the vCenter thick client (briefly):
  • When you open a console, the 902 session is established directly between your client and ESXi.
How it works from the vSphere web client (briefly):
  • When you open a console, the 902 session is established between the vCenter Web Client server and ESXi and the session is brokered to your browser similiarly to vRealize Automation.


Troubleshooting Methodology:
  • You will first need to identify if the problem is occurring in vRealize Automation, vCenter, or a specific ESXi host by testing VMRC connections to various vCenters and hosts.  
  • Then you will want to confirm prerequisites using ping, netstat, curl, and checking browser settings, etc.
Troubleshooting VMRC issues in vRealize Automation:
Increase logging for the console proxy service temporarily for testing:
  1. SSH into the vRealize Automation appliance(s) and edit the file: /usr/lib/vcac/server/webapps/console-proxy-service/WEB-INF/classes/log4j2.xml
  2. Add the following line to the top of the <Loggers> section: <Logger name="com.vmware.consoleproxy" level="all" includeLocation="true"/>
  3. Be sure to remove this line after testing (or change the level to "info" to avoid filling up your vRealize Automation logs)
  4. Monitor the console proxy logs by then running the command: tail -f /var/log/vcac/catalina.out | grep "console-proxy"
Network troubleshooting:
  1. SSH into the vRealize Automation appliance(s) and confirm that you can:
    • Ping the ESXi hosts by name.
    • Connect to port 902 on the ESXi host by using the command 'curl -vvv telnet://IP of ESXi:902'.  You can also use 'nc6 IP of ESXi 902'
    • Look for open 902 sessions on vRealize Automation by running the command 'netstat -anp | grep 902'
  2. SSH into the ESXi server and confirm that you can:
    • Ping the vRealize Automation hosts by name.
    • Look for open 902 sessions on the ESXi server by running the command 'esxcli network ip connection list'
Certificate troubleshooting:
  1. Navigate to the ESXi host certificate by navigating to https://FQDN-orIP-ofHOST.  
  2. Review certificate details to confirm validity and that the certificate would be trusted by the vRealize Automation appliance(s).  If the certificate was issued by vCenter (default behavior), copy the SSL thumbprint.
  3. Compare the host certificate thumbprint to the VPX_HOST table EXPECTED_SSL_THUMBPRINT and HOST_SSL_THUMBPRINT to verify that the certificate matches.  If it does not, then the problem may be that the host certificate has been updated and is not secure when vRA attempts to make the handshake.

Note: If multiple DNS entries exists for ESXi in DNS settings, add all host FQDN in /etc/hosts file.


Additional Information

To  be alerted when this article is updated, click Subscribe to Document in the Actions box.
 
To enable support for SSLv3 in ESXi 6.x, refer to the KB 2121021

See Also

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 8 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)




Please enter the Captcha code before clicking Submit.
  • 8 Ratings
Actions
KB: