Tuesday, December 15, 2015

Hosts don't reconnect after VUM upgrade to build 3248547

Recently VMware disabled SSLv3 protocol in vCenter/ESXi 5.5u3b.

A side effect of this is that, as noted in the interoperability matrix, vCenter 5.5u3b is needed to manage ESXi 5.5u3b hosts.


Trouble is: if you use VUM to update your hosts, you usually end up in a situation where vCenter is upgraded much less often than the ESXi hosts, and you may still be running vCenter < 5.5u3b when VUM pushes you the patches that bring ESXi to 5.5u3b.

If you upgrade the hosts with VUM, after the reboot:
- vCenter will not be able to reconnect them
- you will receive "vim.fault.NoHost" errors when trying to reconnect them manually
- you will be able to connect normally to the host by vSphere client
- you will find SSL errors in the vCenter vpxd.log, basically in the form of "SSL short read" faults.



Explanation:

The reason behind the error is given in the release notes:

The release notes point to KB 2139396, which describes the steps needed to *REENABLE* the disabled protocols: this is obviously discouraged, but it is an effective workaround to bring the hosts back online in vCenter until vCenter itself can be upgraded to 5.5u3b.


Workaround: *USE AT YOUR OWN RISK*

To "fix" the hosts you have to follow the steps in the KB that relate to ESXi, *NOT* those that refer to vCenter.

Kb:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2139396

So (follow the more precise instructions in the KB):
- enable SSH via the vSphere client on the disconnected hosts
- connect to the hosts with PuTTY/ssh as root
- Follow the steps in the chapter "Hostd - Port 443" of the KB (edit config.xml and add the indicated options)
- Ignore the "HostProfile" part since it matters only if you use autodeploy or host templates
- Follow the steps in the chapter "Authd - Port 902" of the KB (esxcli with the indicated options, restart the watchdog)
- Ignore the "HostProfile" part since it matters only if you use autodeploy or host templates
- Follow the steps in the chapter "SFCBD - Port 5989" of the KB (edit sfcb.cfg and add the indicated options, restart the watchdog)
- Ignore the "HostProfile" part since it matters only if you use autodeploy or host templates

If vSAN is in use, the chapters "Virtual SAN VP - Port 8080" and "Virtual SAN Observer - Port 8010" should also be followed, but I don't advise messing with these configs on a vSAN-enabled cluster!!!

*IN THEORY* this works fine, but I don't advise this workaround in production or in a supported environment, since your system will be *OUT OF THE INTEROPERABILITY MATRIX* and you will re-expose your system to the POODLE vulnerability.

The best option is probably to leave the upgraded ESXi disconnected and upgrade vCenter to 5.5u3b.
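A way to check from a management workstation whether a host still accepts SSLv3 on the ports the KB covers, for example to confirm the workaround has really been reverted once vCenter is on 5.5u3b. This is an added check, not from the post or from VMware's KB: it sends a minimal SSLv3 ClientHello and classifies the reply. It only probes hostd (443) and sfcbd (5989), which speak TLS directly; authd on 902 sends its own text banner before TLS, so it is not covered here.

```python
import socket
import struct

# Ports from the KB chapters that speak TLS directly (authd on 902 does not).
ESXI_TLS_PORTS = {"hostd": 443, "sfcbd": 5989}

def build_sslv3_client_hello(client_random=b"\x00" * 32):
    """Minimal SSLv3 ClientHello: version 3.0, empty session id, a few
    widely implemented RSA cipher suites, null compression, no extensions."""
    suites = bytes.fromhex("002f" "0035" "000a" "0005")  # AES128, AES256, 3DES, RC4 with RSA
    body = b"\x03\x00" + client_random + b"\x00"          # version, random, session id length 0
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                   # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello + 3-byte length
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake  # handshake record, v3.0

def classify_response(data):
    """Interpret the first record a server returns for the SSLv3 ClientHello."""
    if not data:
        return "closed"            # a host with SSLv3 disabled typically just drops the connection
    if len(data) < 5:
        return "unknown"
    ctype, major, minor = data[0], data[1], data[2]
    if ctype == 0x16 and (major, minor) == (3, 0) and len(data) > 5 and data[5] == 0x02:
        return "sslv3-accepted"    # ServerHello negotiated at version 3.0: the workaround is active
    if ctype == 0x15:
        return "sslv3-rejected"    # alert record (handshake_failure or protocol_version)
    return "unknown"

def probe_sslv3(host, port, timeout=5.0):
    """Connect, send the ClientHello and classify whatever comes back (or does not)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello())
        try:
            data = s.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)

if __name__ == "__main__":
    import sys
    host = sys.argv[1]   # ESXi host name or IP given on the command line
    for name, port in ESXI_TLS_PORTS.items():
        print(f"{host}:{port} ({name}): {probe_sslv3(host, port)}")
```

Expect "closed" or "sslv3-rejected" on a host that has been put back to the 5.5u3b defaults; "sslv3-accepted" means the config.xml/sfcb.cfg changes from the KB are still in place.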

