VMware Cloud Community
malammouri
Contributor

Trend Micro deep security virtual appliance and HA configuration

Hello Team,

One step of deploying the Trend Micro Deep Security virtual appliance is to disable HA on the cluster. Can you please explain what the reason is for disabling it?

If you do this step and try to enable HA again, vCenter will give you an error message that there are insufficient vSphere HA failover resources.

Thank you,

Mohammad


Accepted Solutions
zXi_Gamer
Virtuoso

I am not asking to disable HA. I am suggesting that the VM power-on setting is enabled by HA by default, so any new VM which does not match the HA requirements is not allowed to power on.

Right-click on the cluster > Cluster Features > vSphere HA > check Disable: "Allow VM power on operations that violate availability constraints".

Could this be a problem of vSphere?

This could not be the problem of vSphere. But it is a feature in vSphere.

10 Replies
zXi_Gamer
Virtuoso

Hi, welcome to the forums.

One step of deploying the Trend Micro Deep Security virtual appliance is to disable HA on the cluster. Can you please explain what the reason is for disabling it?

I am not sure about the requirement of disabling HA. From what I have read in the dsva documentation:

"If you intend to take advantage of VMware High Availability (HA) capabilities, make sure that the HA environment is established before you begin installing Deep Security. All ESX servers used for recovery operations must be imported into the Deep Security Manager with their vCenter, they must be 'prepared', and a Deep Security Virtual Appliance must be installed on each one. This will ensure that Deep Security protection will remain in effect after a HA recovery operation."

If you do this step and try to enable HA again, vCenter will give you an error message that there are insufficient vSphere HA failover resources.

The above is an HA-related setting that can be changed. Right-click on the cluster > Cluster Features > vSphere HA > check Disable: "Allow VM power on operations that violate availability constraints".

JonathanG
Enthusiast

You don't need to disable HA.

Install one Trend Micro appliance on each ESX/ESXi server.

Ensure that the appliance does not migrate to another server (using DRS). So either disable vMotion for the appliance or install the appliance on local storage (not shared).

malammouri
Contributor

Thanks for the reply, guys. The problem is that once the first virtual appliance is deployed, the insufficient resources error message appears on every new virtual machine/appliance to be powered on (unless we disable admission control for violating VMs). Disabling HA or DRS for these virtual appliances won't make any difference.

We also tried to deploy a non-Trend Micro virtual appliance and got the same result.

Could this be a problem of vSphere?

We are currently running vSphere 5 update 1.

Regards,

zXi_Gamer
Virtuoso

I am not asking to disable HA. I am suggesting that the VM power-on setting is enabled by HA by default, so any new VM which does not match the HA requirements is not allowed to power on.

Right-click on the cluster > Cluster Features > vSphere HA > check Disable: "Allow VM power on operations that violate availability constraints".

Could this be a problem of vSphere?

This could not be the problem of vSphere. But it is a feature in vSphere.

malammouri
Contributor

Hello zXi<http://communities.vmware.com/people/zXi_Gamer>,

I’m doing the same to get rid of this error message and I know this is a feature of vSphere. The question is why we are getting this error message although there are enough resources for HA (two hosts up and running in a cluster).

We have this problem only when we have a virtual appliance deployed on one of the two hosts that we are using. When you power off this virtual appliance, everything works just fine.

Regards,

JonathanG
Enthusiast

How much memory/CPU is on each ESXi host?

You could reduce the memory allocated to Trend Micro, but that would negatively impact performance.

malammouri
Contributor

32GB on each host. Appliances have 2GB of memory. Also if you reserve much less than this we have the same problem.

JonathanG
Enthusiast

You may want to review resource pools or other allocations of memory/CPU allocations/reservations.

Henrique_Cicuto
Enthusiast

I think this "disable HA" recommendation may be related to each appliance being somewhat attached or something to a specific host. If that's the case, I think it would be a nice test to disable HA restart for those specific appliances (Cluster Settings > VMware HA > Virtual Machine Options > for each VM > VM Restart Priority > change from "Use cluster settings" to "Disabled").

JonathanG
Enthusiast

The Deep Security appliance must be tied to the ESXi host it protects, and not vMotion to other hosts.

This can be done with a DRS rule or by installing the appliance to local disk storage (not shared).