While "patching (updating)" and "upgrading" often refer to the same procedure, for VMware vCenter Server Appliance (VCSA) High Availability (HA) configuration, they don't refer to the same thing. The process of upgrading or patching differs for this kind of infrastructure.

Patching usually means deploying cumulative patches via .iso files attached to the VCSA virtual machine (VM). Upgrading means VCSA reaches a significant upgrade (for example, you upgrade from 6.5 to 6.7), and the process usually differs. You usually perform an upgrade via the user interface (UI), or you can script it.

Patching VCSA configured with HA needs some considerations and some guidance.

First, let me first explain what VCSA HA is. For some time now, VMware VCSA has been able to set up an HA environment for the vCenter Server application. This architecture has a semiautomatic process where the system creates a clone of the active node—which will become a passive node—and puts in place a third node called a witness node.

Thus, it basically clones VCSA to create passive and witness nodes and replicates updated data between the active and passive nodes.

You'll have three nodes running on three different hosts, so in case of failure, VCSA fails over to the passive node, which becomes the active node.

vCenter Server Appliance High Availability

vCenter Server Appliance High Availability

Once the passive node takes over as active, it creates a new passive node automatically. All three nodes communicate through a separate network and are in sync. The passive node continuously receives data flowing from the active node.

To patch such a system, you must proceed as follows:

  1. Patch the witness node first
  2. Patch the passive node
  3. Do a manual failover (the passive node becomes active)
  4. Patch the new passive node

But let's look into further details, including downloading the right .iso files from the VMware patch portal.

Steps to patch the VMware VCSA HA solution ^

First, download the latest VCSA patch from the VMware patch download center and select VC from the Search by Product drop-down menu and then vSphere 6.7.

Second, you'll need to put vCenter HA into maintenance mode. Go to Settings and select vCenter HA > Edit > Maintenance Mode.

VCSA HA maintenance mode

VCSA HA maintenance mode

Third, you'll need to attach the .iso file to the witness appliance VM, connect to the appliance via PuTTY through a Secure Shell (SSH) session or enter directly into the console:

software-packages install --iso --acceptEulas

Then exit SSH, disconnect the .iso, and reboot the witness VM.

Fourth, attach the .iso to the passive node and patch the passive node via the same steps as above.

Fifth, initiate a manual failover via Settings > vCenter HA > Initiate Failover.

The current passive node will become an active node.

Sixth, the same as the fourth step, you'll need to attach the .iso to the passive node again and patch the passive node via the same steps as above.

In the final step, exit the VCSA HA maintenance mode.

Follow this method for upgrading ^

Log in to the active node VCSA and click Configure. Under Settings, select vCenter HA and click Remove VCHA.

This removes the vCenter HA cluster's configuration from the active, passive, and witness nodes.

You can choose to Delete the passive and witness nodes.

This basically destroys the VCSA HA cluster. You can then easily upgrade the single active remaining VCSA. You can upgrade via .iso or via the internet by connecting to the VCSA administration page using the vCenter Server Appliance Management Interface (VAMI) over port 5480.

Note: In both cases, you should create a backup of your VCSA via your usual backup software and via the built-in file-level backup—just in case something goes wrong.

Once you've finished upgrading VCSA, recreate the VCSA HA cluster. You've already created the necessary networking, so recreating the VCSA HA cluster isn't difficult, and you simply follow the built-in assistant through the steps.

Final words ^

VMware has built this solution to protect the vCenter Server application against failures. However, consider this only for larger environments because the passive and witness nodes consume valuable system resources (memory, CPU, and storage).

If you're running only small-to-medium environments, you can simply rely on the vSphere HA mechanism, which restarts VCSA on another host.

vCenter HA protects VCSA against host and hardware failures. The solution's active-passive architecture can also help you reduce downtime significantly when you patch VCSA because you always have one active node online and your team can continue to work.

Remember, the vCenter HA network must be on a different subnet than the management network, and you need to have a network latency less than 10 ms between the active, passive, and witness nodes.

Just as a side note, vCenter HA requires a single vCenter Server license only. But it must be a vCenter Server Standard license.

In addition, I strongly recommend a minimum of three ESXi hosts where each vCenter HA node can then run on a different host for better protection.

Subscribe to 4sysops newsletter!

While you can set up your vCenter HA environment with an external Platform Services Controller (PSC), I think you should know VMware is phasing out the external PSC architectures. Thus, I recommend proceeding with the built-in VCSA utility and migrating your external PSC to an embedded one.

  1. Jan 2 years ago

    Hello Vladan,


    the following link from the VMware documentation states that you have to remove the VCSA HA configuration before patching, then recreating afterwards. Does this only apply to the recent version 6.7 U3? Or is your procedure just a working yet not officially supported way to patch the VCSA HA appliances?





    • Author
      Vladan SEGET 2 years ago

      Yes, it seems that things has changed. Use the second part of the article only. Remove the HA config > Patch/upgrade > Activate the HA again. One say "Keep it simple" KISS strategy is the best. 

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2022


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account