VMware | 95208

Failed to connect to VDI with BLAST when UAG uses self-signed certificate and loadbalancer is between Client and UAG

Last update date:

4/1/2024

Affected products:

Horizon

Affected releases:

No affected releases provided.

Fixed releases:

No fixed releases provided.

Description:

Symptoms

Horizon Client fails to connect to VDI with BLAST.
A load balancer is deployed between Horizon Client and UAG.
On the UAG nodes, the default self-signed certificate is used, whose CN is localhost.

Cause

In bsg.log on UAG, the certificate thumbprint of each UAG can be captured individually, e.g.:

uag1:
[2023-09-22 06:51:28.829] [INFO] 1008 [absg-master] - Certificate SHA-256 thumbprint is 22 42 69 6D F9 2A 36 B0 D0 FE 73 88 3B DA 2E 92 60 3D D1 9F 43 28 F0 1F ED 43 E4 9C 3F 0C 70 16

uag2:
[2023-09-22 06:51:52.088] [INFO] 1012 [absg-master] - Certificate SHA-256 thumbprint is AD 30 09 D2 7E 92 05 74 AE C0 01 3D 76 53 C8 28 73 80 A8 6A 9A 29 4A E3 70 86 3A 64 7E B4 D8 A9

On the Horizon Client side, when the connection fails:

In vmware-horizon-viewclient-xxxx-xx-xx-xxxxxx.txt:
2023-10-10T16:40:00.017+08:00 INFO (28D8) [WinCDK] PCoIPWindow::CreateRemoteWindow : Window(06E2F9A8) connected to remoteMKS process 8956 successfully.
2023-10-10T16:40:05.603+08:00 INFO (28D8) [WinCDK] PCoIPWindow::OnConnectionStateChanged : Receive new connection state = 0 ,stateReason = 1

In vmware-mks-8956.log (the process ID 8956 can be obtained from vmware-horizon-viewclient-xxxx-xx-xx-xxxxxx.txt):
2023-10-10T16:40:05.602+08:00| blastSocket| W003+ * self signed certificate
2023-10-10T16:40:05.602+08:00| blastSocket| W003: SOCKET 4 (2008) Expected thumbprint doesn't match actual thumbprint.
2023-10-10T16:40:05.602+08:00| blastSocket| W003: Expected thumbprint is: AD:30:09:D2:7E:92:05:74:AE:C0:01:3D:76:53:C8:28:73:80:A8:6A:9A:29:4A:E3:70:86:3A:64:7E:B4:D8:A9
2023-10-10T16:40:05.602+08:00| blastSocket| W003+ Actual thumbprint is: 22:42:69:6D:F9:2A:36:B0:D0:FE:73:88:3B:DA:2E:92:60:3D:D1:9F:43:28:F0:1F:ED:43:E4:9C:3F:0C:70:16
2023-10-10T16:40:05.602+08:00| blastSocket| W003: SOCKET 4 (2008) Cannot verify target host.
2023-10-10T16:40:05.602+08:00| blastSocket| I005: [BlastSocketClient] BlastSocketClientHandleSocketError: ClientContext:21639DD7D30, vvcSessionId:-2: received socket error on asock: 21639E53DC0, asockId: 4, error: 13
2023-10-10T16:40:05.602+08:00| blastSocket| I005: [BlastSocketClient] BlastSocketClientIsPeerRejected: WebSocketError: 0, isPeerRejected: No
2023-10-10T16:40:05.602+08:00| blastSocket| I005: [BlastSocketClient] BlastSocketClientHandleSocketError: Error before primarySocket connect, so closing BlastSocketClientContext: 21639DD7D30
2023-10-10T16:40:05.603+08:00| blastSocket| I005: [BlastSocketClient] BlastSocketClientClose: Closing BlastSocketClientContext: 21639DD7D30, reason: 4
2023-10-10T16:40:05.603+08:00| blastSocket| I005: [BlastSocketClient] BlastSocketClientClose: Closed BlastSocketClientContext: 21639DD7D30, reason: 4
2023-10-10T16:40:05.603+08:00| blastSocket| I005: VIEWCLIENT: VNCClientBlastSocketClientClosed reason: 4
2023-10-10T16:40:05.603+08:00| blastSocket| I005: VIEWCLIENT: Blast Network Continuity Enabled: No

In vmware-mks-8956.log, the Expected thumbprint is uag2's thumbprint, while the Actual thumbprint is uag1's thumbprint.

In the Windows certificate store on the machine where Horizon Client is installed, several certificates with CN "localhost" can be found.
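
The comparison described above can be automated. The following is an added example, not VMware's or this page's own code: it normalizes the thumbprints found in each UAG's bsg.log and in the client's vmware-mks log, then reports which UAG the client expected and which one actually answered. The function and variable names are hypothetical; the sample lines are the ones quoted in this article.

```python
import re

# Sample lines taken from the log excerpts quoted in this article.
BSG_LOGS = {
    "uag1": "[2023-09-22 06:51:28.829] [INFO] 1008 [absg-master] - Certificate SHA-256 thumbprint is 22 42 69 6D F9 2A 36 B0 D0 FE 73 88 3B DA 2E 92 60 3D D1 9F 43 28 F0 1F ED 43 E4 9C 3F 0C 70 16",
    "uag2": "[2023-09-22 06:51:52.088] [INFO] 1012 [absg-master] - Certificate SHA-256 thumbprint is AD 30 09 D2 7E 92 05 74 AE C0 01 3D 76 53 C8 28 73 80 A8 6A 9A 29 4A E3 70 86 3A 64 7E B4 D8 A9",
}
MKS_LOG = (
    "2023-10-10T16:40:05.602+08:00| blastSocket| W003: SOCKET 4 (2008) Expected thumbprint doesn't match actual thumbprint.\n"
    "2023-10-10T16:40:05.602+08:00| blastSocket| W003: Expected thumbprint is: AD:30:09:D2:7E:92:05:74:AE:C0:01:3D:76:53:C8:28:73:80:A8:6A:9A:29:4A:E3:70:86:3A:64:7E:B4:D8:A9\n"
    "2023-10-10T16:40:05.602+08:00| blastSocket| W003+ Actual thumbprint is: 22:42:69:6D:F9:2A:36:B0:D0:FE:73:88:3B:DA:2E:92:60:3D:D1:9F:43:28:F0:1F:ED:43:E4:9C:3F:0C:70:16\n"
)

# A SHA-256 thumbprint: 32 hex byte pairs separated by spaces (bsg.log) or colons (mks log).
HEX_RUN = r"((?:[0-9A-Fa-f]{2}[ :]){31}[0-9A-Fa-f]{2})"
BSG_RE = re.compile(r"Certificate SHA-256 thumbprint is " + HEX_RUN)
MKS_RE = re.compile(r"(Expected|Actual) thumbprint is: " + HEX_RUN)


def normalize(thumbprint):
    """Reduce 'AA BB' or 'AA:BB' notation to bare uppercase hex so both logs compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", thumbprint).upper()


def uag_thumbprints(bsg_logs):
    """Map normalized thumbprint -> UAG name, using the most recent entry in each bsg.log."""
    known = {}
    for node, text in bsg_logs.items():
        found = BSG_RE.findall(text)
        if found:
            known[normalize(found[-1])] = node
    return known


def diagnose(mks_text, bsg_logs):
    """Return which UAG the client pinned and which it reached, or None if no thumbprints are logged."""
    known = uag_thumbprints(bsg_logs)
    seen = {kind.lower(): normalize(tp) for kind, tp in MKS_RE.findall(mks_text)}
    if "expected" not in seen or "actual" not in seen:
        return None
    return {
        "pinned_to": known.get(seen["expected"], "unknown"),
        "reached": known.get(seen["actual"], "unknown"),
        "mismatch": seen["expected"] != seen["actual"],
    }


if __name__ == "__main__":
    print(diagnose(MKS_LOG, BSG_LOGS))
```

A result of "unknown" for either side means the thumbprint in the client log does not belong to any UAG whose bsg.log was supplied.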

Resolution

Please refer to https://kb.vmware.com/s/article/91732. It is strongly recommended to replace UAG's self-signed certificate.

Workaround

If source IP hash is used on the load balancer, try removing all certificates whose CN is "localhost", then connect to VDI again.
