How to unlock VMware ESXi root account

Written By Christian Castagna (Administrator)

Updated on January 27th, 2025


→ Applies to: VMware ESXi 6.5 and above

 

Symptom

The VMware ESXi root account may be locked out after a password reset where the sync process fails to update all affected services. Some addresses may then keep using the old password until it is updated, and the resulting failed logins lock the account.

 

Solution

Step 1. Enable VMware ESXi Shell console

  • From IPMI, open remote console
  • From virtual keyboard, press CTRL+ALT+F2 (sometimes F2 only)
  • Log in with the correct root credentials

  • Open Troubleshooting Options menu

  • If the VMware ESXi Shell is already enabled, you'll find the following screen

  • If the VMware ESXi Shell is not enabled, select Enable ESXi Shell

 

Step 2. Access VMware ESXi Shell console

  • From virtual keyboard, press CTRL+ALT+F1
  • Log in with the correct root credentials

 

Step 3 (optional). Show the number of failed login attempts

pam_tally2 --user root

 

Step 4. Unlock root account

pam_tally2 --user root --reset

 

Step 5 (optional). Identify the address involved in the block

grep Rejected /var/log/hostd.log

EXAMPLE
In the example above, the address involved in the block is 10.1.1.29.
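
When several addresses appear in the grep output, a per-address tally shows which client is still sending the old password. The script below is an added example, not part of the original article: the function name `rejected_by_source` is hypothetical, the sample lines are constructed, and it assumes each matching line ends in "Rejected password for user <name> from <address>" and that awk and sort are available.

```shell
#!/bin/sh
# Added example: tally "Rejected password" events from hostd.log per user/address.

# Constructed sample lines (not real log data), shaped like hostd.log entries.
sample_hostd_log() {
cat <<'EOF'
2025-01-27T09:14:02.101Z info hostd[2099912] [Originator@6876 sub=Default opID=a1] Rejected password for user root from 10.1.1.29
2025-01-27T09:14:07.442Z info hostd[2099912] [Originator@6876 sub=Default opID=a2] Rejected password for user root from 10.1.1.29
2025-01-27T09:15:30.008Z info hostd[2099915] [Originator@6876 sub=Default opID=b7] Accepted password for user root from 10.1.1.5
2025-01-27T09:16:11.900Z info hostd[2099912] [Originator@6876 sub=Default opID=a3] Rejected password for user root from 10.1.1.29
2025-01-27T09:20:45.310Z warning hostd[2099920] [Originator@6876 sub=Default opID=c4] Rejected password for user monitor from 10.1.1.40
EOF
}

# rejected_by_source [FILE]
# Reads FILE (or stdin) and prints "count user address first_seen last_seen",
# one line per user/address pair, highest count first.
rejected_by_source() {
    awk '
        /Rejected password for user / {
            user = ""; addr = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "user") user = $(i + 1)
                if ($i == "from") addr = $(i + 1)
            }
            if (user == "" || addr == "") next   # skip truncated lines
            key = user " " addr
            if (!(key in n)) first[key] = $1     # timestamp of first rejection
            n[key]++
            last[key] = $1                       # timestamp of latest rejection
        }
        END {
            for (k in n) print n[k], k, first[k], last[k]
        }
    ' "$@" | sort -k1,1nr -k3,3
}

# With a path argument, analyse that file; otherwise use the constructed sample.
if [ -n "${1:-}" ]; then
    rejected_by_source "$1"
else
    sample_hostd_log | rejected_by_source
fi
```

An address whose last_seen timestamp keeps advancing after the Step 4 reset is still sending the old password and will lock the account again until its stored credentials are updated.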

 

Step 6. Exit VMware ESXi Shell console (press ALT+F2)