Introduction
When setting up a Veeam CDP policy and also using vCloud Director, the tenant account may not be able to choose the correct storage policy to assign to the CDP policy. When going through the CDP policy wizard, some or all of the storage policies may be missing as options to select for destination storage.
The Issue
When using vCloud Director for tenant accounts, the tenant’s VDC is assigned storage based on storage policies. When the Veeam CDP I/O filter is installed, Veeam automatically creates its own storage policy in VMware called Veeam CDP Replication. This policy uses host-based rules for replication and chooses veecdp as its provider.
Storage policies often select the storage itself based on something like tags. In this case, Veeam leverages the VMware I/O filters of the host and matches the policy based on which host or hosts have valid I/O filters; any storage connected to those hosts is then allowed. It is recommended to create your own custom storage policy that uses the same host-based replication rule, veecdp, as the policy Veeam creates automatically, and that also uses storage tagging to select which storage a specific tenant should use. Host-based rules and storage tagging can be used together.
Veeam installs and communicates the I/O filter through vCenter to know which hosts it can use. Sometimes, if an ESXi host has had its storage provider certificate updated recently, vCenter may not have automatically synchronized the changes, and furthermore, vCenter may have the old certificate data stuck in its database. This needs to be cleaned up and synchronized.
You can check vCenter’s status of the ESXi host’s I/O filter certificates here. If your state is inactive or shows the certificates expired, this may be your problem:
You can check the certificate installed on the ESXi host by using the URL provided by vCenter:
When going to the URL provided, you should be able to check your certificate to verify one is installed that is usable and not expired. Your browser may not trust this certificate, but this is used between vCenter and ESXi, so it’s only important that vCenter trusts it.
If your ESXi certificate has expired, then it needs to be renewed. If your ESXi certificate is valid but shows as invalid in vCenter, then vCenter needs to be updated manually. This document from Broadcom/VMware shows how to do this: https://knowledge.broadcom.com/external/article/318887/certain-iofilter-providers-are-showing-a.html
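The same check can be scripted per host. The sketch below is an added example, not part of the original article or any Veeam/VMware tooling: it reads the certificate served at the URL vCenter shows, extracts its expiry date, and maps the result onto the two cases above. The function names and `SAMPLE` (a constructed byte string, not a real certificate) are hypothetical.

```python
import socket, ssl
from datetime import datetime, timezone
from urllib.parse import urlsplit

def _tlv(der, pos):
    """Read one DER element; return (tag, body_start, body_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Return notAfter (UTC) from a DER-encoded X.509 certificate."""
    _, pos, _ = _tlv(der, 0)        # Certificate
    _, pos, _ = _tlv(der, pos)      # tbsCertificate
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                 # optional [0] version
        pos = end
    for _ in range(3):              # serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)      # validity
    _, _, pos = _tlv(der, pos)      # notBefore
    tag, start, end = _tlv(der, pos)
    utc = tag == 0x17               # UTCTime, otherwise GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if utc else "%Y%m%d%H%M%SZ"
    when = datetime.strptime(der[start:end].decode("ascii"), fmt)
    if utc and when.year >= 2050:   # RFC 5280: YY >= 50 means 19YY
        when = when.replace(year=when.year - 100)
    return when.replace(tzinfo=timezone.utc)

def fetch_der(url, timeout=5):
    """Read the certificate at url; trust is not checked, only vCenter must trust it."""
    u = urlsplit(url)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((u.hostname, u.port or 443), timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=u.hostname) as tls:
            return tls.getpeercert(binary_form=True)

def next_step(expires, vcenter_active, now=None):
    """Map certificate expiry and vCenter's provider state onto the two fixes."""
    if expires <= (now or datetime.now(timezone.utc)):
        return "renew the ESXi certificate"
    return "ok" if vcenter_active else "update vCenter manually (Broadcom KB 318887)"

# Constructed skeleton with a certificate's field layout (not a real certificate).
def _e(tag, body=b""):
    return bytes([tag, len(body)]) + body
SAMPLE = _e(0x30, _e(0x30, _e(0xA0, _e(2, b"\x02")) + _e(2, b"\x01") + _e(0x30) + _e(0x30)
            + _e(0x30, _e(0x17, b"240101000000Z") + _e(0x17, b"250101000000Z"))))
```

For a live host, call `next_step(not_after(fetch_der(url)), vcenter_active)` with the provider URL and state that vCenter displays for that host.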
Conclusion
When an ESXi host’s certificates are updated, vCenter doesn’t always update its own internal database with this information correctly. If this happens, vCenter may not recognize the ESXi hosts as having valid certificates for the I/O storage policies, which Veeam uses for CDP. This in turn prevents vCloud Director from using storage policies that rely on host-based I/O filters, so those policies will not show up for a vCloud Director tenant when creating a new Veeam CDP policy.