How to deploy a VMware vSAN Witness Appliance 7.0.x

After upgrading all of your ESXi hosts to v7.0, it is time to either upgrade the witness appliance or deploy a new one and introduce it to the cluster. The witness appliance is upgraded the same way as any other ESXi host, but that procedure can trigger a known bug in which the appliance loses its embedded witness license and switches to an evaluation license, so you might end up deploying a new appliance anyway.


First, download the latest vSAN Witness Appliance OVF template from the VMware website. Since the development of the new witness appliance is apparently not entirely finished, do not configure anything other than the required root password. Configuring any other option will leave you with an appliance that has no vSAN traffic switch, cannot communicate on the vSAN witness network, and cannot be repaired. Manually adding a second switch and configuring vmk1 will not resolve the issue.


Here is a summary of the correct steps to deploy a new witness appliance.

  1. Download VMware vSAN Witness Appliance OVF
  2. Log in to your VCSA
  3. Right-click on the vSAN cluster and select Deploy OVF Template
  4. Select Local File, click Browse, select the OVF file downloaded in step 1 and click Next
  5. Type in the vSAN Witness Host VM name and select the folder where your VM will be stored
  6. Select a compute resource for your VM. Note that cross-cluster deployments are not supported. Running a stretched cluster requires a quorum site.
  7. Accept EULA
  8. Select the deployment size according to your environment. Selecting a larger deployment size than necessary does not give any performance improvement.
  9. Select storage and storage policy
  10. Select networks (VLANs) for both management and witness traffic.
  11. Under Customize template, configure ONLY the root password! Leave all other fields empty!
  12. Deploy template
  13. Log in to your witness host via DCUI
  14. Configure the management network and test it. Make sure that you can ping the gateway and DNS server(s) and that you can resolve the hostname.
  15. Add the witness appliance as a standalone ESXi host to your VCSA. Note that the witness host cannot be placed in any cluster, but it must be within your datacenter in the VCSA hierarchy.
  16. Configure the Witness ESXi switch (secondarySwitch) MTU to 9000
  17. Configure the Witness ESXi witness traffic vmk port (vmk1) with either a static or a DHCP IP address.
  18. Enable SSH (Configure – Services – SSH – Start)
  19. Log in to your vSAN Witness Appliance via SSH
  20. Add a static route for the witness network
    # esxcli network ip route ipv4 add --gateway x.x.x.x --network x.x.x.x/xx
  21. Confirm that you can ping the vSAN witness traffic interface from your ESXi hosts.

Note that running the vSAN Witness Appliance in a stretched L2 subnet is not supported. The quorum site must be accessed via an L3 network.
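A pre-flight check for the route in step 20, added here as an example and not taken from VMware or the original post: it refuses to print the `esxcli` command when the gateway is not on the vmk1 subnet, when the `--network` value has host bits set, or when the witness and vSAN data networks overlap (which would mean an L2 rather than L3 path). The function names and all addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: validates the inputs for step 20 before the route is added.
# Written for a POSIX shell; all IP values passed to it are the caller's own.

# Convert a dotted-quad IPv4 address to an integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Network address (as an integer) of IP $1 with prefix length $2.
net_of() {
    mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
    echo $(( $(ip2int "$1") & mask ))
}

# witness_route VMK1_IP VMK1_PREFIX GATEWAY VSAN_NET VSAN_PREFIX
# Prints the esxcli command from step 20, or an error and a non-zero status.
witness_route() {
    vmk_ip=$1; vmk_pfx=$2; gw=$3; dnet=$4; dpfx=$5
    # The gateway must be directly reachable from vmk1.
    if [ "$(net_of "$gw" "$vmk_pfx")" != "$(net_of "$vmk_ip" "$vmk_pfx")" ]; then
        echo "gateway $gw is not in the vmk1 subnet" >&2; return 1
    fi
    # --network expects a network address, not a host address.
    if [ "$(net_of "$dnet" "$dpfx")" != "$(ip2int "$dnet")" ]; then
        echo "$dnet/$dpfx has host bits set" >&2; return 1
    fi
    # L3 requirement: compare both networks at the shorter prefix length.
    if [ "$vmk_pfx" -lt "$dpfx" ]; then short=$vmk_pfx; else short=$dpfx; fi
    if [ "$(net_of "$vmk_ip" "$short")" = "$(net_of "$dnet" "$short")" ]; then
        echo "witness and vSAN networks overlap (L2, not L3)" >&2; return 1
    fi
    echo "esxcli network ip route ipv4 add --gateway $gw --network $dnet/$dpfx"
}
```

For example, `witness_route 192.168.110.10 24 192.168.110.1 172.16.20.0 24` (constructed addresses) prints the command to run on the witness host.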
