Compatibility Issue During Migration from Intel Skylake to Ice Lake

Are you getting the error below when trying to migrate between Intel Skylake and Ice Lake processors?

Memory Protection Extensions (MPX) are unsupported.
The host cannot be admitted to the cluster's current Enhanced vMotion Compatibility mode. Powered-on or suspended virtual machines on the host may be using CPU features.

Well, you are not alone, and here is why and what to do about it! But first: what is “Intel Memory Protection Extensions” (MPX)?

Intel MPX (Memory Protection Extensions) is a hardware-based security feature introduced by Intel in its processors to help prevent buffer overflow attacks. MPX was first introduced in the Intel Skylake processor architecture.

But what was the goal? Well, developers could use this feature to enhance the security of their software, particularly in applications that handle sensitive data, such as financial applications, or those prone to buffer overflow attacks, such as web servers.

Why are you getting this?

Intel has announced plans to deprecate MPX in future processor generations. Yup, that’s right: MPX only lasted one CPU generation.

Starting with ESXi 6.7 P02 and ESXi 7.0 GA, in order to minimize disruptions during future upgrades, VMware will no longer expose MPX by default to VMs at power-on, and MPX is not included at the EVC baseline level. This issue only occurs on VMs over HW version 12, which is pretty much any new VM created in ESX 6.5 or above.

What to do if you get the error?

Well, you have a few options! I wouldn’t say any of them are great, but you’ve got options.

Option 1: Re-enable MPX per VM

  • To do this, you will need to edit the VM’s “.vmx” file and add “cpuid.enableMPX = TRUE”. After making the edit, perform a full power cycle, not just a reboot or guest OS reboot, to ensure the VM has the correct CPU properties. More information on this can be found in VMware KB 76799.

Option 2: Cold Migrate (storage and compute resources at the same time)

  • With this option, you move your VM’s CPU, memory, and storage to a new host/storage array at the same time, but there will be downtime.
    • To do this, power off the VM, migrate the VM (compute and storage) to the new host/storage, and then power it back on.
    • The VM will migrate faster because it is not doing anything.
    • This option is necessary when moving to an HCI platform or new storage array.

Option 3: Two options that are the same, sort of

  • Option 3a: Moving to a different or new storage array.
    • Here, you would storage migrate your VM to a new storage container, power it off, unregister it from vCenter, re-register it in the new cluster, and then power it on.
  • Option 3b: Not moving to a different or new storage array.
    • With this option, your new hosts would have access to the same storage array as the old hosts. To do this, power off the VM, unregister it from vCenter, register it in the new cluster, and then power it on.
      • This is a bit easier and downtime is a lot less because there is no storage migration; the VM is already where it is supposed to be.

If you are not sure how to unregister/register VMs in vCenter, here is a link that should help.

I can already hear the question: What about EVC? Why can’t I just turn on EVC and not worry about this?

That is a great question. You can use EVC, but it will have to be done at the VM level. For more information on that, check out the VMware documentation here. This is only available on ESXi/vCenter 6.7 and above, and the VM has to be at hardware version 14 or above.

It’s worth noting you can’t have EVC enabled on both the cluster and the VM; it’s one or the other.

It’s better to use one of the options above; you will keep your hair and sanity intact.

How do you check if MPX is enabled or disabled?

Luckily, I have made a PowerShell script to help; it can be found here on my GitHub. To run it, you must have PowerShell v5+ and VMware PowerCLI installed.

To find which VMs have MPX enabled (true) or disabled (false), you will need to run “find-mpx-enabled-vms.ps1”. This script will export a list of VMs, their MPX status, and their hardware version to a CSV file. The VMs that are set to TRUE can be vMotioned to another cluster with no work. For the VMs that are set to FALSE, you will need to use one of the options above.
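
One way to run this kind of check with PowerCLI, as an added example (this is not the author's find-mpx-enabled-vms.ps1). The vCenter name and output path are placeholders, and treating a missing cpuid.enableMPX key the same as FALSE is an assumption.

```powershell
# Added example, not the author's script. Requires VMware PowerCLI.
param(
    [string]$Server  = 'vcenter.example.local',  # placeholder vCenter name
    [string]$OutFile = '.\mpx-report.csv'        # hypothetical output path
)

Import-Module VMware.VimAutomation.Core -ErrorAction Stop
Connect-VIServer -Server $Server -ErrorAction Stop | Out-Null

try {
    $report = foreach ($vm in Get-VM | Sort-Object Name) {
        # cpuid.enableMPX is the .vmx key from Option 1; it is often absent,
        # in which case Get-AdvancedSetting returns nothing.
        $setting = Get-AdvancedSetting -Entity $vm -Name 'cpuid.enableMPX'

        # Config.Version looks like "vmx-14"; extract the number for filtering.
        $hwText = $vm.ExtensionData.Config.Version
        $hwNum  = if ($hwText -match '^vmx-(\d+)$') { [int]$Matches[1] } else { $null }

        [pscustomobject]@{
            Name            = $vm.Name
            PowerState      = $vm.PowerState
            HardwareVersion = $hwText
            # The article says the issue only occurs above HW version 12.
            AboveHW12       = ($null -ne $hwNum -and $hwNum -gt 12)
            EnableMPX       = if ($setting) { [string]$setting.Value } else { '(not set)' }
        }
    }

    # Full inventory goes to CSV for planning the migration.
    $report | Export-Csv -Path $OutFile -NoTypeInformation

    # On screen: VMs above HW 12 whose setting is not TRUE.
    # Assumption: "(not set)" is treated like FALSE here.
    $report | Where-Object { $_.AboveHW12 -and $_.EnableMPX -ne 'TRUE' } |
        Format-Table -AutoSize
}
finally {
    Disconnect-VIServer -Server $Server -Confirm:$false
}
```

The PowerState column shows which VMs are still running and will need the full power cycle described above before a changed setting takes effect.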

What if you are running Nutanix AHV?

Well, you are in luck: Nutanix AHV masks this setting automatically. You will still need to do a FULL power cycle after the expansion so VMs will run on the new Ice Lake nodes, so you will still need some downtime, but not as much. For more information on this, take a look at Nutanix KB 3157.


Is this something you are interested in? Did I miss something?

Feel free to leave a comment and let me know what you think!