HCX for VMC - HCX Site Pairing is disconnected post certificate renewal on the HCX Cloud

Article ID: 316713

Updated On:

Products

VMware HCX, VMware Cloud on AWS

Issue/Introduction

Symptoms:
HCX Site Pairing is down and shows the error message below.

Host name '<DEST_IP>' does not match the certificate subject provided by the peer (CN=hcx.sddc-xxx-xxx-xxx-xxx.vmwarevmc.com, O="VMware, Inc", L=Palo Alto, ST=California, C=US)



Cause

The certificate of the HCX Cloud deployed on VMC on AWS is replaced by the VMware team as needed so that it does not expire. If the HCX Site Pairing is configured with an IP address, it is disconnected after the replacement because of the certificate mismatch.

Resolution

Add a Site Pairing configured with the FQDN in the “Remote HCX URL”. The existing Site Pairing will be overridden.


If your On-Premise network is connected with VMC via Direct Connect or VPN, configure the HCX FQDN resolution address with the Private IP in the VMC console.

Set HCX FQDN Resolution Address

 



Workaround:

The new certificate should be imported into the HCX Connector with the steps below. This operation has to be done on your On-Premise side.

1. Click vSphere Client > HCX > Infrastructure > Site Pairing
2. Click the "EDIT CONNECTION" link in the existing Site Pairing.
3. Fill in the "[email protected]" password and click the “EDIT” button.
4. Click the "IMPORT CERTIFICATE" button on the "Certificate Warning" popup.

 

 

Additional Information

Impact/Risks:

If the Site Pairing is down, configuration workflows will fail and no migrations can be scheduled from HCX Connector or source Cloud Manager. Existing Network Extension services will remain active indefinitely but no configuration changes can be made on those, except for "unstretch", which can be forced from the target HCX Cloud Manager's side.