Configuring HA after upgrading to vCenter Server 5.0 fails with the error: Cannot complete the configuration of the vSphere HA agent on the host. Misconfiguration in the host setup
search cancel

Configuring HA after upgrading to vCenter Server 5.0 fails with the error: Cannot complete the configuration of the vSphere HA agent on the host. Misconfiguration in the host setup

book

Article ID: 328062

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

After upgrading to VMware vCenter Server 5.0, you experience these symptoms:

  • Unable to configure VMware High Availability (HA).
  • The HA agent on one or more hosts in the cluster fails to configure properly.
  • Configuring HA fails.
  • The HA agent for this host reports this error:

    The vSphere HA agent is not reachable from vCenter Server vSphere HA cannot be configured on this host because it's SSL thumbprint has not been verified. Check that vCenter server is configured to verify SSL thumbprints and that the thumbprint for this host has been verified There was an error unconfiguring the vSphere HA agent on this host. To solve this problem, connect the host to a vCenter Server of version 5.0 or later

  • You see the error:

Cannot complete the configuration of the vSphere HA agent on the host Misconfiguration in the host setup.

  • In the /var/log/fdm.log file of one or more hosts in the cluster, you see entries similar to:

    YYYY-MM-DDT15:46:48.993-04:00 [F7757B90 verbose 'Cluster' opID=SWI-d31768f2] [ClusterManagerImpl::VerifyHost] Thumbprint mismatch(99:6E:8A:D3:1D:F2:98:0F:54:4A:60:9D:AC:35:03:BC:AD:B9:85:95
    != 3C:D0:0C:3E:D0:DD:78:17:CE:AB:F4:E3:55:AB:E1:A5:75:18:1F:3A) for host host-47 - failing verify
    YYYY-MM-DDT15:46:48.993-04:00 [F7757B90 verbose 'Cluster' opID=SWI-d31768f2] [ClusterManagerImpl::InvalidCredentialsIP::SetBadIP] Blacklisting ip address xx.xx.xx.xx for 60 seconds
    YYYY-MM-DDT15:46:48.993-04:00 [F7757B90 verbose 'Cluster' opID=SWI-d31768f2] [ClusterManagerImpl::AddBadIP] IP 172.23.3.14 marked bad for reason Invalid Credentials
    YYYY-MM-DDT15:46:48.993-04:00 [F7757B90 verbose 'Cluster' opID=SWI-d31768f2] [ClusterManagerImpl::ConnectToMaster] Master @ host-47 has invalid credentials - closing connection YYYY-MM-DDT19:09:27.461Z [66797B90 verbose 'Cluster' opID=SWI-965357c] [ClusterManagerImpl::AddBadIP] IP 172.23.3.14 marked bad for reason Unreachable IP
    YYYY-MM-DDT19:09:28.461Z [66797B90 verbose 'Cluster' opID=SWI-965357c] [ClusterManagerImpl::IsBadIP] 172.23.3.14 is bad ip
    YYYY-MM-DDT19:09:28.482Z [66797B90 verbose 'Cluster' opID=SWI-965357c] [ClusterManagerImpl::RemoveBadIPType] IP 172.23.3.14 no longer bad for reason Unreachable IP
    ClusterManagerImpl::InvalidCredentialsIP::IsBadIP] 10.10.10.224 has been in bad ip map long enough so declaring good

    YYYY-MM-DDT22:36:21.354Z [FFFD3B90 verbose 'Cluster'] ICMP reply for non-existent pinger 3 (id=isolationAddress)

    YYYY-MM-DDT22:36:21.354Z [26620B90 info 'Election' opID=SWI-ed338c8] ClusterElection::StartupStateFunc: Found node with better goodness @ xx.xx.xx.xx
    YYYY-MM-DDT22:36:21.354Z [26620B90 verbose 'Cluster' opID=SWI-ed338c8] [ClusterManagerImpl::IsBadIP] 10.0.17.134 is bad ip
    YYYY-MM-DDT22:36:21.354Z [26620B90 verbose 'Cluster' opID=SWI-ed338c8] [ClusterManagerImpl::InvalidCredentialsIP::IsBadIP] xx.xx.xx.xx has been in bad ip map long enough so declaring good


Cause

This issue occurs if:
  • SSL Certificate checking is disabled in vCenter Server. SSL Certificate checking is now a requirement for HA in vCenter Server 5.0.
  • SSL thumbprints do not match the SSL keys shown.

    Note: If this is the cause of your issue, you do not need to perform steps 5-7 in the resolution.

Resolution

This issue is resolved in vCenter Server 5.0 Update 1, available at VMware Downloads. For more information, see the Resolved issues section of the VMware vCenter Server Release Notes.
To resolve this issue when you do not want to upgrade, enable SSL Certificate checking.
To enable SSL Certificate checking:
  1. In the vSphere Client, click Administration > vCenter Server Settings. The vCenter Server Settings dialog appears.
  2. If the vCenter Server system is a part of a connected group, select the server you want to configure from the Current vCenter Server dropdown.
  3. In the settings list, select SSL Settings.
  4. Select vCenter requires verified host SSL certificates. If there are hosts that require manual validation, these hosts appear in the host list at the bottom of the dialog.
  5. Determine the host thumbprint for each host that requires validation.

    1. Log in to the direct console (DCUI).
    2. Select View Support Information in the System Customization menu. The thumbprint is displayed in the right pane.

      Notes:

      • If you do not have access to the direct console, you connect a vSphere Client that has not installed the hosts certificate directly to the host. When it prompts you for certificate confirmation, select View Certificate > Details, then scroll down to thumbprint.
      • If your issue is occurring because the SSL Thumbprints do not match, when you click OK all listed hosts disconnect from vCenter Server. Reconnect each host (this requires the root password) to refresh the SSL thumbprints.

  6. Compare the thumbprint you obtained from the host with the thumbprint listed in the vCenter Server Settings dialog.
  7. If the thumbprints match, select the check box for the host.
  8. Click OK. Hosts that you have not selected are now disconnected.


Additional Information

Note: This issue may also occur if proxy ARP is enabled on the ESX/ESXi management VLAN. To resolve this issue, disable Proxy ARP. For more information, see Troubleshooting network connection issues caused by proxy ARP (1005965).

vCenter Server 5.0 にアップグレードした後、HA の構成が次のエラーで失敗する: Cannot complete the configuration of the vSphere HA agent on the host. ホストの設定の構成に誤りがあります
After upgrading to vSphere 5, you see the HA error: vSphere HA Cannot be configured on this host because its SSL thumbprint has not been verified
升级到 vCenter Server 5.0 后配置 HA 失败,并出现以下错误:无法完成主机上的 vSphere HA 代理配置。主机设置中存在配置错误