The purpose of this article is to provide guidance relating to this known issue.
Symptoms:
2023-09-21T11:10:19.693Z INFO vsan-mgmt[56365] [VsanHealthSummaryLogUtil::PrintHealthResult opID=agw-0001618-a52a] Cluster VSAN-Cluster Overall Health : red
Group cluster health : red
Test timedrift health : green
Test vcauthoritative health : green
Test consistentconfig health : red
Issues: Host Disk Issue Recommendation
(Host-2002, '', DataEncryptionKeyIsEncryptedWithAnOutOfDateKeyEncryptionKey, Click'RemediateInconsistentConfiguration'),
(Host-2002, Naa.5000C500Ec71Ce47, KeyEncryptionKeyIsInconsistentWithClusterConfiguration, Click'RemediateInconsistentConfiguration'),
(Host-2002, Naa.5000C500Ec71Ced7, KeyEncryptionKeyIsInconsistentWithClusterConfiguration, Click'RemediateInconsistentConfiguration'),
(Host-2002, Naa.5000C500Ec71Ce53, KeyEncryptionKeyIsInconsistentWithClusterConfiguration, Click'RemediateInconsistentConfiguration'
(Host-2002, Naa.5000C500Ec71D30B, KeyEncryptionKeyIsInconsistentWithClusterConfiguration, Click'RemediateInconsistentConfiguration'),
(Host-2002, Naa.5000C500Ec71Cc67, KeyEncryptionKeyIsInconsistentWithClusterConfiguration, Click'RemediateInconsistentConfiguration'),
VMware vSAN
VMware vCenter Server 8.0.x (prior to Update 3)
Due to changes in which hash algorithm is used for validation of KEK in different versions of vCenter, the KEK ID prefix was generated in the older version with old sha1 algorithm, but later versions will use sha256 algorithm to generate a temporary KEK ID prefix to check KEK ID prefix consistency and thus these will not match. This is the root cause of this health check showing false positive for key consistency.
VMware engineering have identified the cause of this issue and implemented a fix which is in vCenter 8.0U3 GA.
Workaround:
Currently there is no workaround for this issue.
This Skyline Health alert is cosmetic in nature and can be safely ignored.