After upgrading vCenter from 7.0U3 to 8.0U1c Skyline Health triggers alert vSAN Cluster Configuration Consistency
search cancel

After upgrading vCenter from 7.0U3 to 8.0U1c Skyline Health triggers alert vSAN Cluster Configuration Consistency


Article ID: 345038


Updated On:


VMware vCenter Server VMware vSAN


The purpose of this article is to provide guidance relating to this known issue.

  • After upgrading vCenter from 7.0U3 to 8.0U1c VSAN Skyline Health triggers alert vSAN Cluster Configuration Consistency Data encryption key is encrypted with an out of date key encryption key.
  • In Skyline Health and in the vCenter vmware-vsan-health-summary-result.log the following is observed:

2023-09-21T11:10:19.693Z INFO vsan-mgmt[56365] [VsanHealthSummaryLogUtil::PrintHealthResult opID=agw-0001618-a52a] Cluster VSAN-Cluster Overall Health : red

  Group cluster health : red

   Test timedrift health : green

   Test vcauthoritative health : green

   Test consistentconfig health : red  

     Issues: Host Disk Issue Recommendation

         (Host-2002, '', DataEncryptionKeyIsEncryptedWithAnOutOfDateKeyEncryptionKey, Click'RemediateInconsistentConfiguration'), 

   (Host-2002, Naa.5000C500Ec71Ce47, KeyEncryptionKeyIsInconsistentWithClusterConfiguration, Click'RemediateInconsistentConfiguration'),

         (Host-2002, Naa.5000C500Ec71Ced7, KeyEncryptionKeyIsInconsistentWithClusterConfiguration, Click'RemediateInconsistentConfiguration'),

   (Host-2002, Naa.5000C500Ec71Ce53, KeyEncryptionKeyIsInconsistentWithClusterConfiguration, Click'RemediateInconsistentConfiguration'

         (Host-2002, Naa.5000C500Ec71D30B, KeyEncryptionKeyIsInconsistentWithClusterConfiguration, Click'RemediateInconsistentConfiguration'),

   (Host-2002, Naa.5000C500Ec71Cc67, KeyEncryptionKeyIsInconsistentWithClusterConfiguration, Click'RemediateInconsistentConfiguration'),



VMware vSAN 8.0.x
VMware vCenter Server 8.0.x


Due to changes in which hash algorithm is used for validation of KEK in different versions of vCenter, the KEK ID prefix was generated in the older version with old sha1 algorithm, but later versions will use sha256 algorithm to generate a temporary KEK ID prefix to check KEK ID prefix consistency and thus these will not match. This is the root cause of this health check showing false positive for key consistency.


VMware engineering have identified the cause of this issue and implemented a fix which is tentatively scheduled to be included in vCenter 8.0U3 GA.


Currently there is no workaround for this issue.

Additional Information


This Skyline Health alert is cosmetic in nature and can be safely ignored.