After upgrading vCenter from 7.0U3 to 8.0U1c Skyline Health triggers alert vSAN Cluster Configuration Consistency
search cancel

After upgrading vCenter from 7.0U3 to 8.0U1c Skyline Health triggers alert vSAN Cluster Configuration Consistency

book

Article ID: 345038

calendar_today

Updated On:

Products

VMware vCenter Server VMware vSAN

Issue/Introduction

Symptoms:

  • After upgrading vCenter from 7.0U3 to 8.0U1c or later (= Builds prior 8.0 U3)
VSAN Skyline Health triggers alert vSAN Cluster Configuration Consistency - Data encryption key is encrypted with an out of date key encryption key.
 
  • In the /var/log/vmware/vsan-health/vmware-vsan-health-summary-result.log the following is observed:
YYYY-MM-DDTHH:MM:SS INFO vsan-mgmt[56365] [VsanHealthSummaryLogUtil::PrintHealthResult opID=#####] Cluster VSAN-Cluster Overall Health : red
Group cluster health : red
Test consistentconfig health : red  
   Issues: Host Disk Issue Recommendation
         (Host-2002 '', DataEncryptionKeyIsEncryptedWithAnOutOfDateKeyEncryptionKey, Click'RemediateInconsistentConfiguration'), 
         (Host-2002, naa.#############, KeyEncryptionKeyIsInconsistentWithClusterConfiguration, Click'RemediateInconsistentConfiguration'),
         (Host-2002, naa.#############, KeyEncryptionKeyIsInconsistentWithClusterConfiguration, Click'RemediateInconsistentConfiguration'),
         (Host-2002, naa.#############, KeyEncryptionKeyIsInconsistentWithClusterConfiguration, Click'RemediateInconsistentConfiguration'
         (Host-2002, naa.#############, KeyEncryptionKeyIsInconsistentWithClusterConfiguration, Click'RemediateInconsistentConfiguration'),
         (Host-2002, naa.#############, KeyEncryptionKeyIsInconsistentWithClusterConfiguration, Click'RemediateInconsistentConfiguration'),

 

 

Environment

VMware vSAN 
VMware vCenter Server 8.0.x (prior to Update 3)

Cause

Due to changes in which hash algorithm is used for validation of KEK in different versions of vCenter, the KEK ID prefix was generated in the older version with old sha1 algorithm, but later versions will use sha256 algorithm to generate a temporary KEK ID prefix to check KEK ID prefix consistency and thus these will not match. This is the root cause of this health check showing false positive for key consistency.

Resolution

VMware Engineering has identified the cause of this issue and implemented a fix which is in vCenter 8.0U3 GA (= Build 24022515 )

Workaround:
Currently there is no workaround for this issue.

 

Additional Information

This Skyline Health alert is cosmetic in nature and can be safely ignored. 

Powered by Wolken Software