After upgrading vCenter from 7.0U3 to 8.0U1c Skyline Health triggers alert vSAN Cluster Configuration Consistency

Article ID: 345038

Products

VMware vCenter Server
VMware vSAN

Issue/Introduction

The purpose of this article is to provide guidance relating to this known issue.


Symptoms:

  • After upgrading vCenter from 7.0U3 to 8.0U1c or later (but before 8.0 U3), vSAN Skyline Health triggers the alert "vSAN Cluster Configuration Consistency" with the message "Data encryption key is encrypted with an out of date key encryption key".
  • In Skyline Health and in the vCenter vmware-vsan-health-summary-result.log the following is observed:

2023-09-21T11:10:19.693Z INFO vsan-mgmt[56365] [VsanHealthSummaryLogUtil::PrintHealthResult opID=agw-0001618-a52a] Cluster VSAN-Cluster Overall Health : red
  Group cluster health : red
   Test timedrift health : green
   Test vcauthoritative health : green
   Test consistentconfig health : red
     Issues: Host Disk Issue Recommendation
         (Host-2002, '', DataEncryptionKeyIsEncryptedWithAnOutOfDateKeyEncryptionKey, Click'RemediateInconsistentConfiguration'),
         (Host-2002, Naa.5000C500Ec71Ce47, KeyEncryptionKeyIsInconsistentWithClusterConfiguration, Click'RemediateInconsistentConfiguration'),
         (Host-2002, Naa.5000C500Ec71Ced7, KeyEncryptionKeyIsInconsistentWithClusterConfiguration, Click'RemediateInconsistentConfiguration'),
         (Host-2002, Naa.5000C500Ec71Ce53, KeyEncryptionKeyIsInconsistentWithClusterConfiguration, Click'RemediateInconsistentConfiguration'
         (Host-2002, Naa.5000C500Ec71D30B, KeyEncryptionKeyIsInconsistentWithClusterConfiguration, Click'RemediateInconsistentConfiguration'),
         (Host-2002, Naa.5000C500Ec71Cc67, KeyEncryptionKeyIsInconsistentWithClusterConfiguration, Click'RemediateInconsistentConfiguration'),

Environment

VMware vSAN 
VMware vCenter Server 8.0.x (prior to Update 3)

Cause

The hash algorithm used to validate the key encryption key (KEK) differs between vCenter versions. The older version generated the KEK ID prefix with the SHA-1 algorithm, while later versions use the SHA-256 algorithm to generate a temporary KEK ID prefix for the KEK ID prefix consistency check, so the two prefixes do not match. This mismatch is the root cause of the health check showing a false positive for key consistency.

Resolution

VMware engineering has identified the cause of this issue and implemented a fix, which is included in vCenter 8.0U3 GA.


Workaround:
Currently there is no workaround for this issue.

 

Additional Information

Impact/Risks:

This Skyline Health alert is cosmetic in nature and can be safely ignored.
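
Before treating a red consistentconfig result as this cosmetic alert, it helps to confirm that every issue row under that test is one of the two issue strings shown in the log excerpt above. The following is an added example, not VMware code: it assumes the "(Host, Disk, Issue, Recommendation)" row layout seen in that excerpt, and the function names and sample text are constructed for illustration.

```python
from collections import defaultdict

# Issue strings shown in this article's log excerpt (the KEK ID prefix false positive).
KNOWN_ISSUES = {
    "DataEncryptionKeyIsEncryptedWithAnOutOfDateKeyEncryptionKey",
    "KeyEncryptionKeyIsInconsistentWithClusterConfiguration",
}

def parse_issue(line):
    """Parse one '(Host, Disk, Issue, Recommendation)' row; tolerate a missing ')'."""
    s = line.strip()
    if not s.startswith("("):
        return None
    parts = [p.strip() for p in s[1:].rstrip(",) ").split(",", 3)]
    if len(parts) != 4:
        return None
    host, disk, issue, _recommendation = parts
    return host, disk.strip("'") or None, issue  # '' in the log means no disk

def triage(log_text, test_name="consistentconfig"):
    """Collect issue rows listed under one health test; split known from other."""
    known, other, in_test = defaultdict(list), [], False
    for line in log_text.splitlines():
        words = line.split()
        if words[:1] in (["Test"], ["Group"]):  # a new test or group ends the scope
            in_test = words[0] == "Test" and len(words) > 1 and words[1] == test_name
            continue
        row = parse_issue(line) if in_test else None
        if row is None:
            continue
        host, disk, issue = row
        if issue in KNOWN_ISSUES:
            known[host].append(disk or "(host-level)")
        else:
            other.append(row)
    return {"known": dict(known), "other": other,
            "only_known_issue": bool(known) and not other}

# Constructed sample modelled on the article's excerpt; the last row lacks its ")".
SAMPLE = """\
  Group cluster health : red
   Test timedrift health : green
   Test consistentconfig health : red
     Issues: Host Disk Issue Recommendation
         (Host-2002, '', DataEncryptionKeyIsEncryptedWithAnOutOfDateKeyEncryptionKey, Click'RemediateInconsistentConfiguration'),
   (Host-2002, Naa.5000C500Ec71Ce47, KeyEncryptionKeyIsInconsistentWithClusterConfiguration, Click'RemediateInconsistentConfiguration'),
   (Host-2002, Naa.5000C500Ec71Ce53, KeyEncryptionKeyIsInconsistentWithClusterConfiguration, Click'RemediateInconsistentConfiguration'
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

If `only_known_issue` is false, the rows in `other` are not covered by this article and need separate investigation.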