Data-in-transit encryption is disabled on this cluster but enabled on this host
Article ID: 373324

Products

VMware vSAN

Issue/Introduction

Each ESXi Host has this error: "Data-in-transit encryption is disabled on the vSAN cluster but is enabled on this host, please disable it on this host or enable it from the vSAN cluster"

When attempting to enable Data-In-Transit encryption on the cluster, the following error is received: "Host(s) don't have data-in-transit encryption license".

Environment

VMware vSAN

Cause

If the vSAN cluster's license stops covering Data-In-Transit encryption while the feature is in use (for example, when an evaluation license period ends), the host-level setting remains enabled while the cluster-level setting cannot be changed, so an admin can neither enable the feature nor disable it correctly in the GUI.

Resolution

There are two solutions to correct this issue and bring the host and cluster settings for Data-In-Transit encryption back in sync.

1. Apply a license that supports this feature, then enable it at the cluster level.

VMware vSAN Licensing Guide


2. Disable Data-In-Transit encryption on the hosts to match the cluster's current licensing.

This should not impact running VMs if the command can be run on all hosts in quick succession, for example with an SSH client that pushes a single command to multiple hosts at once. If that is not possible, perform the change during a maintenance window with the VMs shut down.

1) On each host, run the following command:

esxcli vsan network security set -e false

(To check the current status, run: esxcli vsan network security get)

Then, one host at a time, run the following commands to restart the services:

2) /etc/init.d/vsanmgmtd restart
3) /etc/init.d/hostd restart
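The following script is an added example of how an admin might drive the host-side steps above from a workstation; it is not part of the KB article or any VMware tooling. It assumes root SSH key authentication to each host, a host list in HOSTS (the example.local names are constructed), and that "esxcli vsan network security get" prints a line of the form "Encryption Enabled: true" (that output format is an assumption). By default it runs in dry-run mode and only prints the commands; it flips the setting on all hosts first, then restarts services one host at a time and verifies each host reports the feature disabled before moving on.

```shell
#!/bin/sh
# Added example (not from the KB article or VMware). Assumptions: root SSH key
# auth to each ESXi host, hosts listed in HOSTS (constructed names), and that
# `esxcli vsan network security get` prints "Encryption Enabled: true|false".
DRY_RUN="${DRY_RUN:-1}"
HOSTS="${HOSTS:-esx01.example.local esx02.example.local esx03.example.local}"

# parse_dit_state: read `esxcli vsan network security get` output on stdin and
# print "true" or "false" (lower-cased); prints nothing if the line is absent.
parse_dit_state() {
    awk -F': *' '/Encryption Enabled/ { gsub(/ /, "", $2); print tolower($2); exit }'
}

# run_on_host HOST CMD...: run CMD on HOST over SSH, or only print it when DRY_RUN=1.
run_on_host() {
    host="$1"; shift
    if [ "$DRY_RUN" = "1" ]; then
        printf '[dry-run] %s: %s\n' "$host" "$*"
    else
        ssh -o BatchMode=yes "root@$host" "$@"
    fi
}

# KB step 1 on one host: turn off data-in-transit encryption.
disable_dit_on_host() {
    run_on_host "$1" esxcli vsan network security set -e false
}

# KB steps 2 and 3 on one host: restart vsanmgmtd, then hostd.
restart_services_on_host() {
    run_on_host "$1" /etc/init.d/vsanmgmtd restart
    run_on_host "$1" /etc/init.d/hostd restart
}

# Confirm the host now reports the feature disabled; returns non-zero otherwise.
# In dry-run mode it only prints the check it would run and returns 0.
verify_host_disabled() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '[dry-run] %s: esxcli vsan network security get\n' "$1"
        return 0
    fi
    state=$(ssh -o BatchMode=yes "root@$1" esxcli vsan network security get | parse_dit_state)
    [ "$state" = "false" ]
}

# Phase 1: flip the setting on every host in quick succession, as the KB
# advises, so the hosts spend as little time as possible with mixed settings.
# Phase 2: restart services on one host at a time and verify each host.
sync_hosts() {
    for h in $HOSTS; do disable_dit_on_host "$h"; done
    for h in $HOSTS; do
        restart_services_on_host "$h"
        verify_host_disabled "$h" || {
            echo "ERROR: $h still reports encryption enabled" >&2
            return 1
        }
    done
}

# Only perform the procedure when invoked as: sh dit_sync.sh run
if [ "${1:-}" = "run" ]; then
    sync_hosts
fi
```

Run it as "DRY_RUN=0 HOSTS='host1 host2' sh dit_sync.sh run" to execute for real; without DRY_RUN=0 it prints every command it would issue so the host list and ordering can be checked first. Stopping at the first host that still reports the feature enabled avoids restarting services across the whole cluster when one host did not take the change.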