vSphere HA fails to enable with error "HA Agent unreachable" or " HA Agent uninitialized" after vCenter install/upgrade to 8.0 U3
search cancel

vSphere HA fails to enable with error "HA Agent unreachable" or " HA Agent uninitialized" after vCenter install/upgrade to 8.0 U3

book

Article ID: 379366

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

  • HA may fail to deploy in all clusters in environment after vCenter Server fresh install or upgrade from 7.0 to 8.0 with error "HA Agent unreachable" or " HA Agent uninitialized/ retrying":

  • When checking ESXi logs /var/run/log/fdm.log you may see error similar to below example in relation certificates: 
Host name does not match the subject name(s) in certificate.

or

YYYY-MM-DDTHH:MM:SS.XXXZ Er (163) Fdm[XXXXXX]: --> The remote host certificate has these problems:
YYYY-MM-DDTHH:MM:SS.XXXZ Er (163) Fdm[XXXXXX]: -->unable to get local issuer certificate

YYYY-MM-DDTHH:MM:SS.XXXZ Er (164) Fdm[XXXXXX]: [Originator@XXXX sub=Election opID=XXXXXXXXX] Failed to connect to master host
  • When you navigate to ESXi -> Configure -> System -> Certificate, you see a blank page with no certificate information (Ensure you are logged in as SSO admin, to confirm not a permissions issue)
  • vpxd.certmgmt advanced setting mode is set to "Thumbprint", to confirm navigate to below: 
    • Select vCenter object -> Configure -> Advanced Settings -> search for "vpxd.certmgmt.mode

Environment

vCenter Server 8.0 U3 

Cause

vCenter "vpxd.certmgmt.mode" advanced setting is set to "Thumbprint" due to which other hosts are unable to verify the issuer of the master hosts certificate.  

Resolution

Note: Prior to completing any steps, ensure you have valid Snapshots (Offline snapshots of all vCenter nodes in Enhanced Linked Mode set up) completed, prior to making any changes

 

To resolve the issue, follow below steps: 

1. Navigate to below: 

Select vCenter object -> Configure -> Advanced Settings -> search for "vpxd.certmgmt.mode

2. If this is set to "Thumbprint", edit settings and change this to "vmca" and save the change (For more information on this, please refer to the following: Change the ESXi Certificate Mode)

3. Navigate to cluster, and disable HA on the cluster.

4. Either disconnect and reconnect ESXi to vCenter, or select to renew vmca certificate from the ESXi certificate settings (for more steps on this, please refer to the following: Renew or Refresh ESXi Certificates)

5. Once the above has been completed, confirm we can view the certificates at for the ESXi in the UI 

6 Enable HA for the cluster now

 

HA should now get configured without issue 

Additional Information

Please see following document for more information on certificates modes for ESXi: Managing Certificates for ESXi Hosts

Powered by Wolken Software