DRS Stops Working with Cluster Appearing to be in Retreat Mode
search cancel

DRS Stops Working with Cluster Appearing to be in Retreat Mode

book

Article ID: 380333

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

Users may encounter issues with vSphere DRS functionality where:

  • Virtual machines can only be migrated individually
  • Attempts to place hosts into Maintenance Mode time out
  • Cluster shows alerts indicating it is in "Retreat Mode"
  • The following alarm appears: "vSphere Cluster Services are disabled by Retreat Mode. vSphere DRS is not functioning and vSphere HA will not perform optimally"

Environment

- VMware vCenter Server 7.0 or later
- vSphere DRS-enabled clusters
- Environment using either VMCA-signed or custom certificates

Cause

This behavior can occur when either:
1. The vCenter Server's SSL certificates have expired
2. The Security Token Service (STS) signing certificate has expired

When these certificates expire, it can cause various services to fail, including DRS functionality. This may trigger alerts that incorrectly suggest the cluster is in "Retreat Mode" when the root cause is actually certificate expiration.

Resolution

Follow these steps to resolve the issue:

  1. Check and renew the STS signing certificate if needed:
    1. Log in to the vSphere Client
    2. Navigate to the vCenter Server settings
    3. Follow the procedures in Managing the vCenter Server Security Token Service
    4. If the STS certificate is expired, renew it before proceeding

  2. Renew the vCenter Server SSL certificates based on your certificate type:
    1. For VMCA-generated certificates:
    2. For custom certificates:
  3. Verify DRS functionality has been restored:
    1. Check if VMs can are being migrated by DRS
    2. Verify that hosts can successfully enter Maintenance Mode
    3. Confirm that the Retreat Mode alarm has cleared

Additional Information