Unable to install ESXi patch update due to a vSAN error

Article ID: 392560

Updated On:

Products

VMware vSAN

Issue/Introduction

The vSAN cluster shows active vSAN Health alarms after updating ESXi on a host and rebooting.

Environment

VMware vSAN (All Versions)

Cause

The vSAN cluster is encrypted using an external KMS, and the KMS server is down: it does not respond to ping from an ESXi host or from the local workstation.

Resolution

Engage the KMS vendor/team to assist with bringing the KMS server back online. Confirm proper communication between vCenter/ESXi and the KMS. If the disk groups don't come back online right away, reboot the impacted host to obtain the KEK to decrypt the Disk Groups (DGs). This should bring the DGs back online and allow the rest of the upgrades to succeed. To guard against future availability issues, you can set up a redundant KMS so that the secondary KMS can take over.
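
A pre-reboot check in the spirit of the resolution above, as an added example that is not part of the original article: it probes each KMS endpoint over TCP on the KMIP port and blocks the reboot when none responds. The endpoint addresses are constructed placeholders, the function names are hypothetical, and port 5696 is an assumption (the KMIP default); use the values from your own KMS configuration.

```python
import socket

KMIP_PORT = 5696  # assumption: KMIP default port; use the port your KMS listens on


def probe(host, port=KMIP_PORT, timeout=3.0):
    """TCP-connect to one KMS endpoint; return (reachable, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "tcp connect ok"
    except socket.timeout:
        return False, "timeout (host down or traffic filtered)"
    except ConnectionRefusedError:
        return False, "refused (host up, nothing listening on the port)"
    except socket.gaierror as exc:
        return False, f"name resolution failed: {exc}"
    except OSError as exc:
        return False, f"network error: {exc}"


def reboot_gate(endpoints, timeout=3.0):
    """Probe every configured KMS and return (verdict, per-endpoint results).

    BLOCK    - no KMS reachable (or none listed): a rebooted host cannot
               obtain the KEK, so its disk groups would stay offline.
    DEGRADED - at least one KMS answers, but redundancy is lost.
    OK       - every listed KMS answers.
    """
    results = []
    for host, port in endpoints:
        ok, detail = probe(host, port, timeout)
        results.append({"host": host, "port": port, "reachable": ok, "detail": detail})
    up = sum(r["reachable"] for r in results)
    if up == 0:
        verdict = "BLOCK"
    elif up < len(results):
        verdict = "DEGRADED"
    else:
        verdict = "OK"
    return verdict, results


if __name__ == "__main__":
    # Constructed sample endpoints (documentation address range), not real servers.
    kms_cluster = [("192.0.2.10", KMIP_PORT), ("192.0.2.11", KMIP_PORT)]
    verdict, results = reboot_gate(kms_cluster, timeout=1.0)
    for r in results:
        print(f"{r['host']}:{r['port']} reachable={r['reachable']} ({r['detail']})")
    print("verdict:", verdict)
```

A successful connect only shows that the port is reachable; the certificate trust between vCenter/ESXi and the KMS still has to be confirmed separately.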

Troubleshooting vSAN Encryption

vSAN Encryption Considerations