Enhanced Replication Mappings Show Error: Fault occurred while performing health check. Details: 'Connect: certificate verify failed (SSL routines)'
search cancel

Enhanced Replication Mappings Show Error: Fault occurred while performing health check. Details: 'Connect: certificate verify failed (SSL routines)'

book

Article ID: 395714

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

Symptom:

  • Enhanced replication mappings are in error state

  • Expanding the Enhanced Replication Mappings details displays the following error message: Fault occurred while performing health check. Details: 'Connect: certificate verify failed (SSL routines)'.

    Steps: vSphere Client > Site Recovery Plugin > Open Site Recovery > View Details > Enhanced Replication Mappings > select DC or DR site, then "Run Test"

Environment

VMware vSphere Replication 

Cause

  • The issue is caused by a misconfiguration where multiple VMkernel interfaces are enabled for vSphere Replication traffic on the source host. This leads to replication traffic attempting to route through the multiple interfaces, which may not have proper SSL certificates or routing, resulting in SSL verification failures.

Cause Validation

Upon reviewing the "/var/run/log/hbr-agent.log" file on the source host, the following observations confirm the issue:

Here two VMkernel interfaces (vmk0 and vmk4) are configured for vSphere Replication traffic. The connection attempts through vmk0 (management) are failing with SSL errors.

2025-03-18T09:07:09.1672 In(166) hbr-agont-bin[2101670]: [0x0000003482b4e700] info: [Proxy [Group: PING-GID-46axxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx] -> [10.##.##.##: 32032]] [355c5936-3e40-42db-a4e1-859ede2fbaff-HMS-1420793] Bound to vmk: vmk4 for connection to 10.##.##.##:32032
2025-03-18T09:07:09.167Z In(166) hbr-agent-bin[2101670]: [0x0000003482acd700] error: [Proxy [Group: PING-GID-46axxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx] -> [10.##.##.##: 32032]] [355c5936-3e40-42db-a4e1-859ede2fbaff-HMS-1420793] Failed to connect to 10.##.##.##:32032. Using nic 'vmk0'. Error: Connection timed out
2025-03-18T09:07:09.215Z In(166) hbr-agent-bin[2101670]: [0x0000003482acd700] error: [Proxy [Group: PING-GID-46axxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx] -> [10.##.##.##: 32032]] [355c5936-3e40-42db-a4el-859ede2fbaff-HMS-1420793] SSL handshake failed: certificate verify failed (SSL routines)
 
Additionally, from the VMkernel adapters section on the source host, it is confirmed that vSphere Replication services are enabled on both vmk0 and vmk4, which leads to inconsistent interface usage during replication communication.

Resolution

To resolve this issue, the vSphere Replication traffic services should be removed from the management vmkernel interface (vmk0) and enabled only on the dedicated vmkernel interface (vmk4)

Inorder to remove the services on vmk0, navigate to Host > Configure >VMkernel adapters

  • Select vmk0 and click on the three vertical dots to edit the configuration

  • Under available services uncheck vSphere Replication and vSphere Replication NFC services

Powered by Wolken Software