• Once the witness tag is enabled for Vsan witness traffic, it will allow the vSAN data nodes to be able to communicate with the vSAN witness node on the tagged VMkernel adapter such as VMK0 for management.
• If the vSAN witness tag is missing or has not been applied on the vSAN data node's VMkernel adapter, then a partition will occur.
  
  
• This Feature is used in environments where the data nodes cannot communicate with the vSAN witness via the vSAN enabled VMkernel adapter.

To resolve this issue:

1. Validate the data nodes' network configuration from vSphere Client > vSAN Cluster > vSAN Host > Configure > Networking - VMkernel adapters: And determine which VMkernal adapter can communicate with the Witness appliance.

2. If a host is missing the vSAN Witness tag, make a note of it. The configuration should be uniform across all hosts in a vSAN cluster. Also make a note of the vmk on which the witness traffic is enabled on the other hosts if in use. 
   
   Alternatively, from CLI of the ESXi host run the following command to display the WMkernel adapters used by vSAN and the services enabled: esxcli vsan network list

3. How to apply the vSAN Witness tag to a ESXi host. 

   • For environment with vCenter 7.x: This tag must be enabled from CLI of the data node, using the command: esxcli vsan network ip add -i vmkX -T witness

     Where vmkX is the VMkernel adapter on which vSAN Witness traffic is enabled on the data nodes.

   • For environment with vCenter 8.x: This tag can be enabled from the vSphere Client: vSphere Client > vSAN Cluster > vSAN data node > Configure > Network - VMkernel Adapter > Click on the three dots next to "vmkX" > Click "Edit" > Enable the checkbox for "vSAN Witness".

Note: vSAN Witness traffic tagging should only be present on the data node's VMkernel adapter and not on the vSAN Witness node's VMkernel adapter.

Configure Network Interface for Witness Traffic