vSphere HA Agent is not reachable from the vCenter Server

Article ID: 398888

Products

VMware vCenter Server 8.0

Issue/Introduction

  • vCenter is not able to initialize vSphere HA on the hosts due to a communication error

  • Disconnecting the host and then reconnecting it to the vCenter Server fails

  • The host /var/run/log/fdm.log records certificate verification errors and SSL handshake failures, similar to the following:

YYYY-MM-DDT04:42:46 warning fdm[########] [Originator@#### sub=IO.Connection opID=WorkQueue-####] Failed to SSL handshake; SSL(<io_obj p:0x########, h:9, <TCP '##.###.##.## : #####'>, <TCP '##.###.##.## : #####'>>), e: 336134278(certificate verify failed (SSL routines, 5513 get server_certificate)), duration: 5mmec 
YYYY-MM-DDT04:42:46 error fdm[########] [Originator@#### sub=Message opID=WorkQueue-####] Error N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception: Verification parameters:
--> PeerThumbprint: ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
--> ExpectedThumbprint: 
--> ExpectedPeerName: <ESXi Host Name>
--> The remote host certificate has these problems: 
--> 
--> * certificate has expired) 
--> [context]################################[/context] on handshake 
YYYY-MM-DDT04:42:46 error fdm[########] [Originator@#### sub=Message opID=clusterElection.cpp:##-####] AsyncConnect failed
YYYY-MM-DDT04:42:46 info fdm[########] [Originator@#### sub=Message opID=clusterElection.cpp:##-####] Destroying connection
YYYY-MM-DDT04:42:46 error fdm[########] [Originator@#### sub=Cluster opID=clusterElection.cpp:##-####] Couldn't connect to master N7Vmacore16Timeout
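
An added triage example, not part of the original article or of any VMware tooling: a Python parser that reads the "SSL Exception: Verification parameters" blocks from fdm.log in the layout shown above and lists the peers rejected for an expired certificate. The sample log, host name, thumbprint and function names are constructed for illustration.

```python
import re

# Constructed sample in the fdm.log layout quoted above; every value is a placeholder.
SAMPLE = """\
2024-01-01T04:42:46 warning fdm[1000001] [Originator@0000 sub=IO.Connection opID=WorkQueue-1] Failed to SSL handshake; e: 336134278(certificate verify failed)
2024-01-01T04:42:46 error fdm[1000001] [Originator@0000 sub=Message opID=WorkQueue-1] Error SSLVerifyException(SSL Exception: Verification parameters:
--> PeerThumbprint: AA:BB:CC:DD
--> ExpectedThumbprint:
--> ExpectedPeerName: esx01.example.test
--> The remote host certificate has these problems:
-->
--> * certificate has expired)
--> [context]xxxx[/context] on handshake
2024-01-01T04:42:46 error fdm[1000001] [Originator@0000 sub=Cluster opID=clusterElection.cpp:1-1] Couldn't connect to master
"""

HEADER = re.compile(r"^(\S+) \w+ fdm\[")       # start of a timestamped entry
FIELD = re.compile(r"^--> (\w+):\s*(.*)$")     # "--> Name: value"
PROBLEM = re.compile(r"^--> \* (.+?)\)?\s*$")  # "--> * reason)"
WANTED = ("PeerThumbprint", "ExpectedThumbprint", "ExpectedPeerName")

def parse_ssl_verify_failures(text):
    """Return one dict per 'SSL Exception: Verification parameters' block."""
    events, current = [], None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            # Any new timestamped entry closes the open "-->" block.
            current = None
            if "SSL Exception: Verification parameters" in line:
                current = {"time": head.group(1), "problems": []}
                events.append(current)
            continue
        if current is None:
            continue  # continuation line of an entry we do not track
        problem, field = PROBLEM.match(line), FIELD.match(line)
        if problem:
            current["problems"].append(problem.group(1))
        elif field and field.group(1) in WANTED:
            current[field.group(1)] = field.group(2).strip()
    return events

def expired_peers(events):
    """Peer names whose certificate was rejected as expired."""
    return sorted({e.get("ExpectedPeerName", "unknown") for e in events
                   if "certificate has expired" in e["problems"]})

if __name__ == "__main__":
    print(expired_peers(parse_ssl_verify_failures(SAMPLE)))
```

To use it on a real host log, pass the contents of a copy of /var/run/log/fdm.log to parse_ssl_verify_failures() in place of SAMPLE.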

Environment

VMware vCenter Server 7.x

VMware vCenter Server 8.x

Cause

The vCenter Server is unable to communicate with the ESXi host because the host's SSL certificates are invalid or expired, which prevents the vSphere HA agent from establishing a secure connection.

Resolution

To resolve this issue, the host certificate must be renewed via the VMware Certificate Authority (VMCA).

  1. Disable vSphere HA on the problematic cluster.

  2. In the vSphere Client, select the vCenter Server managing the affected hosts.

  3. Navigate to Configure > Settings > Advanced Settings.

  4. Select Edit Settings.

  5. Use the filter to locate vpxd.certmgmt.mode. See Change the ESXi Certificate Mode for more details.

  6. Ensure the value is set to vmca. If it is set to custom or thumbprint, the vCenter Server will not automatically refresh host certificates.

  7. Right-click the affected ESXi host in the inventory and select Disconnect, followed by Reconnect.

  8. Right-click the ESXi host again and select Configure > Certificates > Renew Certificate.

  9. Reconfigure vSphere HA on the cluster.