After replacing the default certificate on ESXi hosts, vSphere HA reports "Agent Unreachable state" or is stuck in Election State
Article ID: 402263

Products

VMware vCenter Server

Issue/Introduction

  • The issue is seen only after the default certificate on the ESXi hosts has been replaced
  • One host in the cluster gets configured for HA, but the other nodes report "HA Agent Unreachable" or are stuck in Election state
  • Primary node ESXi - /var/run/log/fdm.log (the host on which HA was configured without issues)

    2025-05-20T09:14:02.226Z Db(167) Fdm[9705572]: [Originator@6876 sub=Cluster opID=WorkQueue-59d0aa06] (VMFS) host-#### @ 00:##:##:##:##:## is ALIVE
    2025-05-20T09:14:02.476Z In(166) Fdm[9705577]: [Originator@6876 sub=Cluster opID=WorkQueue-60c9d31e] Trusted host not found. Failing to verify the host; host: (<Host IP>:49516)
    2025-05-20T09:14:02.476Z Db(167) Fdm[9705577]: [Originator@6876 sub=Cluster opID=WorkQueue-60c9d31e] Blacklisting ip address <Host IP>  for 60 seconds
    2025-05-20T09:14:02.476Z Db(167) Fdm[9705577]: [Originator@6876 sub=Cluster opID=WorkQueue-60c9d31e] IP <Host IP> marked bad for reason Invalid Credentials
    2025-05-20T09:14:02.476Z Wa(164) Fdm[9705577]: [Originator@6876 sub=Cluster opID=WorkQueue-60c9d31e] Failed to verify host  (<Host IP>) - closing connection
    2025-05-20T09:14:02.476Z Db(167) Fdm[9705577]: [Originator@6876 sub=Message opID=WorkQueue-60c9d31e] Accept completion callback error N5Vmomi5Fault13SecurityError9ExceptionE(Fault cause:
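To triage this across a whole cluster rather than reading fdm.log by hand, the following added example (not part of this KB) parses lines in the format shown above and lists every peer the primary node refused to trust, with the attempt count, time window and the recorded reason. The sample lines are constructed to mirror the excerpt; the `<Host IP>` placeholder is replaced with a documentation-range address.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the fdm.log excerpt in this KB; the <Host IP>
# placeholder is replaced with a documentation-range address. Not captured from a real host.
SAMPLE_FDM_LOG = """\
2025-05-20T09:14:02.226Z Db(167) Fdm[9705572]: [Originator@6876 sub=Cluster opID=WorkQueue-59d0aa06] (VMFS) host-1001 @ 00:50:56:aa:bb:cc is ALIVE
2025-05-20T09:14:02.476Z In(166) Fdm[9705577]: [Originator@6876 sub=Cluster opID=WorkQueue-60c9d31e] Trusted host not found. Failing to verify the host; host: (192.0.2.10:49516)
2025-05-20T09:14:02.476Z Db(167) Fdm[9705577]: [Originator@6876 sub=Cluster opID=WorkQueue-60c9d31e] Blacklisting ip address 192.0.2.10  for 60 seconds
2025-05-20T09:14:02.476Z Db(167) Fdm[9705577]: [Originator@6876 sub=Cluster opID=WorkQueue-60c9d31e] IP 192.0.2.10 marked bad for reason Invalid Credentials
2025-05-20T09:14:02.476Z Wa(164) Fdm[9705577]: [Originator@6876 sub=Cluster opID=WorkQueue-60c9d31e] Failed to verify host  (192.0.2.10) - closing connection
2025-05-20T09:15:02.480Z In(166) Fdm[9705577]: [Originator@6876 sub=Cluster opID=WorkQueue-61a0ff21] Trusted host not found. Failing to verify the host; host: (192.0.2.10:49520)
2025-05-20T09:15:02.480Z Db(167) Fdm[9705577]: [Originator@6876 sub=Cluster opID=WorkQueue-61a0ff21] IP 192.0.2.10 marked bad for reason Invalid Credentials
"""

# Generic FDM line: timestamp, level, pid, bracketed context (opID is optional), message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+\(\d+\)) Fdm\[\d+\]: \[Originator@\d+ sub=(?P<sub>\w+)"
    r"(?: opID=(?P<opid>[^\]]+))?\] (?P<msg>.*)$")
# The two messages that together identify a peer rejected on certificate trust.
UNTRUSTED_RE = re.compile(r"Trusted host not found\. Failing to verify the host; host: \((?P<ip>[^:)]+):\d+\)")
MARKED_BAD_RE = re.compile(r"^IP (?P<ip>\S+) marked bad for reason (?P<reason>.+)$")

def parse_line(line):
    """Split one fdm.log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def rejected_peers(log_text):
    """Return {ip: {attempts, reasons, first, last}} for every peer the primary FDM refused to trust."""
    peers = defaultdict(lambda: {"attempts": 0, "reasons": set(), "first": None, "last": None})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["sub"] != "Cluster":
            continue  # only the Cluster sub-component emits the trust decisions
        if (m := UNTRUSTED_RE.search(rec["msg"])):
            p = peers[m["ip"]]
            p["attempts"] += 1
            p["first"] = p["first"] or rec["ts"]
            p["last"] = rec["ts"]
        elif (m := MARKED_BAD_RE.match(rec["msg"])):
            peers[m["ip"]]["reasons"].add(m["reason"])
    return dict(peers)

def report(log_text):
    """One summary line per rejected peer, suitable for a ticket or a monitoring check."""
    return [f"{ip}: {p['attempts']} failed verification(s) between {p['first']} and {p['last']}; "
            f"reason(s): {', '.join(sorted(p['reasons'])) or 'n/a'}"
            for ip, p in sorted(rejected_peers(log_text).items())]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FDM_LOG)))
```

A peer that only shows "is ALIVE" never appears in the report, so the output is exactly the set of hosts whose certificates need to be regenerated and replaced.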

Environment

  • VMware vCenter 8.x
  • VMware ESXi 8.x

Cause

vSphere HA relies on the host certificate to decide whether a host is trusted to join the HA cluster. Any failure to validate the certificate results in the host being marked as not trusted, which in turn causes the HA configuration task to fail.

Resolution

Re-generate the custom certificate with the required fields as detailed in the KB Configuring OpenSSL for installation and configuration of CA signed certificates in the vSphere environment, and replace the custom certificate on the ESXi hosts as described in Replacing the Default ESXi Certificate with a Custom Certificate.

Reconnecting the host(s) to vCenter and reconfiguring HA on them may be needed to return them to a functional HA cluster.