vmkernel logs indicate FTCpt warnings :
/var/run/log/vmkernel.log :
[YYYY-MM-DD] Wa(180) vmkwarning: cpu162:2099030)WARNING: FTCpt: 2684: (0 pri) Error reading hello: Bad parameter
[YYYY-MM-DD] Wa(180) vmkwarning: cpu162:2099030)WARNING: FTCpt: 2944: Error starting connection (8000 ms): Bad parameter
[YYYY-MM-DD] Wa(180) vmkwarning: cpu190:2099516)WARNING: VMotionServer: 367: Invalid message type for new connection: 790.  Expecting message of type INIT (0 or 31).
[YYYY-MM-DD] Wa(180) vmkwarning: cpu162:2099030)WARNING: FTCpt: 232: (0 pri) Error reading hello: got 33555222 33554795: Bad parameter

VMware vSphere 8.x
VMware vSphere 7.x

• The FT and vMotion warning alerts start whenever the host is accepting a connection from Security Scanner Server's IP address (Security Scanner Server's IP address doesn’t belong to Management, vStorage or vMotion network)
• Security Scanner Server's IP address periodically performs scans of all hosts looking for known vulnerabilities.
• /var/run/log/vmkernel.log :
  [YYYY-MM-DD] In(182) vmkernel: cpu190:2099516)VMotionServer: 385: Error reading from pending connection: Connection reset by peer
  [YYYY-MM-DD] In(182) vmkernel: cpu190:2099516)MigrateNet: vm 2099516: 3282: Accepted connection from <###.###.###.###>:####
  [YYYY-MM-DD] In(182) vmkernel: cpu190:2099516)MigrateNet: vm 2099516: 3370: dataSocket 0x4328948a65d0 receive buffer size is 563272

We recommend isolating vMotion traffic to a private, non-routable network and limiting port access.

Scanning vMotion network is considered as anti-pattern, because:
- vMotion traffic isn’t encrypted by default , so it should be isolated and not exposed anyway.
- External entities should never be able to connect to those ports in the first place.