Can a standard key provider used for encryption with vCenter automatically reconnect if the VIP goes down?

Article ID: 415024

Products

VMware vCenter Server

Issue/Introduction

A standard key provider is being used for encryption for vCenter with the following settings:

  • The vCenter is pointed to a load balancer (VIP) instead of a single server for KMS
  • The VIP needs to be taken down for maintenance

Once the VIP is down, vCenter does not automatically reconnect to it when it comes back up; manual intervention is required.

Cause

This is working as designed. With a standard key provider, the trust process between vCenter and the KMS server varies by KMS vendor, so it cannot be re-established automatically. Per the blog post about PowerCLI for VM Encryption:

"KMS Server Trust Relationships: After adding the KMS Server you will still have to set up the trust relationship between vCenter and the KMS to use the KMS server(s). Because there are numerous methods to set that trust relationship up we have not provided PowerShell cmdlets to do that."

Resolution

Use the vSphere client to re-confirm the trust relationship between vCenter and the standard KMS server.

Additional Information

vSphere Key Persistence on ESX Hosts: This allows the host to continue performing encryption operations while the KMS is offline.

Configuring and Managing vSphere Native Key Provider: Transitioning to the Native Key Provider avoids the automatic-reconnect limitation described above, since no external KMS trust relationship is involved.