The MP-to-Host connection fails 24 hours after utilizing CA-signed certificates for APH services on the MP

Article ID: 417062

Products

VMware NSX

Issue/Introduction

  • When CA-signed certificates are used for APH services such as APH_TN or APH_AR on the NSX Managers, the Host-MP connection terminates exactly 24 hours after the certificate replacement.
  • The host is then unable to re-establish the connection, and the connection does not recover on its own.
  • The NSX UI may raise "Control Channel To Transport Node Down" alarms.
  • Log lines like the following appear on the ESXi host in /var/run/log/nsx-syslog (addresses and IDs masked):
    2025-05-23T00:28:10.896Z In(182) nsx-proxy: NSX 81###### - [nsx@6876 comp="nsx-esx" subcomp="nsx-proxy" s2comp="nsx-rpc" tid="81########" level="INFO"] RpcConnection[143### Closed to ssl://#.#.#.#:1234 0] Notifying channels on connection down (remote certificates CRL validation failed)

Environment

  • VMware NSX 4.2.0.x
  • VMware NSX 4.1.x
  • VMware NSX 4.0.x
  • VMware NSX-T 3.x

Cause

This issue occurs when the APH service uses a CA-signed certificate and only the leaf certificate is exchanged during the SSL handshake between the transport node (TN) and the Manager (MP). The CRL Manager on the TN then sends only the leaf certificate to CertificateService for validation instead of the complete certificate chain, so CRL validation fails and nsx-proxy closes the connection, as the log line above shows.

Resolution

This issue is resolved in VMware NSX 4.2.1 and above, available at Broadcom downloads.

If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.

Workaround:

Two workarounds are available:

  1. Use a self-signed APH certificate to bypass this issue.
  2. If a self-signed APH certificate is not feasible, the following steps on the affected ESXi host temporarily recover the MP-Host connection. Note that the connection will be terminated again 24 hours after the workaround is applied, so the steps must be repeated until the upgrade to NSX 4.2.1 or later.
    1. Stop nsx-proxy: /etc/init.d/nsx-proxy stop
    2. Flush the CRL manager certificate status from NestDb: /opt/vmware/nsx-nestdb/bin/nestdb-cli --json --cmd flush vmware.nsx.nestdb.CrlCertificatesCacheMsg
    3. Start nsx-proxy: /etc/init.d/nsx-proxy start
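The following is an added example and not part of this KB or of any Broadcom tooling: a POSIX shell script for the ESXi host that checks the nsx-syslog file for the "remote certificates CRL validation failed" disconnect quoted above and runs the three workaround steps only when that message is present. The LOG_FILE and DRY_RUN variables are assumptions of this script; DRY_RUN=1 prints the commands instead of executing them so the logic can be exercised off-box. The three commands it runs are exactly the ones listed in the workaround.

```shell
#!/bin/sh
# Added example (not from the KB). Detects the CRL-validation disconnect in
# nsx-syslog and applies the three-step nsx-proxy recovery from the workaround.
# LOG_FILE and DRY_RUN are assumed knobs for this script, not NSX settings.

LOG_FILE="${LOG_FILE:-/var/run/log/nsx-syslog}"
DRY_RUN="${DRY_RUN:-0}"
# Cause string that nsx-proxy logs when it closes the MP connection.
PATTERN='remote certificates CRL validation failed'

# Return 0 if the CRL-validation disconnect appears in the log file given as $1.
crl_failure_seen() {
    grep -q "$PATTERN" "$1"
}

# Print how many times the CRL-validation disconnect was logged in $1.
crl_failure_count() {
    grep -c "$PATTERN" "$1" || true
}

# Execute a command, or only print it when DRY_RUN=1.
run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# The workaround, in order: stop nsx-proxy, flush the cached CRL certificate
# status from NestDb, start nsx-proxy. Stops at the first failing step.
recover_mp_host_connection() {
    run_cmd /etc/init.d/nsx-proxy stop &&
    run_cmd /opt/vmware/nsx-nestdb/bin/nestdb-cli --json --cmd flush \
        vmware.nsx.nestdb.CrlCertificatesCacheMsg &&
    run_cmd /etc/init.d/nsx-proxy start
}

# Run the recovery only when the log shows this specific failure, so the
# proxy is not restarted for unrelated control-channel alarms.
# Returns 0 after recovery, 2 when the log did not match.
recover_if_needed() {
    if crl_failure_seen "$LOG_FILE"; then
        echo "CRL validation disconnect found in $LOG_FILE; applying workaround"
        recover_mp_host_connection
    else
        echo "no CRL validation disconnect in $LOG_FILE; nothing to do"
        return 2
    fi
}
```

Because the KB states the connection drops again 24 hours after the workaround, the script is written to be safe to re-run whenever the "Control Channel To Transport Node Down" alarm reappears: it does nothing unless the CRL cause string is actually present.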