The vCenter Native Key Provider (NKP) shows a Warning state. This warning leads to the critical symptom where you cannot power on new or shut-down Virtual Machines (VMs), resulting in the error: "No host is compatible with the virtual machine."
All ESXi hosts in the vCenter inventory show a "Connected" status.
The following errors are present in the vCenter Server log /var/log/vmware/vpxd/vpxd.log:
error vpxd[####] [Originator@#### sub=CryptoManager opID=####] Failed to invoke kmxa vAPI "Providers.List" on host Host_FQDN--> JWT Error:-->
error vpxd[####] [Originator@#### sub=CryptoManager opID=####] Failed to list native key providers on host-####: N4Vpxd7Clients19ErrorValueExceptionE(Null error pointer!)--> --> Skip remediation
warning vpxd[####] [Originator@#### sub=IO.Connection opID=SWI-####] Failed to resolve address; <resolver p:0x00007f7274d983c0, 'Host_FQDN:443', next:(null)>, e: 1(Host not found (authoritative)), async: true, duration: 0msec
warning vpxd[####] [Originator@#### sub=HttpConnectionPool-#### opID=SWI-####] Failed to get pooled connection; <cs p:00007f7248510290, TCP:Host_FQDN:443>
VMware vCenter Server 8.X
The vCenter Server places the Native Key Provider in a Warning state because it cannot resolve the Fully Qualified Domain Names (FQDNs) of one or more ESXi hosts within the cluster.
vCenter Server relies on consistent name resolution to communicate with and manage the cryptographic status of all ESXi hosts. The name resolution failure prevents vCenter Server from confirming the status or distributing keys to the affected hosts.
The primary resolution is to restore proper FQDN resolution for all affected ESXi hosts from the vCenter Server.
1. Identify the affected ESXi hosts:
Access the vCenter Server Shell via SSH.
Review the vCenter Server log file to find the hosts involved in the communication failures:
grep "Failed to invoke kmxa vAPI" /var/log/vmware/vpxd/vpxd.log
Identify the specific <Host-FQDN> listed in the log errors.
Test name resolution from the vCenter Server command line to confirm the failure:
ping <Host-FQDN>
nslookup <Host-FQDN>
2. Correct name resolution using one of the following methods:
Recommended (Standard Practice): Engage the Active Directory/DNS team to immediately create or correct the missing Forward and Reverse DNS records for the affected ESXi hosts in the centralized DNS system. Once updated, verify resolution using nslookup.
Temporary Workaround: Use this method only if you cannot update DNS immediately; maintaining static entries in the vCenter Server hosts file is not a standard practice.
Access the vCenter Server Shell via SSH.
Edit the hosts file using a text editor like vi:
vi /etc/hosts
Add the missing entries for the affected ESXi hosts in the following format. Ensure you include the IP, the FQDN, and the Short Name:
<IP Address> <Host-FQDN> <Host-ShortName>
Save the changes to the /etc/hosts file.
Verify resolution from the vCenter Server again using nslookup <Host-FQDN>.
After correcting the name resolution, observe the Native Key Provider status in the vCenter UI. It should automatically transition from Warning to Active.
Ensure that you can power on the previously affected virtual machines.
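The following script, added here as an example and not part of the original article, automates step 1 and prepares the workaround line from step 2: it extracts every host name that vpxd reports in the "Failed to invoke kmxa vAPI" messages, checks whether the vCenter appliance can resolve each one, and formats the /etc/hosts entry. It assumes a bash shell with grep, sed, sort and getent available, as in the vCenter Server appliance shell; the host names, PIDs and opIDs in the embedded sample log are constructed.

```shell
#!/usr/bin/env bash
# Added example (not part of the KB article): list the ESXi hosts that vpxd
# reports as failing the kmxa "Providers.List" call, check name resolution
# for each from this vCenter appliance, and build the /etc/hosts workaround
# line. Assumes bash with grep, sed, sort and getent (vCenter appliance shell).

VPXD_LOG="${VPXD_LOG:-/var/log/vmware/vpxd/vpxd.log}"

# Constructed sample log lines modelled on the messages quoted in the KB.
SAMPLE_LOG=$(cat <<'EOF'
error vpxd[12345] [Originator@6876 sub=CryptoManager opID=a1] Failed to invoke kmxa vAPI "Providers.List" on host esx02.lab.example.com--> JWT Error:
error vpxd[12345] [Originator@6876 sub=CryptoManager opID=a1] Failed to list native key providers on host-1001: N4Vpxd7Clients19ErrorValueExceptionE(Null error pointer!)
warning vpxd[12345] [Originator@6876 sub=IO.Connection opID=SWI-7] Failed to resolve address; <resolver p:0x0, 'esx02.lab.example.com:443', next:(null)>, e: 1(Host not found (authoritative))
error vpxd[12345] [Originator@6876 sub=CryptoManager opID=b2] Failed to invoke kmxa vAPI "Providers.List" on host esx01.lab.example.com--> JWT Error:
error vpxd[12345] [Originator@6876 sub=CryptoManager opID=c3] Failed to invoke kmxa vAPI "Providers.List" on host esx02.lab.example.com--> JWT Error:
EOF
)

# Read vpxd log text on stdin; print each affected host FQDN once.
# The name sits between "on host " and the "-->" continuation marker.
extract_nkp_hosts() {
  grep -oE 'on host [A-Za-z0-9._-]+--' | sed -E 's/^on host //; s/--$//' | sort -u
}

# Production resolver: succeeds only if the name resolves on this appliance.
resolves() {
  getent ahosts "$1" >/dev/null 2>&1
}

# Read host names on stdin; print "OK <host>" or "UNRESOLVED <host>" per host.
# $1 names the resolver function (defaults to resolves; tests pass a fake).
report_resolution() {
  local resolver="${1:-resolves}" host
  while IFS= read -r host; do
    if "$resolver" "$host"; then echo "OK $host"; else echo "UNRESOLVED $host"; fi
  done
}

# Build the workaround line "<IP> <FQDN> <short name>"; the short name is
# the first DNS label of the FQDN.
hosts_entry() {
  printf '%s %s %s\n' "$1" "$2" "${2%%.*}"
}

# Offline demo on the sample, then the real log when it is readable.
echo "Hosts named in sample log:"; printf '%s\n' "$SAMPLE_LOG" | extract_nkp_hosts
if [ -r "$VPXD_LOG" ]; then
  extract_nkp_hosts < "$VPXD_LOG" | report_resolution
fi
```

Run it on the appliance as root; any host printed as UNRESOLVED is one whose DNS records (or temporary hosts entry) need fixing before the Native Key Provider can return to Active.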