"Error communicating to VC endpoint IP:443. Reason: Connection TimeoutException"
ping <vCenter IP> - successful
ping <vCenter FQDN> - successful
curl -k -v https://<vCenter-FQDN> - Fails to complete the TLS handshake between HCX and vCenter
openssl s_client -connect <VC-IP>:443 - Fails to fetch the complete certificate
VMware HCX
The "TLS1.2 Client Hello" packet sent from HCX was found to be dropped at the L3 routing device and was never seen on the firewall. As a result, the vCenter kept retransmitting "SYN,ACK" to HCX.
1. Execute Packet Capture
Log in as root to the ESXi host on which the HCX Manager VM resides and perform a packet capture. This verifies whether the TCP/TLS packets are successfully egressing toward the next hop or are failing to reach the vCenter IP.
For more information about packet capture, see the article: Packet capture on ESXi using the pktcap-uw tool
2. Identify the Drop Point
Physical Layer Drops: If the capture shows packets leaving the host but receiving no response, the traffic is likely being dropped by a physical router or firewall.
Connection Failure: Any disruption in this TCP/TLS handshake will result in the HCX Manager failing to register or communicate with vCenter.
3. If the logs confirm that packets are sent but not acknowledged beyond the host, provide the capture data to your Networking or Firewall team for deeper investigation into routing rules and security policies.
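Before handing the capture over, it helps to record from the client side which stage stalls. The following is an added example, not part of the original article or of VMware tooling: a Python 3 probe that reports whether a connection fails at TCP connect or hangs after the Client Hello, which is the pattern described above. The function names and the loopback listener are constructed for illustration, and it assumes Python 3 is available on a host in the same network segment as HCX Manager.

```python
import socket
import ssl

def probe(host, port=443, timeout=5.0):
    """Report whether a connection stalls at TCP connect or at the TLS handshake."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # refused, unreachable, or SYN never answered
        return "tcp_failed", str(exc)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # diagnostic only, like curl -k
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with sock:
            sock.settimeout(timeout)
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "tls_ok", tls.version()
    except socket.timeout:
        # TCP is up but nothing answered the Client Hello: the pattern in this
        # article, where the packet is dropped on the path to vCenter.
        return "tls_timeout", "no reply to Client Hello within %.1fs" % timeout
    except (ssl.SSLError, OSError) as exc:  # reset or protocol error
        return "tls_failed", str(exc)

def silent_listener():
    """Constructed stand-in for the faulty path: the kernel completes the TCP
    handshake for the listening socket, but nothing ever answers the Client Hello."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    srv, port = silent_listener()
    print(probe("127.0.0.1", port, timeout=1.0))
    srv.close()
```

A "tls_timeout" result against the vCenter IP, combined with a capture showing the Client Hello leaving the ESXi host, points the investigation at the devices between the host and vCenter.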
For errors related to "SocketException", please refer to: HCX Manager - "Error communicating to VC endpoint Reason: SocketException"