vSphere Replication health check fails with "Connect: certificate verify failed (SSL routines)" during Enhanced Replication mapping.
search cancel

vSphere Replication health check fails with "Connect: certificate verify failed (SSL routines)" during Enhanced Replication mapping.

book

Article ID: 427924

calendar_today

Updated On:

Products

VMware Live Recovery

Issue/Introduction

Symptoms:

When performing an Enhanced Replication mapping test or configuring replication, the process fails with the following error:

  • Fault occurred while performing health check. Details: 'Connect: certificate verify failed (SSL routines)'

       

  • Replication may fail to initialize, and the management interface indicates a communication breakdown between sites.

  • Source ESXi host /var/run/log/hbrsrv.logs may show the below messages:

    2026-01-23T05:58:43.707Z Wa(180) vmkwarning: cpu1:5600300 WARNING: Hbr: 571: Connection failed to 10.###.##.### (groupID=GID-d6####44-####-####-####-a8#####8
    ##a5): Timeout
    2026-01-23T05:58:43.707Z Wa(180) vmkwarning: cpu1:5600300 WARNING: Hbr: 5362: Failed to establish connection to [10.###.##.###]:31031 (groupID=GID-d6####44-
    ####-4##a-####-a8#######a5): Timeout

Environment

VMware Live Site Recovery 9.x

Cause

The error is triggered by a communication failure between the Source ESXi hosts and the Target Infrastructure. While the error message points to a certificate verification failure, the root cause is typically a network timeout preventing the SSL handshake from completing.

For Enhanced Replication to function successfully, the following network requirements must be met:

The Source ESXi hosts must communicate with the Target vSphere Replication Appliance over port 31031.

The Source ESXi hosts must also have port 32032 open to the Target ESXi hosts (and vice versa) to facilitate the Host-Based Replication (HBR) traffic.

Validation:

From the Source ESXi host, test the connection to the Target VR Appliance:

[root@esx#####:~ ] nc -zv 10.###.##.### 31031
nc: connect to 10.###.##.### port 31031 (tcp) failed: Connection timed out

From the Source ESXi host, test the connection to the Target ESXi host:

[root@esx#####:~ ] nc -zv 10.###.##.### 32032
nc: connect to 10.###.##.### port 31031 (tcp): Connection success

 

Resolution

To resolve this issue, you must ensure that the network infrastructure allows traffic on all mandatory vSphere Replication ports.

1. Ensure that TCP port 31031 is open from the Source ESXi hosts to the Target vSphere Replication Appliance. This is required for the initial handshake and control plane of Enhanced Replication.

2. Ensure port TCP port 32032 is open from the Source ESXi hosts to the Target ESXi hosts.

Additional Information

You can refer: 

Enhanced Replication Mappings Show Error: Fault occurred while performing health check. Details: 'Connect: certificate verify failed (SSL routines)'

Enhanced Replication Mappings Error: Fault occurred while performing health check. Details: 'Connect: certificate verify failed (SSL routines). 

Powered by Wolken Software