Identity deployment fails with TLS handshake timeout "LCMVSPHERECONFIG1000095" in VCF9
search cancel

Identity deployment fails with TLS handshake timeout "LCMVSPHERECONFIG1000095" in VCF9

book

Article ID: 428050

calendar_today

Updated On:

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

Deployment of Identity borker fails with the following error message:

Error Code: LCMVSPHERECONFIG1000095

Failed to create services platform cluster. Refer to /var/log/vrlcm/vmsp_bootstrap_xxxxx.log for more details. 
2025/12/01 07:42:09 Create namespace on VCF services platform cluster vcf-mgmt-ba58fa6f61 error: error validating "STDIN": error validating data: failed to download openapi: 
Get "https://#.#.#.#:6443/openapi/v2?timeout=32s": net/http: TLS handshake timeout; if you choose to ignore these errors, turn validation off with --validate=false ERR:DEPLOY0001 - Preparing VCF services platform cluster 
java.lang.Exception: Failed to create services platform cluster. Refer to /var/log/vrlcm/vmsp_bootstrap_xxxxx.log for more details.
2025/12/01 07:42:09 Create namespace on VCF services platform cluster vcf-mgmt-ba58fa6f61error: error validating "STDIN": error validating data: failed to download openapi:
Get "https://#.#.#.#:6443/openapi/v2?timeout=32s": net/http: TLS handshake timeout; if you choose to ignore these errors,
turn validation off with --validate=falseERR:DEPLOY0001 - Preparing VCF services platform cluster 
at com.vmware.vrealize.lcm.vmsp.plugin.tasks.BootstrapVMSPTask.execute(BootstrapVMSPTask.java:108)   at com.vmware.vrealize.lcm.platform.automata.service.Task.retry(Task.java:158) at com.vmware.vrealize.lcm.automata.core.TaskThread.run(TaskThread.java:60) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)  at java.base/java.lang.Thread.run(Unknown Source)

Environment

VCF9

Cause

It This is typically caused by an MTU mismatch in the network path. Large packets required for TLS handshakes or SSH exchanges are dropped if any segment of the network (specifically NSX Host Overlay networks) does not support the required MTU for encapsulated traffic. 

Resolution

Run the tracepath command to the Identity Broker IP indicated in the error:

tracepath <Identity_IP>

or

ping -M do -s <payload_size> <Identity_IP>

Review the output to identify the hop where the MTU size decreases unexpectedly.

Verify the MTU settings on network patch between Fleet Manager and Identity Server . Ensure they are consistent across all hosts in the cluster.

Confirm the physical switches are configured for Jumbo Frames (typically MTU 9000) to support the encapsulated overlay traffic. 

Additional Information

MTU guidance can be found in the 
https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-9-0-and-later/9-0/advanced-network-management/administration-guide/transport-zones-and-transport-nodes/mtu-guidance.html

 

Powered by Wolken Software