ESXi hosts intermittently fluctuate to "Not responding" in vCenter Server


Article ID: 430152


Products

VMware vSphere ESXi, VMware vCenter Server

Issue/Introduction

ESXi hosts within a cluster experience intermittent disconnections from the vCenter Server, frequently transitioning between "Not responding" and "Connected" states in the vSphere UI.

Symptoms:

  • vMotion operations fail with the error: An error occurred while communicating with the remote host.

  • The ESXi host certificate UI (Navigate to: ESXi host > Configure > System > Certificate) displays a blank page.

  • Attempts to renew the ESXi host certificate fail with the error: A general system error occurred: Unable to get CSR from host.

vCenter: /var/log/vmware/vpxd/vpxd.log

warning vpxd[2089317] [Originator@6876 sub=IO.Connection opID=HostSync-host-xxx-xxxxxx-WorkQueue-12112] Failed to SSL handshake; SSL(<io_obj p:0x00007f7d5009e730, h:104, <TCP '<vCenter_IP> : 46210'>, <TCP '<Host_IP> : 443'>>), e: 104(Connection reset by peer), duration: 219msec

 

ESXi Host: /var/run/log/rhttpproxy.log

warning rhttpproxy[2105077] [Originator@6876 sub=IO.Connection] Failed to SSL handshake; SSL(<io_obj t:N7Vmacore6System19TCPSocketObjectAsioE, h:25, <TCP '<Host_IP> : 443'>, <TCP '<vCenter_IP> : 52744'>>), e: 104(Connection reset by peer), duration: 218msec
warning rhttpproxy[2105077] [Originator@6876 sub=RhttpProxy] SSL Handshake failed for stream ... N7Vmacore15SystemExceptionE(Connection reset by peer: The connection is terminated by the remote end with a reset packet. Usually, this is a sign of a network problem, timeout, or service overload.)

Environment

 

  • VMware vCenter Server

  • VMware ESXi

 

Cause

Communication between the vCenter Server and the ESXi hosts on port 443 is being intercepted and disrupted by an intermediary network device.

Packet captures confirm that TCP connection resets (RST) are injected into the network path, causing the SSL handshakes to fail.

This behavior is characteristic of network firewalls, Intrusion Prevention Systems (IPS), or breach detection systems actively dropping management traffic.

Resolution

To resolve this issue, uninterrupted communication must be restored on the management ports.

  1. Engage the network security or firewall team to investigate the network path between the vCenter Server and the affected ESXi hosts.

  2. Review firewall rules, Intrusion Prevention System (IPS) logs, or breach detection systems for intercepted traffic on port 443 between the vCenter Server and ESXi hosts.

  3. Configure the security devices to mark this specific vCenter-to-ESXi management traffic as a false positive and allow it without interception or deep packet inspection.

Once the network intervention is removed, the SSL handshakes will complete successfully, stabilizing the host connection state, restoring vMotion capabilities, and enabling certificate management.
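To scope which hosts are affected before engaging the network team, the handshake-reset signature from the vpxd.log and rhttpproxy.log excerpts above can be tallied per client/host pair. This is an added example, not VMware tooling; the function names are hypothetical and the sample lines are constructed from the article's redacted excerpts with documentation-range IPs.

```python
import re
from collections import Counter

# Signature of the "Failed to SSL handshake" warning in vpxd.log and
# rhttpproxy.log: two <TCP 'addr : port'> endpoints, an errno, a duration.
HANDSHAKE_RE = re.compile(
    r"(?P<proc>vpxd|rhttpproxy)\[\d+\].*?Failed to SSL handshake;.*?"
    r"<TCP '(?P<a>[^']+?) : (?P<aport>\d+)'>,\s*"
    r"<TCP '(?P<b>[^']+?) : (?P<bport>\d+)'>.*?"
    r"e: (?P<errno>\d+)\([^)]*\), duration: (?P<ms>\d+)msec"
)

def parse_reset(line):
    """Return details of a handshake that ended in errno 104, else None."""
    m = HANDSHAKE_RE.search(line)
    if not m or m["errno"] != "104":
        return None
    # The ESXi side is the endpoint on port 443; the other is the client.
    esxi, client = (m["a"], m["b"]) if m["aport"] == "443" else (m["b"], m["a"])
    return {"log": m["proc"], "client": client, "esxi": esxi, "ms": int(m["ms"])}

def summarize(lines):
    """Tally resets per (client, ESXi) pair with the shortest duration seen."""
    counts, fastest = Counter(), {}
    for line in lines:
        ev = parse_reset(line)
        if ev:
            key = (ev["client"], ev["esxi"])
            counts[key] += 1
            fastest[key] = min(ev["ms"], fastest.get(key, ev["ms"]))
    return counts, fastest

# Constructed sample: the article's redacted lines with documentation-range
# IPs (192.0.2.0/24) filled in, plus one timeout line for contrast.
SAMPLE = [
    "warning vpxd[2089317] [Originator@6876 sub=IO.Connection opID=HostSync-host-xxx-xxxxxx-WorkQueue-12112] Failed to SSL handshake; SSL(<io_obj p:0x00007f7d5009e730, h:104, <TCP '192.0.2.10 : 46210'>, <TCP '192.0.2.21 : 443'>>), e: 104(Connection reset by peer), duration: 219msec",
    "warning rhttpproxy[2105077] [Originator@6876 sub=IO.Connection] Failed to SSL handshake; SSL(<io_obj t:N7Vmacore6System19TCPSocketObjectAsioE, h:25, <TCP '192.0.2.21 : 443'>, <TCP '192.0.2.10 : 52744'>>), e: 104(Connection reset by peer), duration: 218msec",
    "warning rhttpproxy[2105077] [Originator@6876 sub=IO.Connection] Failed to SSL handshake; SSL(<io_obj t:N7Vmacore6System19TCPSocketObjectAsioE, h:31, <TCP '192.0.2.22 : 443'>, <TCP '192.0.2.10 : 52801'>>), e: 110(Connection timed out), duration: 30012msec",
]

if __name__ == "__main__":
    counts, fastest = summarize(SAMPLE)
    for (client, esxi), n in counts.most_common():
        print(f"{client} -> {esxi}:443  resets={n}  fastest={fastest[(client, esxi)]}ms")
```

The same pair appearing in both logs, with each side reporting a reset by its peer, is consistent with the cause described above, and the resulting list of pairs gives the firewall or IPS team concrete source and destination addresses to search for.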