vLCM pre-check fails with "Failed to run health checks for NSX-T on '<ClusterName>' or '<ESXi hostname>'"

Article ID: 430928

Products

VMware Cloud Foundation
VMware NSX

Issue/Introduction

When performing an ESXi patch or update pre-check using vSphere Lifecycle Manager (vLCM) on an image-based cluster, the operation fails with the following error:

"Failed to run health checks for NSX-T on <Clustername> or <ESXi hostname>."

This issue occurs when hosts are prepared for NSX-T and the Compute Manager shows "Registered" or "Registered with Errors" with the connectivity between vCenter and NSX Manager reported as UP, but the NSX service account permissions were not created properly on vCenter.

The vCenter UI displays a malformed permission entry as NULL\nsxt_<Compute_Manager_UUID> under the Permissions tab.

Environment

VMware Cloud Foundation 
VMware NSX 4.x
VMware vCenter Server
vSphere Lifecycle Manager (vLCM)

Cause

During Compute Manager registration, the NSX Manager creates a service account on vCenter and then attempts to grant the required permissions to that account. If a transient network issue (e.g., connection timeout) occurs during the permission-granting step, the service account is created on vCenter but the permission assignment fails or completes partially. This results in a malformed NULL\nsxt_<UUID> permission entry on vCenter, which prevents the NSX service account from functioning correctly for vLCM health checks.

Resolution

  1. Remove the malformed service account and permission from vCenter:

    - In the vCenter UI, navigate to the Permissions tab where the NULL\nsxt_<Compute_Manager_UUID> entry is displayed.
    - Delete the NULL\nsxt_<Compute_Manager_UUID> permission entry.
    - Delete the corresponding NSX service account from vCenter.

  2. Re-create the service account with proper permissions:

    - For NSX 4.2.x and later: Edit the Compute Manager entry in the NSX UI and re-enter the credentials. This triggers the service account re-creation with the required permissions.

  3. Verify: After re-creation, confirm that the Permissions tab on vCenter shows the correct entry (e.g., vsphere.local\nsxt_<UUID>) and that the Compute Manager connection status is UP. Retry the vLCM pre-check.
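The check in step 3 can be scripted when many permission entries have to be reviewed. The following is an added example, not part of the original article or any VMware tooling: it assumes the principals from the vCenter Permissions tab have been exported as plain `DOMAIN\name` strings, and the sample values and the state names are constructed for illustration.

```python
import re
from collections import defaultdict

# Principal layout taken from the article: DOMAIN\nsxt_<Compute_Manager_UUID>.
# The id after "nsxt_" is treated as an opaque token (assumption).
NSX_PRINCIPAL = re.compile(r"^(?P<domain>[^\\]+)\\nsxt_(?P<cm_id>\S+)$")


def audit_nsx_principals(principals):
    """Classify NSX service-account principals per Compute Manager id.

    States (names are this example's own):
      malformed        - only a NULL\\nsxt_<id> entry exists (steps 1 and 2 needed)
      stale-null-entry - a valid entry exists but the NULL one was not deleted
      ok               - only entries with a real domain exist
    """
    domains = defaultdict(set)
    for principal in principals:
        match = NSX_PRINCIPAL.match(principal.strip())
        if match:  # ignore non-NSX principals such as administrators
            domains[match["cm_id"].lower()].add(match["domain"])

    report = {}
    for cm_id, seen in domains.items():
        has_null = any(d.upper() == "NULL" for d in seen)
        has_valid = any(d.upper() != "NULL" for d in seen)
        if has_null and has_valid:
            state = "stale-null-entry"
        elif has_null:
            state = "malformed"
        else:
            state = "ok"
        report[cm_id] = {"state": state, "domains": sorted(seen)}
    return report


# Constructed sample export. Raw strings are required: in a normal string
# literal the "\n" in "NULL\nsxt_..." would be read as a newline.
SAMPLE_PRINCIPALS = [
    r"VSPHERE.LOCAL\Administrator",
    r"NULL\nsxt_11111111-2222-3333-4444-555555555555",
    r"vsphere.local\nsxt_aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
]

if __name__ == "__main__":
    for cm_id, result in audit_nsx_principals(SAMPLE_PRINCIPALS).items():
        print(f"{cm_id}: {result['state']} ({', '.join(result['domains'])})")
```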

Additional Information

Related existing KB articles:
ESXi Hosts Patch Remediation Failed with "Failed to run health checks for NSX-T on 'cluster'" when Compute Manager connection is down. 
Upload NSX-LCP bundle failed: Permission to perform this operation was denied