vLCM Remediation failing on multiple ESX hosts - Error: “The cluster needs remediation to finish enabling these Solutions: VMware NSX-T 4.2.1.0.0"


Article ID: 432119


Updated On:

Products

VMware vSphere ESXi VMware NSX

Issue/Introduction

  • NSX Manager shows the error “Failed to install software on host. Remediating hosts through vLCM failed with error: VLCM Service is not running on ComputeManager. Retry Transport Node profile realization at cluster level.”

  • The cluster "Updates" compliance page in vCenter Server shows the error.
  • The KBs "How to disable SHA1 TLS Ciphers - Managing TLS Profiles in vCenter 8.0 U3" and "Disable/Enable NSX-T Manager Ciphers or TLS Settings" were followed to change the VCSA TLS cipher profile to “NIST_2024”, and the following cipher suites were disabled on NSX Manager:

    • TLS_RSA_WITH_AES_128_GCM_SHA256

    • TLS_RSA_WITH_AES_256_GCM_SHA384

    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

 

After the cipher configuration changes, the following errors appear in the logs.

  • VCSA
    • /var/log/vmware/vmware-updatemgr/vum-server/vmware-vum-server.log

2026-02-27T07:34:24.794Z info vmware-vum-server[10326] [Originator@6876 sub=EHP opID=34c0ad69-dd71-409a-bd89-129713872588] Calling NSX-T API /api/v1/vlcm/esx/health/host/perspectives/initialization/status?action=check (/external-tp/http1/<vcsa_fqdn>/443/CB1639E393111E3B58598236754F8508F760B635/api/v1/vlcm/esx/health/host/perspectives/initialization/status?action=check).

2026-02-27T07:34:24.799Z error vmware-vum-server[10326] [Originator@6876 sub=EHP opID=34c0ad69-dd71-409a-bd89-129713872588] Response from localhost/external-tp/http1/ord01m01vinsx01b.rapidscale.local/443/CB1639E393111E3B58598236754F8508F760B635/api/v1/vlcm/esx/health/host/perspectives/initialization/status?action=check: HTTP Status:503 'Service Unavailable'

2026-02-27T07:34:24.799Z warning vmware-vum-server[10326] [Originator@6876 sub=EHP opID=34c0ad69-dd71-409a-bd89-129713872588] Retrying on next NSX-T node due to HTTP 503.

2026-02-27T07:34:24.799Z error vmware-vum-server[10326] [Originator@6876 sub=EHP opID=34c0ad69-dd71-409a-bd89-129713872588] No reachable NSX-T node found.

    • /var/log/vmware/rhttpproxy/rhttpproxy.log

2026-02-23T10:56:53.943Z warning rhttpproxy[02726] [Originator@6876 sub=Default] TLS 1.3 is not allowed, ignoring this configuration

 

  • NSX manager
    • /var/log/proxy/envoy.log

      [2026-02-27T07:34:24.795Z][85679][debug][conn_handler] [source/server/active_tcp_listener.cc:138] [C4256] new connection from <VCSA_IP>:45332

      [2026-02-27T07:34:24.795Z][85679][info][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:225] [C4256] TLS error: 268435640:SSL routines:OPENSSL_internal:NO_SHARED_CIPHER

      [2026-02-27T07:34:24.795Z][85679][debug][connection] [source/common/network/connection_impl.cc:249] [C4256] closing socket: 0

      [2026-02-27T07:34:24.795Z][85679][info][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:225] [C4256] TLS error: 268435640:SSL routines:OPENSSL_internal:NO_SHARED_CIPHER

      [2026-02-27T07:34:24.795Z][85679][debug][conn_handler] [source/server/active_stream_listener_base.cc:120] [C4256] adding to cleanup list

Cause

Cipher suites required by the VCSA "NIST_2024" cipher profile were disabled on NSX Manager. Unless at least one cipher suite required by the profile is enabled on NSX Manager, communication between vCenter and NSX Manager fails. As a result, vLCM cannot install the necessary NSX packages for patching (e.g., VMware NSX-T 4.2.1.0.0) on the ESX hosts.
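
To confirm this cause from the two log files, the envoy handshake failures can be matched to the vum-server errors by time. The script below is an added example, not part of the original article or any VMware tooling: it ties each NO_SHARED_CIPHER error to the peer address of the same connection ID and counts vum-server errors that occur within a window of it. The sample lines are constructed, and the 2-second window and synchronized clocks on both appliances are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the excerpts above; 192.0.2.x are documentation addresses.
ENVOY_LOG = """\
[2026-02-27T07:34:24.795Z][85679][debug][conn_handler] [source/server/active_tcp_listener.cc:138] [C4256] new connection from 192.0.2.10:45332
[2026-02-27T07:34:24.795Z][85679][info][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:225] [C4256] TLS error: 268435640:SSL routines:OPENSSL_internal:NO_SHARED_CIPHER
[2026-02-27T07:34:24.795Z][85679][info][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:225] [C4256] TLS error: 268435640:SSL routines:OPENSSL_internal:NO_SHARED_CIPHER
[2026-02-27T07:35:01.100Z][85679][debug][conn_handler] [source/server/active_tcp_listener.cc:138] [C4257] new connection from 192.0.2.77:51000
"""
VUM_LOG = """\
2026-02-27T07:34:24.799Z error vmware-vum-server[10326] [Originator@6876 sub=EHP opID=example-op] Response from localhost/external-tp/http1/nsx.example.test/443/THUMBPRINT/api/v1/vlcm/esx/health/host/perspectives/initialization/status?action=check: HTTP Status:503 'Service Unavailable'
2026-02-27T07:34:24.799Z error vmware-vum-server[10326] [Originator@6876 sub=EHP opID=example-op] No reachable NSX-T node found.
"""
ENVOY_RE = re.compile(r"^\[(?P<ts>[^\]]+)\].*?\[(?P<conn>C\d+)\] (?P<msg>.*)$")
VUM_RE = re.compile(r"^(?P<ts>\S+) error vmware-vum-server.*(HTTP Status:503|No reachable NSX-T node)")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")

def handshake_failures(envoy_text):
    """Return [(time, peer_ip)] for connections envoy rejected with NO_SHARED_CIPHER."""
    peers, seen, out = {}, set(), []
    for line in envoy_text.splitlines():
        m = ENVOY_RE.match(line.strip())
        if not m:
            continue
        conn, msg = m["conn"], m["msg"]
        if msg.startswith("new connection from "):
            peers[conn] = msg.rsplit(" ", 1)[1].rsplit(":", 1)[0]  # drop the source port
        elif "NO_SHARED_CIPHER" in msg and conn not in seen:
            seen.add(conn)  # envoy logs the error more than once per connection
            out.append((parse_ts(m["ts"]), peers.get(conn, "unknown")))
    return out

def correlate(envoy_text, vum_text, window=timedelta(seconds=2)):
    """Count vum-server 503 / unreachable errors near a handshake failure, per rejected peer."""
    failures = handshake_failures(envoy_text)
    hits = {}
    for line in vum_text.splitlines():
        m = VUM_RE.match(line.strip())
        if not m:
            continue
        when_err = parse_ts(m["ts"])
        for when, peer in failures:
            if abs(when_err - when) <= window:
                hits[peer] = hits.get(peer, 0) + 1
    return hits
```

A non-empty result whose key is the VCSA address indicates that the vLCM errors coincide with NSX Manager rejecting the VCSA TLS handshake. The peer is reported as "unknown" when envoy debug logging is off and the "new connection" lines are absent.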

Resolution

Review the NIST_2024 profile requirements and enable or disable TLS cipher suites on NSX Manager so that they match both the TLS communication requirements and the needs of your environment. Make sure at least one cipher suite is enabled that both VCSA and NSX Manager can communicate over.

  • For the quickest way to restore communication between VCSA and NSX Manager, change the VCSA TLS cipher profile back to “COMPATIBLE” and re-enable the changed NSX Manager cipher suites.

Additional Information

The best practice as documented for VC and NSX TLS ciphers is still to use the default “COMPATIBLE” TLS cipher profile for vCenter to make sure all endpoints are accessible.