vSAN Skyline health reports alarm "vSAN cluster configuration consistency" with error : HostEncryptionConfigurationAbortedWithIntermediateEncryptionConfigurationLeft

Article ID: 432511

Products

VMware vSAN

Issue/Introduction

Symptoms:

  • vSAN Skyline health reports alarms under "vCenter UI > vSAN cluster > Monitor > Skyline health".

  • The details of the cluster configuration consistency alarm show the error "Host encryption configuration aborted with intermediate encryption configuration left".

Additional errors that can be seen with this issue:

  • Host key for host core dump encryption is inconsistent with cluster configuration
  • The host deep rekey has not finished 
  • The configuration of erasing disks before use on the host is inconsistent with cluster configuration 
  • Object encryption state is inconsistent with the cluster configuration 
  • The disk deep rekey has not finished 
  • Disk is not encrypted, but encryption is enabled on cluster 

 

The above errors can be viewed in vCenter "/var/log/vmware/vsan-health/vmware-vsan-health-summary-result.log":
 
2026-03-03T13:34:37.703Z INFO vsan-mgmt[3604765] [VsanHealthSummaryLogUtil::PrintHealthResult opID=##d9] Cluster ##  Overall Health : red
   Group cluster health : red
      Test consistentconfig health : red
         Issues: Host  Disk  Issue  Recommendation
                 (Host-42388, '', HostEncryptionConfigurationAbortedWithIntermediateEncryptionConfigurationLeft., Click'RemediateInconsistentConfiguration'),
                 (Host-42393, '', HostEncryptionConfigurationAbortedWithIntermediateEncryptionConfigurationLeft., Click'RemediateInconsistentConfiguration'),
                 (Host-42416, '', HostEncryptionConfigurationAbortedWithIntermediateEncryptionConfigurationLeft., Click'RemediateInconsistentConfiguration'),
 

Environment

VMware vSAN 8.x

Cause

The 'vSAN cluster configuration consistency' alarms are reported because of an inconsistency in the health 'changing' flag during encryption.

This alarm is triggered when the state of the vSAN health field 'changing' has not been "checked", or is reported as "changingstatenotfinished", and is marked as an encryption issue before the encryption configuration has been completed.

Normally, the vSAN health field 'changing' is defined by vSAN mgmt and is used during encryption configuration. vSAN mgmt sets the cluster and host 'changing' field to True when it starts to reconfigure vSAN encryption, and sets the 'changing' field to False when the encryption configuration is done.
 
  • The messages below appear in vCenter "/var/log/vmware/vsan-health/vmware-vsan-health-service.log": the vSAN health "changing" field state checks are done while the encryption configuration has not been completed. This makes the "changing" field misleading during the encryption.
2026-03-03T13:34:36.632Z WARNING vsan-mgmt[3604765] [VsanHealthEncUtil::_CheckChangingHealth opID=##d9] Host: ##.corp.##.com has not finished encryption configuration
2026-03-03T13:34:36.632Z WARNING vsan-mgmt[3604765] [VsanHealthEncUtil::_AggregateEncryptionConfigHealth opID=##d9] Host: ##.corp.###.com has encryptionIssues: ['changingstatenotfinished']  >>> "Change" field health has not been checked.
2026-03-03T13:34:36.632Z WARNING vsan-mgmt[3604765] [VsanHealthEncUtil::_CheckChangingHealth opID=608dffd9] Host:##.corp.###.com has not finished encryption configuration
2026-03-03T13:34:36.632Z WARNING vsan-mgmt[3604765] [VsanHealthEncUtil::_AggregateEncryptionConfigHealth opID=##d9] Host: ##.corp.###.com has encryptionIssues: ['changingstatenotfinished']
2026-03-03T13:34:36.632Z WARNING vsan-mgmt[3604765] [VsanHealthEncUtil::_CheckChangingHealth opID=##d9] Host: ##.corp.###.com has not finished encryption configuration
2026-03-03T13:34:36.632Z WARNING vsan-mgmt[3604765] [VsanHealthEncUtil::_AggregateEncryptionConfigHealth opID=##d9] Host: ##corp.###.com has encryptionIssues: ['changingstatenotfinished']
2026-03-03T13:34:36.633Z INFO vsan-mgmt[3604765] [VsanHealthEncUtil::_ConvertTimeFromString opID=##d9] _ConvertTimeFromString cannot handle empty time string
2026-03-03T13:34:36.633Z ERROR vsan-mgmt[3604765] [VsanHealthEncUtil::GenerateClusterEncryptionHealthSummary opID=##d9] Encryption health check result:
configHealth: red,
overallHealth: red
  • In "/var/run/log/vsanmgmt.log" we see that the cluster encryption config "changing" field shows "True":
2026-03-03T13:34:36.634Z INFO vsan-mgmt[3604765] [VsanHealthEncUtil::GenerateClusterEncryptionHealthSummary opID=608dffd9] Encryption health check inputs:
cluster: 'vim.ClusterComputeResource:domain-###81', cluster MoId: domain-###81,
clusterReconfigStatus.inClusterReconfig: False,
clusterReconfigStatus.inClusterDfc: False,
clusterReconfigStatus.dfcFinishedHosts: [],
clusterEncryptionConfig: {'enabled': True, 'kekId': '#######-####-####-####-############', 'dekGenerationId': 1, 'kmsProviderId': 'RI - KMS for vSAN Cluster', 'hostKeyId': '#######-####-####-####-############', 'changing': True, 'eraseDisksBeforeUse': True, 'kmipServers' 
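
An added triage example (not VMware's code and not part of the original article): it scans health-service log text in the format shown above, lists the hosts reporting 'changingstatenotfinished', and reads the cluster 'changing' and inClusterReconfig values. The sample lines, hostnames, the function name triage, and the "stale flag" heuristic (changing is True while inClusterReconfig is False) are assumptions made for illustration.

```python
import re

# Constructed sample in the format of the excerpts above; hostnames, opID and MoId are made up.
SAMPLE = """\
2026-03-03T13:34:36.632Z WARNING vsan-mgmt[3604765] [VsanHealthEncUtil::_CheckChangingHealth opID=abcd] Host: esx01.example.test has not finished encryption configuration
2026-03-03T13:34:36.632Z WARNING vsan-mgmt[3604765] [VsanHealthEncUtil::_AggregateEncryptionConfigHealth opID=abcd] Host: esx01.example.test has encryptionIssues: ['changingstatenotfinished']
2026-03-03T13:34:36.632Z WARNING vsan-mgmt[3604765] [VsanHealthEncUtil::_AggregateEncryptionConfigHealth opID=abcd] Host: esx02.example.test has encryptionIssues: ['changingstatenotfinished']
2026-03-03T13:34:36.634Z INFO vsan-mgmt[3604765] [VsanHealthEncUtil::GenerateClusterEncryptionHealthSummary opID=abcd] Encryption health check inputs:
cluster: 'vim.ClusterComputeResource:domain-c1', cluster MoId: domain-c1,
clusterReconfigStatus.inClusterReconfig: False,
clusterEncryptionConfig: {'enabled': True, 'dekGenerationId': 1, 'changing': True, 'eraseDisksBeforeUse': True}
"""

# "Host:" may or may not be followed by a space in the real log, so allow both.
HOST_ISSUE = re.compile(r"Host:\s*(\S+) has encryptionIssues: \[([^\]]*)\]")
IN_RECONFIG = re.compile(r"clusterReconfigStatus\.inClusterReconfig:\s*(True|False)")
# Non-greedy match so a truncated clusterEncryptionConfig line still parses.
CHANGING = re.compile(r"clusterEncryptionConfig:.*?'changing':\s*(True|False)")


def triage(log_text):
    """Summarise the encryption 'changing' state seen in health-service log text."""
    hosts = {}
    in_reconfig = changing = None  # None means "not present in this log text"
    for line in log_text.splitlines():
        m = HOST_ISSUE.search(line)
        if m:
            issues = {i.strip(" '\"") for i in m.group(2).split(",") if i.strip()}
            hosts.setdefault(m.group(1), set()).update(issues)
        m = IN_RECONFIG.search(line)
        if m:
            in_reconfig = m.group(1) == "True"  # last health run in the text wins
        m = CHANGING.search(line)
        if m:
            changing = m.group(1) == "True"
    flagged = sorted(h for h, i in hosts.items() if "changingstatenotfinished" in i)
    return {
        "hosts_changing_not_finished": flagged,
        "cluster_changing": changing,
        "in_cluster_reconfig": in_reconfig,
        # Assumed heuristic: flag left True although no cluster reconfig is running.
        "stale_changing_suspected": bool(flagged) and changing is True and in_reconfig is False,
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A True value for stale_changing_suspected matches the pattern in the excerpts above and is a cue to review the Skyline health remediation described under Resolution, not proof that encryption itself failed.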
 
 
 

Resolution

Proceed with remediation.

Navigate to "VC UI > vSAN cluster > Monitor > Skyline health > vSAN cluster configuration consistency" and click the "Remediate inconsistent configuration" button to run the cluster configuration remediation action, which fixes the encryption configuration consistency issues.

Note: We suggest running this outside business hours, when there is less load, to avoid any issues.