Failed installation of vSphere HA (FDM) VIBs with error: "Cannot find vSphere HA master agent"

Article ID: 433020

Products

VMware vCenter Server, VMware vSphere ESXi

Issue/Introduction

In a vSphere cluster, enabling or reconfiguring vSphere HA fails. The following symptoms may be observed:

  • vSphere HA is not functional on the cluster.
  • The following error message is displayed on the cluster's Summary page in the vSphere Client:

    Cannot find vSphere HA master agent

  • ESXi hosts show general communication or configuration issues.

  • The Fault Domain Manager (FDM) VIBs are missing or not installed on one or more ESXi hosts.

Environment

VMware vCenter Server

VMware ESXi

Cause

This issue occurs when network communication between ESXi hosts and vCenter Server on port 9087 is blocked.

  • Port 9084 is used as a web server endpoint for VIB downloads.
  • Port 9087 is used by the Image Upload Service during host upgrades and VIB installation.

If traffic on port 9087 is blocked:

  • TLS handshake between ESXi and vCenter fails.
  • File transfers (VIBs, ISOs) may hang or time out.
  • Required FDM VIBs cannot be installed.
  • vSphere HA configuration fails, resulting in the reported error.

Resolution

Step 1: Verify connectivity on port 9087.

Run the following command from an affected ESXi host:

    openssl s_client -connect <vcenter-ip>:9087 -showcerts

Expected result:

  • A certificate chain is returned.

If the issue exists:

  • No certificate is returned, indicating blocked or interrupted connectivity.

Note: Run the same command on a known working ESXi host for comparison.

 

Step 2: Allow required network communication.

Engage the network or firewall team to ensure that TCP port 9087 is open between the ESXi hosts and vCenter Server.

 

Step 3: Repeat the Step 1 check after the port has been allowed, to confirm communication.

  1. Re-run the OpenSSL command to confirm certificate retrieval: openssl s_client -connect <vcenter-ip>:9087 -showcerts

  2. Confirm successful TLS handshake.

 

Step 4: Reconfigure vSphere HA.

  • Re-enable or reconfigure vSphere HA on the cluster.
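
The check from Step 1 and Step 3 as a script, added here as an example and not part of the original article: it classifies the `openssl s_client` output so that a blocked port can be told apart from a connection that opens but returns no certificate. The function names and the status labels (OK, NO_CERT, UNREACHABLE) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article).
# Usage: sh check_vc_port.sh <vcenter-ip> [port]    (port defaults to 9087)

# classify_handshake: reads `openssl s_client -showcerts` output on stdin and
# prints one status label (labels are this example's own naming):
#   OK          - a certificate was returned
#   NO_CERT     - TCP connected, but no certificate came back (TLS interrupted)
#   UNREACHABLE - no TCP connection at all (port blocked, refused or timed out)
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q -e '-----BEGIN CERTIFICATE-----'; then
        echo OK
    elif printf '%s\n' "$out" | grep -q '^CONNECTED'; then
        echo NO_CERT
    else
        echo UNREACHABLE
    fi
}

# check_port: $1 = vCenter address, $2 = TCP port.
# Reading stdin from /dev/null makes s_client exit once the handshake is done.
# If a firewall silently drops packets, this waits for the TCP connect timeout.
check_port() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>&1 | classify_handshake
}

# Run the check only when an address is supplied on the command line.
if [ $# -ge 1 ]; then
    port=${2:-9087}
    result=$(check_port "$1" "$port")
    echo "$1:$port -> $result"
    # Non-zero exit status lets the script be used before retrying HA configuration.
    [ "$result" = OK ] || exit 1
fi
```

Running it on a known working host as well gives the comparison the Step 1 note asks for.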

Additional Information

  • This issue is commonly observed in environments with strict firewall rules.
  • Ensure all required vSphere ports are open as per VMware networking requirements.