• Worker nodes are stuck in Provisioned state. 
• Control Plane nodes may show as "Running", however actions via kubectl fail with error connection refused or no route to host.
• The API server is unreachable from the control plane node. 
  nc -zv <API_SERVER_IP> 6443

vSphere Kubernetes Service

Network firewall rules are blocking communication between the nodes and the Kubernetes API endpoint (typically port 6443) or the vCenter Server (port 443).

Review and update the firewall restrictions on the NSX side to permit bidirectional traffic for the required Kubernetes and LoadBalancer ports.