Error: vSphere HA agent unreachable with active Host TPM attestation alarms



Article ID: 439163


Updated On:

Products

VMware vCenter Server

VMware vSphere ESXi

Issue/Introduction

In a vSphere environment, an ESXi host may remain in a persistent "HA Agent Unreachable" state. Attempts to reconfigure HA at the host or cluster level fail with the following symptoms:

vSphere Client UI Errors:

  • vCenter > Tasks shows "A general system error occurred: Installing HA components failed on the cluster: domain-####", "vSphere HA agent unreachable" or "vSphere HA agent not reachable" for one or more ESXi hosts.
  • Host > Summary shows the "Host TPM attestation alarm" as active on the affected host.

When these symptoms occur concurrently, the following log entries confirm that the host's security (attestation) state and its management agents are out of sync:

vpxd.log shows the inability to verify host integrity.

/var/log/vmware/vpxd.log:

warning vpxd[06091] [Originator@6876 sub=Attestation opID=...] Failed to update integrity report; [vim.HostSystem:host-####, [HOSTNAME]], 24TpmVerificationException(error: 0x1, internal error: 6)

fdm log shows the HA agent (fdm) failing to establish a secure connection.

/var/log/fdm.log:

YYYY-MM-DD HH:MM:SS warning fdm[11432557] [Originator@6876 sub=IO.Connection opID=...] Failed to SSL handshake; SSL(>), e: 336134278(certificate verify failed), duration: 15msec

vmkernel.log indicates the low-level TPM attestation failure during or after boot.

/var/log/vmkernel.log:

vmkernel: WARNING: VMB_TPM: 201: Trusted launch failed.
vmkernel: VMB_TPM: 1494: Found TXT error, will do unmeasured launch.

Note: Standard remediation steps, such as restarting the hostd, vpxa, or vmware-fdm services, do not resolve the issue. The issue typically occurs following maintenance activities, host reboots, or site evacuations in a Stretched Cluster environment.
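The three signatures above are only meaningful together: an fdm handshake failure on its own is a certificate problem, a VMB_TPM warning on its own is a boot-time attestation problem. The following PowerShell function is an added triage example (it is not part of this article and not VMware code) that checks whether all three co-occur in the captured logs and names the host from the vpxd line. The sample log lines are constructed to mirror the excerpts above; the hostname esx01.example.com and the MoRef host-1234 are made up. Point the three parameters at real log content to use it.

```powershell
# Added example, not from the KB article: correlate the three log signatures
# the article lists and report whether a host matches this pattern.

function Test-TpmHaDesync {
    param(
        [string[]]$VpxdLines,      # content of /var/log/vmware/vpxd.log on vCenter
        [string[]]$FdmLines,       # content of /var/log/fdm.log on the host
        [string[]]$VmkernelLines   # content of /var/log/vmkernel.log on the host
    )

    # Match on the stable part of each message, never on timestamps, PIDs or opIDs.
    $vpxdHits = @($VpxdLines | Where-Object {
        $_ -match 'sub=Attestation.*Failed to update integrity report.*TpmVerificationException' })
    $fdmHits  = @($FdmLines | Where-Object {
        $_ -match 'sub=IO\.Connection.*Failed to SSL handshake.*certificate verify failed' })
    $vmkHits  = @($VmkernelLines | Where-Object {
        $_ -match 'VMB_TPM:.*(Trusted launch failed|unmeasured launch)' })

    # The vpxd line carries the host MoRef and name; collect them so the verdict names the host.
    $hosts = foreach ($line in $vpxdHits) {
        if ($line -match '\[vim\.HostSystem:(host-\d+),\s*([^\]]+)\]') {
            '{0} ({1})' -f $Matches[2], $Matches[1]
        }
    }

    $all = ($vpxdHits.Count -gt 0) -and ($fdmHits.Count -gt 0) -and ($vmkHits.Count -gt 0)
    if ($all) {
        $nextStep = 'Host security state is desynchronized: place the host in maintenance mode and reboot it; restarting hostd/vpxa/fdm alone will not clear this'
    } else {
        $nextStep = 'Signatures do not all co-occur; treat as a different HA or certificate problem'
    }

    [pscustomobject]@{
        VpxdAttestationFailure = $vpxdHits.Count
        FdmHandshakeFailure    = $fdmHits.Count
        VmkernelTpmFailure     = $vmkHits.Count
        Hosts                  = @($hosts | Sort-Object -Unique)
        MatchesKb439163        = $all
        NextStep               = $nextStep
    }
}

# Constructed sample lines (hostname and MoRef are made up) shaped like the KB excerpts.
$vpxdSample = @(
    '2025-01-10T08:15:02.114Z warning vpxd[06091] [Originator@6876 sub=Attestation opID=5f1c2a3b] Failed to update integrity report; [vim.HostSystem:host-1234, esx01.example.com], 24TpmVerificationException(error: 0x1, internal error: 6)'
)
$fdmSample = @(
    '2025-01-10 08:15:40 warning fdm[11432557] [Originator@6876 sub=IO.Connection opID=SWI-2d1] Failed to SSL handshake; SSL(>), e: 336134278(certificate verify failed), duration: 15msec'
)
$vmkSample = @(
    'vmkernel: WARNING: VMB_TPM: 201: Trusted launch failed.',
    'vmkernel: VMB_TPM: 1494: Found TXT error, will do unmeasured launch.'
)

Test-TpmHaDesync -VpxdLines $vpxdSample -FdmLines $fdmSample -VmkernelLines $vmkSample | Format-List
```

On the constructed input the result reports one hit per log, lists esx01.example.com (host-1234), and sets MatchesKb439163 to True. With real logs, feed `Get-Content` of each file to the corresponding parameter; the regexes deliberately ignore the variable fields (timestamps, PIDs, opIDs) so they survive across versions that reformat those.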

Environment

VMware vCenter Server 

VMware vSphere ESXi 

Cause

This issue is caused by a host state desynchronization following maintenance activities (e.g., site evacuations in stretched clusters).

The active TPM attestation alarm indicates that the host's security state is inconsistent, which prevents vCenter Server from verifying the host's integrity (the TpmVerificationException in vpxd.log). Because the host is not trusted, vCenter cannot push or initialize the Fault Domain Manager (FDM) VIB on it. The result is a persistent "Agent Unreachable" state: the management agents (hostd/vpxa) and the HA agent (fdm) cannot complete the secure handshake required for HA configuration, which is the certificate verification failure seen in fdm.log.

Resolution

To resolve this state and allow HA to configure successfully, the host's security and management states must be reset.

  1. Maintenance Mode: Evacuate all VMs from the affected host and place the host in maintenance mode. For more information, refer to Place a Host in Maintenance Mode.
  2. Perform a Graceful Reboot: Reboot the affected ESXi host. The reboot re-evaluates the host's security state (TPM attestation) during boot and restarts the ESXi management agents (hostd and vpxa) in a clean state.
  3. Verify TPM Status: Once the host is back online, ensure the "Host TPM attestation alarm" has cleared.
    Note: If Secure Boot is not enabled but a TPM 2.0 chip is present, the alarm may trigger automatically. In this specific scenario, refer to vSphere Client Displays "Host TPM attestation alarm" for ESXi Hosts to manually suppress the alarm if it persists despite a successful boot.
  4. Reconfigure HA: Right-click the affected host in the vSphere Client and select Reconfigure for vSphere HA. The task should now complete successfully.
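The four steps above can be driven from PowerCLI for a single host. The script below is an added example (it is not part of this article and not VMware-provided tooling); it assumes an existing Connect-VIServer session to the vCenter that manages the host, that DRS can evacuate the host, and that the alarm definition name contains "TPM attestation" as shown in the vSphere Client. It stops before reconfiguring HA if the alarm is still active after the reboot, which is the point at which the Secure Boot note in step 3 applies. The final exit from maintenance mode is not one of the article's steps and is included only so the host returns to service; `$HostName` is a hypothetical input.

```powershell
# Added example, not from the KB article: PowerCLI automation of the resolution steps
# for one host. Requires a connected PowerCLI session (Connect-VIServer) first.

function Get-HostTpmAlarm {
    param($VMHost)
    # Triggered alarms hang off the HostSystem managed object as MoRefs to alarm
    # definitions; resolve each one and keep the TPM attestation alarm.
    foreach ($state in $VMHost.ExtensionData.TriggeredAlarmState) {
        $definition = Get-View -Id $state.Alarm
        if ($definition.Info.Name -like '*TPM attestation*') {
            [pscustomobject]@{
                Name   = $definition.Info.Name
                Status = $state.OverallStatus
                Time   = $state.Time
            }
        }
    }
}

function Repair-HaHostAfterTpmAlarm {
    param(
        [Parameter(Mandatory)][string]$HostName,   # hypothetical input: ESXi host name as known to vCenter
        [int]$RebootTimeoutMinutes = 20
    )
    $vmhost = Get-VMHost -Name $HostName -ErrorAction Stop
    $before = @(Get-HostTpmAlarm -VMHost $vmhost)
    Write-Host ("[{0}] attestation alarms before remediation: {1}" -f $HostName, $before.Count)

    # Step 1: evacuate VMs (DRS) and enter maintenance mode.
    $vmhost = Set-VMHost -VMHost $vmhost -State Maintenance -Evacuate -Confirm:$false

    # Step 2: graceful reboot. Restart-VMHost requires the host to be in maintenance mode.
    Restart-VMHost -VMHost $vmhost -Confirm:$false | Out-Null

    # Wait for the host to actually go down (ConnectionState leaves 'Maintenance') ...
    $deadline = (Get-Date).AddMinutes($RebootTimeoutMinutes)
    do {
        Start-Sleep -Seconds 15
        $vmhost = Get-VMHost -Name $HostName
    } until ($vmhost.ConnectionState -ne 'Maintenance' -or (Get-Date) -gt $deadline)

    # ... and then come back, still in maintenance mode.
    do {
        Start-Sleep -Seconds 30
        $vmhost = Get-VMHost -Name $HostName
    } until ($vmhost.ConnectionState -eq 'Maintenance' -or (Get-Date) -gt $deadline)
    if ($vmhost.ConnectionState -ne 'Maintenance') {
        throw "Host $HostName did not reconnect within $RebootTimeoutMinutes minutes"
    }

    # Step 3: the alarm must be clear before HA is reconfigured. If it is still active
    # after a clean boot, see the Secure Boot / TPM 2.0 note in the article.
    $after = @(Get-HostTpmAlarm -VMHost $vmhost)
    if ($after.Count -gt 0) {
        throw "Host $HostName still has an active attestation alarm after reboot: $($after.Name -join ', ')"
    }

    # Step 4: same operation as 'Reconfigure for vSphere HA' in the vSphere Client.
    $vmhost.ExtensionData.ReconfigureHostForDAS()

    # Not an article step: return the host to service once HA is configured.
    Set-VMHost -VMHost $vmhost -State Connected -Confirm:$false | Out-Null
    Write-Host ("[{0}] HA reconfigured; host back in service" -f $HostName)
}

# Usage (hypothetical host name):
# Repair-HaHostAfterTpmAlarm -HostName 'esx01.example.com'
```

Run it against one host at a time; in a stretched cluster, evacuating several hosts at once is exactly the activity that triggers this condition. If `ReconfigureHostForDAS()` throws, the HA task error text in vCenter > Tasks is the same one listed under Issue/Introduction and should be checked before retrying.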

Additional Information

Troubleshooting vSphere HA Agent Unreachable state

vCenter shows attestation status failed with "internal failure"

HA fails with "Applying HA VIBs on the cluster encountered a failure"