• You attempt to replace or upgrade a vSAN Witness Appliance from version 8.x to 9.x.
  
  
• You deploy a new version 9.x Witness Appliance with a temporary IP address and a different hostname, expecting the "Change Witness" wizard to automatically reassign the original IP and FQDN.
  
  
• The switch completes, but the appliance retains the temporary network settings instead of adopting the original ones.
  
  
• The vSAN Health score drops significantly due to cluster partitioning, network isolation, or firewall blocks on the new IP address.
  
  
• Communication issues occur between the data nodes and the new witness host.

VMware vSAN 8.x

VMware vSAN 9.x

This issue occurs because the Change Witness Host workflow in vCenter does not automatically reconfigure the network settings (IP address or FQDN) of the target appliance to match the host it is replacing.
If your environment uses strict firewall rules based on the original witness IP, the new appliance remains isolated because it is still using the temporary IP assigned during deployment.

Option 1: In-Place Upgrade (Recommended)

Upgrading the vSAN Cluster

Upgrading vSAN Witness Appliance Using CLI

Option 2: Replace Witness using the Original IP

If you prefer to deploy a fresh appliance, you must follow the process to reuse the original network identity: vSAN Stretch Clusters - How to Replace the Witness Appliance/Host