Knowledge Base

The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides
 
Search the VMware Knowledge Base (KB)   View by Article ID
 

Configuring HA after upgrading to vCenter Server 5.0 fails with the error: Cannot complete the configuration of the vSphere HA agent on the host. Misconfiguration in the host setup (2006729)

Symptoms

After upgrading to vCenter Server 5.0, you experience these symptoms:

  • Unable to configure VMware High Availability (HA).
  • The HA agent on one or more hosts in the cluster fails to configure properly.
  • Configuring HA fails.
  • The HA agent for this host reports this error:

    The vSphere HA agent is not reachable from vCenter Server vSphere HA cannot be configured on this host because it's SSL thumbprint has not been verified. Check that vCenter server is configured to verify SSL thumbprints and that the thumbprint for this host has been verified There was an error unconfiguring the vSphere HA agent on this host. To solve this problem, connect the host to a vCenter Server of version 5.0 or later

  • You see the error:

Cannot complete the configuration of the vSphere HA agent on the host Misconfiguration in the host setup.

  • In the /var/log/fdm.log file of one or more hosts in the cluster, you see entries similar to:

    YYYY-MM-DDT15:46:48.993-04:00 [F7757B90 verbose 'Cluster' opID=SWI-d31768f2] [ClusterManagerImpl::VerifyHost] Thumbprint mismatch(99:6E:8A:D3:1D:F2:98:0F:54:4A:60:9D:AC:35:03:BC:AD:B9:85:95
    != 3C:D0:0C:3E:D0:DD:78:17:CE:AB:F4:E3:55:AB:E1:A5:75:18:1F:3A) for host host-47 - failing verify
    YYYY-MM-DDT15:46:48.993-04:00 [F7757B90 verbose 'Cluster' opID=SWI-d31768f2] [ClusterManagerImpl::InvalidCredentialsIP::SetBadIP] Blacklisting ip address 172.23.3.14 for 60 seconds
    YYYY-MM-DDT15:46:48.993-04:00 [F7757B90 verbose 'Cluster' opID=SWI-d31768f2] [ClusterManagerImpl::AddBadIP] IP 172.23.3.14 marked bad for reason Invalid Credentials
    YYYY-MM-DDT15:46:48.993-04:00 [F7757B90 verbose 'Cluster' opID=SWI-d31768f2] [ClusterManagerImpl::ConnectToMaster] Master @ host-47 has invalid credentials - closing connection YYYY-MM-DDT19:09:27.461Z [66797B90 verbose 'Cluster' opID=SWI-965357c] [ClusterManagerImpl::AddBadIP] IP 172.23.3.14 marked bad for reason Unreachable IP
    YYYY-MM-DDT19:09:28.461Z [66797B90 verbose 'Cluster' opID=SWI-965357c] [ClusterManagerImpl::IsBadIP] 172.23.3.14 is bad ip
    YYYY-MM-DDT19:09:28.482Z [66797B90 verbose 'Cluster' opID=SWI-965357c] [ClusterManagerImpl::RemoveBadIPType] IP 172.23.3.14 no longer bad for reason Unreachable IP
    ClusterManagerImpl::InvalidCredentialsIP::IsBadIP] 10.10.10.224 has been in bad ip map long enough so declaring good

    YYYY-MM-DDT22:36:21.354Z [FFFD3B90 verbose 'Cluster'] ICMP reply for non-existent pinger 3 (id=isolationAddress)

    YYYY-MM-DDT22:36:21.354Z [26620B90 info 'Election' opID=SWI-ed338c8] ClusterElection::StartupStateFunc: Found node with better goodness @ 10.1.1.224
    YYYY-MM-DDT22:36:21.354Z [26620B90 verbose 'Cluster' opID=SWI-ed338c8] [ClusterManagerImpl::IsBadIP] 10.0.17.134 is bad ip
    YYYY-MM-DDT22:36:21.354Z [26620B90 verbose 'Cluster' opID=SWI-ed338c8] [ClusterManagerImpl::InvalidCredentialsIP::IsBadIP] 10.1.1.134 has been in bad ip map long enough so declaring good

Cause

This issue can occur if:
  • SSL Certificate checking is disabled in vCenter Server. SSL Certificate checking is now a requirement for HA in vCenter Server 5.0.
  • SSL thumbprints do not match the SSL keys shown

    Note: If this is the cause of your issue, you do not need to follow steps 5-7 in the resolution.

Resolution

This issue is resolved in vCenter Server 5.0 Update 1. For more information, see the Resolved issues section of the VMware vCenter Server Release Notes.
 
To download vCenter Server 5.0 Update 1, see the VMware Download Center.

To resolve this issue when you do not want to upgrade, enable SSL Certificate checking.
 
To enable SSL Certificate checking:
  1. In the vSphere Client, click Administration > vCenter Server Settings. The vCenter Server Settings dialog appears.
  2. If the vCenter Server system is a part of a connected group, select the server you want to configure from the Current vCenter Server drop-down.
  3. In the settings list, select SSL Settings.
  4. Select vCenter requires verified host SSL certificates. If there are hosts that require manual validation, these hosts appear in the host list at the bottom of the dialog.
  5. Determine the host thumbprint for each host that requires validation.

    1. Log in to the direct console (DCUI).
    2. Select View Support Information in the System Customization menu. The thumbprint is displayed in the right-side column.

      Notes:

      • If you do not have access to the direct console, you connect a vSphere Client that has not installed the hosts certificate directly to the host. When it prompts you for certificate confirmation, select View Certificate > Details, then scroll down to thumbprint.
      • If your issue is occurring because the SSL Thumbprints do not match, when you click OK all listed hosts disconnect from vCenter Server. Reconnect each host (this requires the root password) to refresh the SSL thumbprints.

  6. Compare the thumbprint you obtained from the host with the thumbprint listed in the vCenter Server Settings dialog.
  7. If the thumbprints match, select the check box for the host.
  8. Click OK. Hosts that you have not selected are now disconnected.

Additional Information

Note: This issue may also occur if proxy ARP is enabled on the ESX/ESXi management VLAN. To resolve this issue, disable Proxy ARP. For more information, see Troubleshooting network connection issues caused by proxy ARP (1005965).

Tags

ha-agent-failure  ha-fails  configuring-ha-fails

See Also

Update History

06/11/2012 - Added additional symptoms 07/26/2012 - Added issue resolved VMware vCenter with link to release notes and download center. 09/12/2013 - Added vCenter Server 5.5 to Product Versions.

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 23 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.
What can we do to improve this information? (4000 or fewer characters)
  • 23 Ratings
Actions
KB: