Configuring HA after upgrading to vCenter Server 5.0 fails with the error: Cannot complete the configuration of the vSphere HA agent on the host. Misconfiguration in the host setup (2006729)
After upgrading to VMware vCenter Server 5.0, you experience these symptoms:
- Unable to configure VMware High Availability (HA).
- The HA agent on one or more hosts in the cluster fails to configure properly.
- Configuring HA fails.
- The HA agent for this host reports this error:
The vSphere HA agent is not reachable from vCenter Server
vSphere HA cannot be configured on this host because it's SSL thumbprint has not been verified. Check that vCenter server is configured to verify SSL thumbprints and that the thumbprint for this host has been verified
There was an error unconfiguring the vSphere HA agent on this host. To solve this problem, connect the host to a vCenter Server of version 5.0 or later
- You see the error:
Cannot complete the configuration of the vSphere HA agent on the host. Misconfiguration in the host setup.
- In the /var/log/fdm.log file of one or more hosts in the cluster, you see entries similar to:
YYYY-MM-DDT15:46:48.993-04:00 [F7757B90 verbose 'Cluster' opID=SWI-d31768f2] [ClusterManagerImpl::VerifyHost] Thumbprint mismatch(99:6E:8A:D3:1D:F2:98:0F:54:4A:60:9D:AC:35:03:BC:AD:B9:85:95 != 3C:D0:0C:3E:D0:DD:78:17:CE:AB:F4:E3:55:AB:E1:A5:75:18:1F:3A) for host host-47 - failing verify
YYYY-MM-DDT15:46:48.993-04:00 [F7757B90 verbose 'Cluster' opID=SWI-d31768f2] [ClusterManagerImpl::InvalidCredentialsIP::SetBadIP] Blacklisting ip address 172.23.3.14 for 60 seconds
YYYY-MM-DDT15:46:48.993-04:00 [F7757B90 verbose 'Cluster' opID=SWI-d31768f2] [ClusterManagerImpl::AddBadIP] IP 172.23.3.14 marked bad for reason Invalid Credentials
YYYY-MM-DDT15:46:48.993-04:00 [F7757B90 verbose 'Cluster' opID=SWI-d31768f2] [ClusterManagerImpl::ConnectToMaster] Master @ host-47 has invalid credentials - closing connection
YYYY-MM-DDT19:09:27.461Z [66797B90 verbose 'Cluster' opID=SWI-965357c] [ClusterManagerImpl::AddBadIP] IP 172.23.3.14 marked bad for reason Unreachable IP
YYYY-MM-DDT19:09:28.461Z [66797B90 verbose 'Cluster' opID=SWI-965357c] [ClusterManagerImpl::IsBadIP] 172.23.3.14 is bad ip
YYYY-MM-DDT19:09:28.482Z [66797B90 verbose 'Cluster' opID=SWI-965357c] [ClusterManagerImpl::RemoveBadIPType] IP 172.23.3.14 no longer bad for reason Unreachable IP
ClusterManagerImpl::InvalidCredentialsIP::IsBadIP] 10.10.10.224 has been in bad ip map long enough so declaring good
YYYY-MM-DDT22:36:21.354Z [FFFD3B90 verbose 'Cluster'] ICMP reply for non-existent pinger 3 (id=isolationAddress)
YYYY-MM-DDT22:36:21.354Z [26620B90 info 'Election' opID=SWI-ed338c8] ClusterElection::StartupStateFunc: Found node with better goodness @ 10.1.1.224
YYYY-MM-DDT22:36:21.354Z [26620B90 verbose 'Cluster' opID=SWI-ed338c8] [ClusterManagerImpl::IsBadIP] 10.0.17.134 is bad ip
YYYY-MM-DDT22:36:21.354Z [26620B90 verbose 'Cluster' opID=SWI-ed338c8] [ClusterManagerImpl::InvalidCredentialsIP::IsBadIP] 10.1.1.134 has been in bad ip map long enough so declaring good
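The log signatures above can be extracted from a copy of fdm.log to separate thumbprint failures from plain reachability failures. The following Python is an added example, not part of the VMware article or product; the function name triage, the report keys and the last sample line are assumptions made for illustration.

```python
import re

# Constructed sample, modeled on the fdm.log entries quoted above. The first
# entry is wrapped before "!=" to show that the parser tolerates line wraps.
SAMPLE_LOG = """\
YYYY-MM-DDT15:46:48.993-04:00 [F7757B90 verbose 'Cluster' opID=SWI-d31768f2] [ClusterManagerImpl::VerifyHost] Thumbprint mismatch(99:6E:8A:D3:1D:F2:98:0F:54:4A:60:9D:AC:35:03:BC:AD:B9:85:95
!= 3C:D0:0C:3E:D0:DD:78:17:CE:AB:F4:E3:55:AB:E1:A5:75:18:1F:3A) for host host-47 - failing verify
YYYY-MM-DDT15:46:48.993-04:00 [F7757B90 verbose 'Cluster' opID=SWI-d31768f2] [ClusterManagerImpl::AddBadIP] IP 172.23.3.14 marked bad for reason Invalid Credentials
YYYY-MM-DDT19:09:27.461Z [66797B90 verbose 'Cluster' opID=SWI-965357c] [ClusterManagerImpl::AddBadIP] IP 172.23.3.14 marked bad for reason Unreachable IP
YYYY-MM-DDT19:09:27.900Z [66797B90 verbose 'Cluster' opID=SWI-965357c] [ClusterManagerImpl::AddBadIP] IP 10.0.17.134 marked bad for reason Unreachable IP
"""

SHA1_HEX = r"((?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2})"  # 20 colon-separated bytes
MISMATCH = re.compile(
    r"\[ClusterManagerImpl::VerifyHost\]\s+Thumbprint mismatch\(\s*" + SHA1_HEX
    + r"\s*!=\s*" + SHA1_HEX + r"\s*\)\s+for host (\S+)")
BAD_IP = re.compile(
    r"\[ClusterManagerImpl::AddBadIP\] IP (\S+) marked bad for reason ([A-Za-z ]+?)\s*$",
    re.MULTILINE)


def triage(log_text):
    """Split fdm.log evidence into thumbprint failures and reachability failures."""
    mismatches = [
        # The page does not say which side of "!=" is which, so keep neutral names.
        {"host": m.group(3), "first": m.group(1).upper(), "second": m.group(2).upper()}
        for m in MISMATCH.finditer(log_text)
    ]
    reasons = {}
    for m in BAD_IP.finditer(log_text):
        reasons.setdefault(m.group(1), set()).add(m.group(2))
    return {
        "mismatches": mismatches,
        # Marked bad for Invalid Credentials, as in the mismatch sequence above.
        "credential_ips": sorted(ip for ip, r in reasons.items() if "Invalid Credentials" in r),
        # Only ever unreachable: reachability evidence, not thumbprint evidence.
        "network_only_ips": sorted(ip for ip, r in reasons.items() if r == {"Unreachable IP"}),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for m in report["mismatches"]:
        print(f"{m['host']}: {m['first']} != {m['second']}")
    print("invalid credentials:", report["credential_ips"])
    print("unreachable only:", report["network_only_ips"])
```
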
This issue occurs if:
- SSL Certificate checking is disabled in vCenter Server. SSL Certificate checking is now a requirement for HA in vCenter Server 5.0.
- SSL thumbprints do not match the SSL keys shown.
Note: If this is the cause of your issue, you do not need to perform steps 5-7 in the resolution.
This issue is resolved in vCenter Server 5.0 Update 1, available at VMware Downloads. For more information, see the Resolved issues section of the VMware vCenter Server Release Notes.
To resolve this issue when you do not want to upgrade, enable SSL Certificate checking.
To enable SSL Certificate checking:
1. In the vSphere Client, click Administration > vCenter Server Settings. The vCenter Server Settings dialog appears.
2. If the vCenter Server system is part of a connected group, select the server you want to configure from the Current vCenter Server dropdown.
3. In the settings list, select SSL Settings.
4. Select vCenter requires verified host SSL certificates. If there are hosts that require manual validation, these hosts appear in the host list at the bottom of the dialog.
5. Determine the host thumbprint for each host that requires validation.
   - Log in to the direct console (DCUI).
   - Select View Support Information in the System Customization menu. The thumbprint is displayed in the right pane.
   - If you do not have access to the direct console, connect a vSphere Client that has not installed the host's certificate directly to the host. When it prompts you for certificate confirmation, select View Certificate > Details, then scroll down to thumbprint.
   - If your issue is occurring because the SSL thumbprints do not match, when you click OK all listed hosts disconnect from vCenter Server. Reconnect each host (this requires the root password) to refresh the SSL thumbprints.
6. Compare the thumbprint you obtained from the host with the thumbprint listed in the vCenter Server Settings dialog.
7. If the thumbprints match, select the check box for the host.
8. Click OK. Hosts that you have not selected are now disconnected.
Note: This issue may also occur if proxy ARP is enabled on the ESX/ESXi management VLAN. To resolve this issue, disable Proxy ARP. For more information, see Troubleshooting network connection issues caused by proxy ARP (1005965).
- After upgrading to vCenter Server 5.0, configuring HA fails with the error: "Cannot complete the configuration of the vSphere HA agent on the host. Misconfiguration in the host setup" (2000260)
- After upgrading to vSphere 5, you see the HA error: vSphere HA Cannot be configured on this host because its SSL thumbprint has not been verified (2006210)