Language :

Configuring HA after upgrading to vCenter Server 5.0 fails with the error: Cannot complete the configuration of the vSphere HA agent on the host. Misconfiguration in the host setup (2006729)

 Click here to view full document

After upgrading to VMware vCenter Server 5.0, you experience these symptoms:

  • Unable to configure VMware High Availability (HA).
  • The HA agent on one or more hosts in the cluster fails to configure properly.
  • Configuring HA fails.
  • The HA agent for this host reports this error:

    The vSphere HA agent is not reachable from vCenter Server vSphere HA cannot be configured on this host because it's SSL thumbprint has not been verified. Check that vCenter server is configured to verify SSL thumbprints and that the thumbprint for this host has been verified There was an error unconfiguring the vSphere HA agent on this host. To solve this problem, connect the host to a vCenter Server of version 5.0 or later

  • You see the error:

Cannot complete the configuration of the vSphere HA agent on the host Misconfiguration in the host setup.

  • In the /var/log/fdm.log file of one or more hosts in the cluster, you see entries similar to:

    YYYY-MM-DDT15:46:48.993-04:00 [F7757B90 verbose 'Cluster' opID=SWI-d31768f2] [ClusterManagerImpl::VerifyHost] Thumbprint mismatch(99:6E:8A:D3:1D:F2:98:0F:54:4A:60:9D:AC:35:03:BC:AD:B9:85:95
    != 3C:D0:0C:3E:D0:DD:78:17:CE:AB:F4:E3:55:AB:E1:A5:75:18:1F:3A) for host host-47 - failing verify
    YYYY-MM-DDT15:46:48.993-04:00 [F7757B90 verbose 'Cluster' opID=SWI-d31768f2] [ClusterManagerImpl::InvalidCredentialsIP::SetBadIP] Blacklisting ip address xx.xx.xx.xx for 60 seconds
    YYYY-MM-DDT15:46:48.993-04:00 [F7757B90 verbose 'Cluster' opID=SWI-d31768f2] [ClusterManagerImpl::AddBadIP] IP marked bad for reason Invalid Credentials
    YYYY-MM-DDT15:46:48.993-04:00 [F7757B90 verbose 'Cluster' opID=SWI-d31768f2] [ClusterManagerImpl::ConnectToMaster] Master @ host-47 has invalid credentials - closing connection YYYY-MM-DDT19:09:27.461Z [66797B90 verbose 'Cluster' opID=SWI-965357c] [ClusterManagerImpl::AddBadIP] IP marked bad for reason Unreachable IP
    YYYY-MM-DDT19:09:28.461Z [66797B90 verbose 'Cluster' opID=SWI-965357c] [ClusterManagerImpl::IsBadIP] is bad ip
    YYYY-MM-DDT19:09:28.482Z [66797B90 verbose 'Cluster' opID=SWI-965357c] [ClusterManagerImpl::RemoveBadIPType] IP no longer bad for reason Unreachable IP
    ClusterManagerImpl::InvalidCredentialsIP::IsBadIP] has been in bad ip map long enough so declaring good

    YYYY-MM-DDT22:36:21.354Z [FFFD3B90 verbose 'Cluster'] ICMP reply for non-existent pinger 3 (id=isolationAddress)

    YYYY-MM-DDT22:36:21.354Z [26620B90 info 'Election' opID=SWI-ed338c8] ClusterElection::StartupStateFunc: Found node with better goodness @ xx.xx.xx.xx
    YYYY-MM-DDT22:36:21.354Z [26620B90 verbose 'Cluster' opID=SWI-ed338c8] [ClusterManagerImpl::IsBadIP] is bad ip
    YYYY-MM-DDT22:36:21.354Z [26620B90 verbose 'Cluster' opID=SWI-ed338c8] [ClusterManagerImpl::InvalidCredentialsIP::IsBadIP] xx.xx.xx.xx has been in bad ip map long enough so declaring good

This issue occurs if:
  • SSL Certificate checking is disabled in vCenter Server. SSL Certificate checking is now a requirement for HA in vCenter Server 5.0.
  • SSL thumbprints do not match the SSL keys shown.

    Note: If this is the cause of your issue, you do not need to perform steps 5-7 in the resolution.

This issue is resolved in vCenter Server 5.0 Update 1, available at VMware Downloads. For more information, see the Resolved issues section of the VMware vCenter Server Release Notes.
To resolve this issue when you do not want to upgrade, enable SSL Certificate checking.
To enable SSL Certificate checking:
  1. In the vSphere Client, click Administration > vCenter Server Settings. The vCenter Server Settings dialog appears.
  2. If the vCenter Server system is a part of a connected group, select the server you want to configure from the Current vCenter Server dropdown.
  3. In the settings list, select SSL Settings.
  4. Select vCenter requires verified host SSL certificates. If there are hosts that require manual validation, these hosts appear in the host list at the bottom of the dialog.
  5. Determine the host thumbprint for each host that requires validation.

    1. Log in to the direct console (DCUI).
    2. Select View Support Information in the System Customization menu. The thumbprint is displayed in the right pane.


      • If you do not have access to the direct console, you connect a vSphere Client that has not installed the hosts certificate directly to the host. When it prompts you for certificate confirmation, select View Certificate > Details, then scroll down to thumbprint.
      • If your issue is occurring because the SSL Thumbprints do not match, when you click OK all listed hosts disconnect from vCenter Server. Reconnect each host (this requires the root password) to refresh the SSL thumbprints.

  6. Compare the thumbprint you obtained from the host with the thumbprint listed in the vCenter Server Settings dialog.
  7. If the thumbprints match, select the check box for the host.
  8. Click OK. Hosts that you have not selected are now disconnected.
06/11/2012 - Added additional symptoms
07/26/2012 - Added issue resolved VMware vCenter with link to release notes and download center.
Chris Little
2/18/2016 8:00 AM
Data Conversion