I have a VCSA running 7.0.2 that will not let me add any additional ESXi hosts running 7.0U2. I receive error "A general system error occurred: Host management agents not reachable on <Host IP>" for task Add standalone host.
- VCSA and hosts are on same subnet. Network connectivity between VCSA and hosts is fine. No firewall between the two.
- Management agents (hostd and vpxa) on ESXi host are started and running fine.
- Have proper ESXi license added to VCSA and assigned to host during the add host wizard.
- VCSA add host wizard finds the host SSL certificate but will not finish adding host.
- Add host wizard immediately goes to 80% and then fails.
- Hosts are DellEMC PowerEdge R6525 servers with the current custom DellEMC ESXi image installed.
Furthermore, I have a separate VCSA server that the same hosts in question can be added to fine. So it must be the first VCSA mentioned that is the issue. What VCSA specifics can prevent a host from being added? SSL configs? Security settings? Policy settings? HA? vSAN? Is there something in the VCSA CLI I can look for specifically? I've combed the vSphere web console and nothing sticks out. It's got to be some security configuration made in the VCSA shell for a STIG we've applied that is preventing hosts from being added or something similar. I need these hosts to be managed by this specific VCSA that I can't add them to.
Hi
Have you checked the KB?
https://kb.vmware.com/s/article/1003409
It's a list of troubleshooting steps for ESXi.
Yes I've checked all the ESXi troubleshooting articles. Thank you for your response.
I don't think the issue lies with the ESXi host. The ESXi host can join a different VCSA (all on the same subnet) correctly. I'm looking for something on the troublesome VCSA that would be preventing a host from joining with the error "A general system error occurred: Host management agents not reachable on <IP Address of Host>". What would cause the VCSA to be unable to reach the host management agents when the host management agents are running and communication between the two is fine?
I found the solution. In vSphere under Configure->Advanced Settings, the Advanced vCenter Server Setting vpxd.certmgmt.mode was configured as custom. I changed it to thumbprint and it let me add the ESXi hosts. I believe our intent is to manage our own certificates on the ESXi hosts, but I'll need to check with my certificate admin to see how we are doing it.
If this value is set to custom does that mean that a custom certificate must be installed on the ESXi host for it to be managed by vSphere? Likewise if it is set to Thumbprint, will vSphere add the SSL thumbprint and manage the host that way?
If not using custom certs, you should be using vmca certificate mode and not thumbprint. I believe there is still an issue which needs investigation. Thumbprint mode was for 5.5 versions and, if used, a few vCenter services may not work correctly.
You have no idea how much time I have wasted on this. The VMware KB had set me in the wrong direction of a user authentication issue. Thank you so much. God bless you.
I have an idea on how much time you wasted 😛 probably around the same amount of time I wasted. Glad the solution helped you. Take care.
Yes, absolutely bless you!
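
An added example, not posted by anyone in this thread: a PowerCLI check that reads the vpxd.certmgmt.mode setting discussed above and then inspects the certificate that a not-yet-added ESXi host presents on port 443, so you can see whether it is self-signed or CA-issued before picking a mode. It assumes VMware PowerCLI is installed and Connect-VIServer has already been run; the host names and the Get-PresentedCertificate helper are hypothetical.

```powershell
# Added example. Assumes: VMware PowerCLI installed, an active Connect-VIServer session.
# Host names below are placeholders; replace them with the hosts you are trying to add.
$candidateHosts = @('esxi01.example.test', 'esxi02.example.test')

# 1. Read the certificate mode from the connected vCenter Server.
$vc   = $global:DefaultVIServer
$mode = (Get-AdvancedSetting -Entity $vc -Name 'vpxd.certmgmt.mode').Value
Write-Host "vCenter $($vc.Name): vpxd.certmgmt.mode = $mode"

# 2. Hypothetical helper: fetch the certificate a host presents on TCP 443.
function Get-PresentedCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Validation is bypassed only so the certificate can be read for inspection;
        # no credentials or data are sent over this connection.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($HostName)
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $tcp.Dispose() }
}

# 3. Summarise each host certificate next to the current mode.
foreach ($h in $candidateHosts) {
    try {
        $cert = Get-PresentedCertificate -HostName $h
        [pscustomobject]@{
            Host           = $h
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            SelfSigned     = ($cert.Subject -eq $cert.Issuer)
            NotAfter       = $cert.NotAfter
            Expired        = ($cert.NotAfter -lt (Get-Date))
            Sha1Thumbprint = $cert.Thumbprint
            VCenterMode    = $mode
        }
    } catch {
        Write-Warning "Could not read the certificate from ${h}: $($_.Exception.Message)"
    }
}
```

A host that reports SelfSigned = True while the mode is custom has not had a certificate installed by your own CA, which is the mismatch to raise with the certificate administrator.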