Problem: host added to vCenter gets disconnected after 30-60 sec

Site A:

Site B:

openvpn tun:

We have an offsite ESXi host at site B, which is connected over OpenVPN (pfSense). All the hosts on site A and B can ping each other, with no connection problems over the VPN (ping time 2-3 ms).

When we add the host to vCenter, it finds the host and adds it to the vCenter, and we can see the 2 VMs for about 30-60 sec. Then it goes over to (disconnected) and changes its IP address from to on the vCenter page. After that we can't get it to connect to vCenter without removing it from inventory and re-adding it, and then it stays for 30-60 sec.

If I go to the connection menu on host B in vCenter and press connect, it shows the wrong IP  added the host with

If I check the vpxa.cfg file on site B, it has the right IP:

grep -i serverIp /etc/vmware/vpxa/vpxa.cfg


If I try to go to host B from site A, it works fine, and if I check the VMkernel adapter, it has IP

How can I fix this issue?

For info, we previously had the remote host at the local location connected to vCenter and it worked fine, but after moving it to Site B and changing its IP, it gets disconnected after 30-60 sec.

0 Kudos
3 Replies

Most likely you're missing an open FW port. Only while adding a host does vCenter use 22, 443 to activate the VPXA on the host, and then it waits for that VPXA to respond. Not sure which ports are used, but my network guy figured it out within seconds. We managed a couple of hosts at ROBO sites through VPN.



0 Kudos

As far as I can see, all ports are open in the firewall on both sites. If it is port 902 that is used, it is open from Site A to B. If I try telnet from site A to site B on port 902, I get a connection:


Connected to

Escape character is '^]'.

220 VMware Authentication Daemon Version 1.10: SSL Required, ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC , VMXARGS supported, NFCSSL supported/t

If I do an nmap scan on from site A to site B:

nmap -p 902

Starting Nmap 7.01 ( ) at 2019-03-17 23:02 CET

Nmap scan report for

Host is up (0.0028s latency).


902/tcp open  iss-realsecure


nmap -sU -p 902

Starting Nmap 7.01 ( ) at 2019-03-17 23:06 CET

Nmap scan report for

Host is up (0.0028s latency).


902/udp open|filtered ideafarm-door

So as far as I can see, port 902 responds from site A to site B as open on TCP and UDP, and this is where the heartbeat comes from, I think.

But for some reason the IP does change when adding the host in vCenter, after it has added the ESXi host.

If I look at the datastores too in vCenter for the ESXi client at site B, they have changed to IP from to and are showing as (inactive).

I guess it is some NAT problem I can't understand that is causing the issue, but to me it looks like the VPN connections between site A and B work fine.

0 Kudos

Found a solution. This might not be the proper way to do it, but it works. (vCenter ESXi host added over OpenVPN site-to-site connection, NAT problem.)

In the pfSense boxes, I put up 2 new outbound rules for the "vpn adapters" on both sites and told pfSense to NAT the source IP to the NAT address.

For site A

interface vpn  Nat address

For Site B

interface vpn Nat address

Now when I add the host in vCenter and add the IP of the ESXi host, the IP stays after 60 seconds and does not change to the vpntun IP, which is

Not sure if it matters, but I did read on some forum somewhere that outbound ports had to be static and not random, so I set pfSense to not randomize outbound ports on the NATed address. (Static)

If anyone has input on how to do this the proper way, I'm glad to hear about it.

0 Kudos