VMware Cloud Community
B055
Contributor

vSAN & KMS environment Error

Hi community members,

 

If anyone knows the solution for this, please let me know.

Initially I created the vSAN cluster environment with 3 ESXi hosts (VMware ESXi, 7.0.0, 16324942) and vCenter (VMware-VCSA-all-7.0.0-16189094) with KMS and enabled encryption on vSAN, which was working fine with no errors.

Then I updated the vCenter to

  • 7.0.2
  • Build: 17958471

Since I updated the vCenter, this vSAN cluster configuration inconsistency error has started showing up.

I tried to fix it with the option "fix inconsistency problem" under vSAN's monitoring Skyline Health. The fixing process runs fine and finishes with no errors in the task, but the problem and the error remain the same.

 

I checked the logs on vCenter, which show the following.

2021-06-15T07:49:38.690Z error vpxd[30761] [Originator@6876 sub=CryptoManager] Failed to refresh key provider status cache on [vim.HostSystem:host-34,10.x.x.x]:
--> "com.vmware.vapi.std.errors.error": {
--> "error_type": {
--> "com.vmware.vapi.std.errors.error": {
--> "error_type": {
2021-06-15T07:49:38.830Z error vpxd[30761] [Originator@6876 sub=CryptoManager] Failed to refresh key provider status cache on [vim.HostSystem:host-28,10.x.x.x]:
--> "com.vmware.vapi.std.errors.error": {
--> "error_type": {
--> "com.vmware.vapi.std.errors.error": {
--> "error_type": {
2021-06-15T07:49:38.957Z error vpxd[30761] [Originator@6876 sub=CryptoManager] Failed to refresh key provider status cache on [vim.HostSystem:host-31,10.x.x.x]:
--> "com.vmware.vapi.std.errors.error": {
--> "error_type": {

 

But when I checked the ESXi, it shows the below on all 2 hosts:

[root@ESXi1:~] esxcli vsan encryption info get
Attribute Value
------------------- -----
eraseDisksBeforeUse False
dekGenerationId 1
enabled True
hostKeyId 2902d60726864bcb9303b46ca9779331f8e797f907e641af9c5a174fc468201e
kekId db359c76a86446549421617c2391d954add309943b8e41e1983b8d85b3ae31b0
changing False
[root@ESXi1:~]

 

I am not able to understand why, when the KEK is already available on ESXi, the error might be showing at vCenter and vSAN.

If anyone knows, please let me know.

 

Thanks

0 Kudos
2 Replies
TheBobkin
Champion

@B055, similar to many other features in vSAN, vCenter is only required for configuration of encryption - the hosts may still have access to the KMS but vCenter does not (but validate this and don't reboot them until sure).

I would advise checking the common things that may break in such cases: cert chain validity, that the port is open, and connectivity between vC and the KMS.

0 Kudos
B055
Contributor

Hello,

Thanks for the reply.

It was working fine before updating ESXi and vCenter, but after the update this error started showing up. The encryption is working fine and there is no problem with the ESXi hosts rebooting, but why this error might be showing is totally not understandable.

 

0 Kudos
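
The vpxd errors quoted in the original post, summarized per host as an added example (not part of the thread and not VMware tooling): it parses the CryptoManager "Failed to refresh key provider status cache" lines and groups them into bursts, so you can see whether a single refresh pass failed for every host at once. The function names, the 5-second burst window and the 07:54 sample line are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the first three events repeat the lines quoted in the post,
# the 07:54 line is made up to show a second refresh pass.
SAMPLE_LOG = """\
2021-06-15T07:49:38.690Z error vpxd[30761] [Originator@6876 sub=CryptoManager] Failed to refresh key provider status cache on [vim.HostSystem:host-34,10.x.x.x]:
--> "com.vmware.vapi.std.errors.error": {
2021-06-15T07:49:38.830Z error vpxd[30761] [Originator@6876 sub=CryptoManager] Failed to refresh key provider status cache on [vim.HostSystem:host-28,10.x.x.x]:
2021-06-15T07:49:38.957Z error vpxd[30761] [Originator@6876 sub=CryptoManager] Failed to refresh key provider status cache on [vim.HostSystem:host-31,10.x.x.x]:
2021-06-15T07:54:38.702Z error vpxd[30761] [Originator@6876 sub=CryptoManager] Failed to refresh key provider status cache on [vim.HostSystem:host-34,10.x.x.x]:
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)Z error vpxd\[\d+\] \[Originator@\d+ sub=CryptoManager\] "
    r"Failed to refresh key provider status cache on "
    r"\[vim\.HostSystem:(?P<moref>host-\d+),(?P<addr>[^\]]+)\]"
)

def parse_failures(text):
    """Return (timestamp, host_moref, address) for every matching error line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)  # "-->" continuation lines do not match
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f")
            events.append((ts, m["moref"], m["addr"]))
    return events

def summarize(events):
    """Per host: failure count plus first and last time seen."""
    hosts = {}
    for ts, moref, _ in events:
        h = hosts.setdefault(moref, {"count": 0, "first": ts, "last": ts})
        h["count"] += 1
        h["first"], h["last"] = min(h["first"], ts), max(h["last"], ts)
    return hosts

def bursts(events, window_s=5.0):
    """Hosts affected in each burst (consecutive events at most window_s apart)."""
    groups = []
    for ev in sorted(events):
        if groups and (ev[0] - groups[-1][-1][0]).total_seconds() <= window_s:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return [sorted({moref for _, moref, _ in g}) for g in groups]

if __name__ == "__main__":
    print(bursts(parse_failures(SAMPLE_LOG)))
```

To run it against a real log, pass the contents of the vpxd log file to `parse_failures` instead of `SAMPLE_LOG`.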