Symptoms
HCX Site Pairing is down and shows the error message below.
Host name '<DEST_IP>' does not match the certificate subject provided by the peer (CN=hcx.sddc-xxx-xxx-xxx-xxx.vmwarevmc.com, O="VMware, Inc", L=Palo Alto, ST=California, C=US)
Cause
The VMware team replaces the certificate of the HCX Cloud deployed on VMC on AWS as needed so that it does not expire. If the Site Pairing is configured with an IP address, it is disconnected because of the certificate mismatch: the IP address does not match the certificate subject, which names the HCX FQDN.
Impact / Risks
If the Site Pairing is down, configuration workflows will fail and no migrations can be scheduled from HCX Connector or source Cloud Manager. Existing Network Extension services will remain active indefinitely but no configuration changes can be made on those, except for "unstretch", which can be forced from the target HCX Cloud Manager's side.
Resolution
Add a Site Pairing that uses the HCX FQDN in the "Remote HCX URL" field. The existing Site Pairing will be overridden.
If your On-Premise network is connected with VMC via Direct Connect or VPN, configure the HCX FQDN resolution address with the Private IP in the VMC console.
Set HCX FQDN Resolution Address: https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/com.vmware.vmc-aws-networking-security/GUID-BB1075F2-0D72-4A21-A8C4-24E45E37C8EF.html
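The name check behind this error, as an added example (not VMware's code): it tests the host part of a Remote HCX URL against a certificate in the dict shape returned by Python's ssl.SSLSocket.getpeercert(). The sample certificate, the 192.0.2.10 address and the function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# the name is the placeholder CN from the error message, not a real host.
SAMPLE_CERT = {
    "subject": ((("commonName", "hcx.sddc-xxx-xxx-xxx-xxx.vmwarevmc.com"),),),
    "subjectAltName": (("DNS", "hcx.sddc-xxx-xxx-xxx-xxx.vmwarevmc.com"),),
}

def _dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p, h = pattern.lower().rstrip(".").split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """Return (dns_names, ip_addresses) the certificate is valid for."""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    if not dns and not ips:  # legacy fallback to the subject CN when there is no SAN
        dns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return dns, ips

def check_remote_hcx_url(url, cert):
    """Return (ok, reason) for the host part of a Remote HCX URL against cert."""
    host = urlsplit(url if "//" in url else "//" + url).hostname
    if not host:
        return False, "no host in URL"
    dns, ips = cert_names(cert)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal, so compare as a DNS name
        ok = any(_dns_match(n, host) for n in dns)
        return ok, "FQDN matches certificate" if ok else f"{host} not in {dns}"
    ok = any(ipaddress.ip_address(i) == addr for i in ips)
    return ok, "IP listed in certificate" if ok else (
        f"paired by IP {host}, certificate only names {dns}: re-pair with the FQDN")

if __name__ == "__main__":
    for url in ("https://192.0.2.10", "https://hcx.sddc-xxx-xxx-xxx-xxx.vmwarevmc.com"):
        print(url, check_remote_hcx_url(url, SAMPLE_CERT))
```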
Workaround
Import the new certificate into the HCX Connector with the steps below. This operation has to be done on your On-Premise side.
1. Click vSphere Client > HCX > Infrastructure > Site Pairing.
2. Click the "EDIT CONNECTION" link in the existing Site Pairing.
3. Fill in the "cloudadmin@vmc.local" password and click the "EDIT" button.
4. Click the "IMPORT CERTIFICATE" button on the "Certificate Warning" popup.