VMware Solutions Discussions
Hi, this is a new installation of ONTAP tools for VMware vSphere 10.5.
When we click on the OTV plugin within vCenter, buttons are all greyed out - hovering over displays "Insufficient privilege"
Per the following NetApp KB, we've verified that both forward and reverse DNS is functioning normally: https://kb.netapp.com/data-mgmt/OTV/VSC_Kbs/Insufficient_privilege_in_OTV_10_x_options
We've also already added the OTV service account as a member to the global AD Security group: "vSphere8 vCenter Admins" and assigned that same AD Security Group to the vCenter "Administrator" role and it doesn't work.
We also attempted an OTV installation using the vsphere.local admin account and that also didn't work.
We've attempted the installation and setup on 2 separate/different lab (test/dev/non-prod) environment vCenters and are seeing the same behavior across them both.
Any ideas?
Also raised the following Discord thread: https://discord.com/channels/855068651522490400/1445184071356518421
I have heard of that happening before, but I'm not sure what the final resolution was. I'll ask around and see if I can find out.
@ChanceBingen - sounds good, ty!
One of the causes seems to be that ONTAP tools will extract all of the possible hostnames from the common name and list of all Subject Alternative Names (SANs) in vCenter's x509Certificate.
Can you check this and see if anything looks weird?
Yes, all the entries are correct. Seeing all vCenters currently listed, including the two we are actively testing against.
Ok, good to know. One last question, does the certificate have an IP SAN? And if so, can you do a "ping -a" on it to see if it reverse resolves?
If that doesn't yield any results, we might need you to open a support case so that we can look at the error message in the logs.
No, the certificate only has DNS names currently listed in the SAN, no IPs. vCenter currently has both forward + reverse DNS entries. Am able to successfully ping both IP + DNS. Also, nslookups from diag shell also succeed for both forward and reverse lookups per the following KB:
https://kb.netapp.com/data-mgmt/OTV/VSC_Kbs/Insufficient_privilege_in_OTV_10_x_options
Out of curiosity, when you added the vCenter in the ONTAP tools manager UI, did you specify it by IP address or FQDN?
The reason I ask is that if you add vCenter by IP address, then it expects an IP SAN in the certificate.
FQDN. BTW - raised a NetApp Support case
Sounds good. We'll need to see what the specific error is in the log bundle, which I don't want to ask you to post here.
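The checks discussed in this thread (every name in the certificate's common name and SAN list resolves, any IP SAN reverse resolves, and a vCenter registered by IP has an IP SAN) can be scripted. The following is an added example, not part of any post above and not ONTAP tools' own logic; it assumes the certificate is supplied in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the function names, hostnames and address are constructed placeholders.

```python
import ipaddress
import socket

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# the hostnames and address are placeholders, not values from the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "vcsa01.lab.example"),),),
    "subjectAltName": (
        ("DNS", "vcsa01.lab.example"),
        ("DNS", "vcsa01"),
        ("IP Address", "192.0.2.10"),
    ),
}

def cert_names(cert):
    """Return (dns_names, ip_sans) from the CN and every SAN entry."""
    dns, ips = [], []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in dns:
                dns.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and value not in dns:
            dns.append(value)
        elif kind == "IP Address" and value not in ips:
            ips.append(value)
    return dns, ips

def check_cert(cert, registered_as, forward=socket.gethostbyname,
               reverse=socket.gethostbyaddr):
    """List the name-resolution problems the thread asks about."""
    dns, ips = cert_names(cert)
    findings = []
    for name in dns:                      # every CN/SAN hostname must resolve
        try:
            forward(name)
        except OSError:                   # gaierror/herror subclass OSError
            findings.append(f"no forward DNS for {name}")
    for ip in ips:                        # same test as "ping -a" on an IP SAN
        try:
            reverse(ip)
        except OSError:
            findings.append(f"no reverse DNS for IP SAN {ip}")
    try:                                  # registered by IP => IP SAN expected
        ipaddress.ip_address(registered_as)
        if registered_as not in ips:      # assumption: SAN equals that address
            findings.append(f"registered by IP {registered_as} but no IP SAN for it")
    except ValueError:
        pass                              # registered by FQDN
    return findings
```

An empty list means none of the three conditions was found; `forward` and `reverse` default to the system resolver and can be replaced for offline testing.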