In avSAN Stretched Cluster, communication between thewitness nodeanddata nodesrequires several specific TCP/UDP ports. The ability to successfully execute:

vmkping -I -s 1472 -d

confirms that:

L2/L3 connectivity is present

MTU is correctly configured

ICMP traffic flows without fragmentation

However,vmkping alone does not verify vSAN control-plane communication.

For the vSAN Witness to properly form a cluster,TCP port 12321must be openbidirectionallybetween:

Witness → Data nodes

Data nodes → Witness

Port12321is required for:

vSAN cluster membership

Witness traffic

vSAN object health/state synchronization

If this port is blocked by firewall policy or misconfigured network ACLs, the nodes can ping each other, butvSAN witness traffic will fail, preventing the stretched cluster from forming.

Why the other options are incorrect:

B. Port 443— Required for management, not cluster formation.

C. No VMs in cluster— Hasno impacton witness formation.

D. Jumbo frames not enabled— Already ruled out by the successful 1472-byte vmkping with DF bit.