https://community.cloudera.com/t5/Support-Questions/Zookeeper-Service-showing-quot-bad-health-quot-after/m-p/414182#M254758 <P>Cloudera Support helped me resolved this issue.</P><DIV><DIV><SPAN>*</SPAN><SPAN> The "Bad Health" status displayed in Cloudera Manager was a false-positive monitoring alert.</SPAN></DIV><DIV><SPAN>*</SPAN><SPAN> The Cloudera Manager Service Monitor (SMON) was failing its secure TLS connection handshakes to ZooKeeper due to strict endpoint identification checks introduced in modern Java runtimes (Java 17). Because SMON couldn't pull health metrics, it flagged ZooKeeper as down.</SPAN></DIV><DIV><SPAN>*</SPAN><SPAN> The solution is to configure the JVM argument inside the SMON configuration "Java Configuration Options for Service Monitor (firehose_java_opts)" to bypass the strict certificate hostname checks: </SPAN><SPAN>`-Djdk.rmi.ssl.client.enableEndpointIdentification=false`</SPAN><SPAN>.</SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>This cluster is 7.1.9sp1 with 7.13.1 CM. Strangely, another cluster, which has the same cluster version, CM version, and Java version, had no such issue. It was set up six months ago.</SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>Thanks for all the responses.</SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>Best regards,</SPAN></DIV></DIV> Tue, 02 Jun 2026 17:40:01 GMT Seaport 2026-06-02T17:40:01Z https://community.cloudera.com/t5/Support-Questions/Zookeeper-Service-showing-quot-bad-health-quot-after/m-p/414149#M254670 <P>I just finished installing a new cluster but failed to start the zookeeper service. Each instance started but had the "bad health" flag. The zookeeper log on node 3 showed this error repeatedly.&nbsp;</P><P>++++<BR />Cannot open channel to 1 at election address node1/61.62.63.1:4181<BR />java.net.ConnectException: Connection refused<BR />++++</P><P>On node 3, the connection to node 1 zookeeper port showed no issue.</P><P>$ nc -zv node1 4181<BR />Ncat: Version 7.92 ( <A href="https://nmap.org/ncat" target="_blank">https://nmap.org/ncat</A> )<BR />Ncat: Connected to 61.62.63.1:4181.<BR />Ncat: 0 bytes sent, 0 bytes received in 0.01 seconds.</P><P>On node1, the zookeeper port is open too<BR />$ ss -tulnp | grep 4181<BR />tcp LISTEN 0 50 61.62.63.1:4181 0.0.0.0:*</P><P>The private cloud base cluster is 7.1.9 sp1.</P><P>Thank you.</P><P>Regards,</P> Mon, 01 Jun 2026 17:15:18 GMT https://community.cloudera.com/t5/Support-Questions/Zookeeper-Service-showing-quot-bad-health-quot-after/m-p/414149#M254670 Seaport 2026-06-01T17:15:18Z https://community.cloudera.com/t5/Support-Questions/Zookeeper-Service-showing-quot-bad-health-quot-after/m-p/414152#M254734 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/45630">@Seaport</a>&nbsp;Hello team&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/47030">@pajoshi</a>&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/80101">@shubham_sharma</a>&nbsp;<BR />Do you have any insights here? Thanks!</P> Mon, 01 Jun 2026 21:54:23 GMT https://community.cloudera.com/t5/Support-Questions/Zookeeper-Service-showing-quot-bad-health-quot-after/m-p/414152#M254734 DianaTorres 2026-06-01T21:54:23Z https://community.cloudera.com/t5/Support-Questions/Zookeeper-Service-showing-quot-bad-health-quot-after/m-p/414157#M254742 <P>Hello&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/45630">@Seaport</a>&nbsp;,</P><P>Can you check if the reverse DNS lookup is working fine from each zookeeper host. Also worth checking the zoo.cfg file under the latest /var/run/cloudera-scm-agent/process/ xxxx-zookeeper-server/ directory to check how the servers and ports are configured.</P> Tue, 02 Jun 2026 07:38:39 GMT https://community.cloudera.com/t5/Support-Questions/Zookeeper-Service-showing-quot-bad-health-quot-after/m-p/414157#M254742 rki_ 2026-06-02T07:38:39Z https://community.cloudera.com/t5/Support-Questions/Zookeeper-Service-showing-quot-bad-health-quot-after/m-p/414182#M254758 <P>Cloudera Support helped me resolved this issue.</P><DIV><DIV><SPAN>*</SPAN><SPAN> The "Bad Health" status displayed in Cloudera Manager was a false-positive monitoring alert.</SPAN></DIV><DIV><SPAN>*</SPAN><SPAN> The Cloudera Manager Service Monitor (SMON) was failing its secure TLS connection handshakes to ZooKeeper due to strict endpoint identification checks introduced in modern Java runtimes (Java 17). Because SMON couldn't pull health metrics, it flagged ZooKeeper as down.</SPAN></DIV><DIV><SPAN>*</SPAN><SPAN> The solution is to configure the JVM argument inside the SMON configuration "Java Configuration Options for Service Monitor (firehose_java_opts)" to bypass the strict certificate hostname checks: </SPAN><SPAN>`-Djdk.rmi.ssl.client.enableEndpointIdentification=false`</SPAN><SPAN>.</SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>This cluster is 7.1.9sp1 with 7.13.1 CM. Strangely, another cluster, which has the same cluster version, CM version, and Java version, had no such issue. It was set up six months ago.</SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>Thanks for all the responses.</SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>Best regards,</SPAN></DIV></DIV> Tue, 02 Jun 2026 17:40:01 GMT https://community.cloudera.com/t5/Support-Questions/Zookeeper-Service-showing-quot-bad-health-quot-after/m-p/414182#M254758 Seaport 2026-06-02T17:40:01Z