HCL and TLS config versus connections refused logs

  1. Welcome to the forum - please reformat your message

  1. It seems surprising to me that you have two listener "tcp" blocks. Yes, I do see you’re using that to serve different TLS certificates on port 8200 vs. 9200, but Vault nodes do not talk to each other on their API port, except for the one narrow exception of the initial join to a new Raft cluster.

The actual “east-west” traffic in normal operation is flowing on port 8201.

No, you must absolutely not do that, as the Vault cluster_addr must be unique per node, and route directly to a particular node.

Is the listed IP address correct for your nodes?

Are there firewalls that could be blocking connections between nodes?

Is the Vault server process on the destination node actually running at these times? If so, what is the destination Vault logging around this time?
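As an added illustration (not from this thread or from HashiCorp's own docs) of the layout described above: one listener per node serving the API on 8200, the cluster port 8201 carried by that same listener, and api_addr / cluster_addr set per node so each routes to exactly that node. The hostnames, paths and node_id are assumed placeholder values.

```hcl
# Assumed example config for node "vault-1"; every other node gets its own
# node_id, api_addr and cluster_addr pointing at itself.
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-1"

  # Initial join is the only time the API port (8200) is used node-to-node.
  retry_join {
    leader_api_addr = "https://vault-2.example.internal:8200"
  }
}

# A single listener serves the API on 8200 and the Raft/cluster traffic on 8201.
listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_cert_file   = "/etc/vault.d/tls/vault-1.crt"
  tls_key_file    = "/etc/vault.d/tls/vault-1.key"
}

# Advertised addresses: cluster_addr must be unique per node and must resolve
# directly to this node (no shared load-balancer name here).
api_addr     = "https://vault-1.example.internal:8200"
cluster_addr = "https://vault-1.example.internal:8201"
```

With this layout, "connection refused" between nodes is something to investigate on port 8201 (process running, firewall path open, cluster_addr resolving to the right host), not on the API listeners.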