You open Lifecycle Management → Download Bundles in SDDC Manager (or VCF Operations Fleet Management) to pull the VCF 9.0.2 bundles, and instead of progressing, components such as vCenter, NSX and VCF Operations flip to Failed while others sit at Not downloaded — even though the depot reports Connection Active. In almost every case this is a depot authorization or configuration problem, not a broken network. Below is how to read the signal and fix each root cause.
dl.broadcom.com:443 over the network (L3/L4). It does not confirm that your download token is valid or entitled (L7/application layer). A 403 download failure on an “active” depot is the classic fingerprint of a token or entitlement issue.
What the failure looks like
In the SDDC Manager UI the bundle rows show a red Failed chip. In the logs (/var/log/vmware/vcf/lcm/lcm-debug.log) you will see entries similar to:
BundleDownloadFailureException: Error [403] downloading bundle [/COMP/...]
from dl.broadcom.com:443. Please retry download.
vCenter bundles can also surface as HTTPException: 500 Internal Server Error. A generic “Retrieving SDDC Manager upgrade bundles failed. A problem has occurred on the server.” points instead at local metadata corruption (Fix E).
Root causes at a glance
| Cause | Signature | Go to |
|---|---|---|
| Invalid or expired download token | 403 / 401, depot still “active” | Fix A |
| Site ID not entitled for that version | 403 “Not Entitled” / Cloudflare 1101 | Fix B |
| Online depot HTTPS disabled | 400 Bad Request, “Internal error while validating credentials” | Fix C |
| Proxy misconfigured / NTLMv2 | Connection or auth errors only when a proxy is in path | Fix D |
| Corrupt Product Version Catalog | Generic server error, downloads fail, depot looks healthy | Fix E |
| No internet to the depot at all | Cannot fetch index file from depot | Fix F |
Step-by-step troubleshooting
- Read the HTTP code in the log. The number in brackets (403, 401, 400, 500) tells you which fix applies — do not guess from the UI chip.
- Test the token directly in a browser (see the token test table below). This isolates a token/entitlement problem from anything inside SDDC Manager in under a minute.
- Confirm the depot mode (online vs offline) and that HTTPS is enabled for online depots.
- Apply the matching fix below, then return to Lifecycle Management and retry only the failed bundles.
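A triage sketch for the first step above, added here as an example and not taken from Broadcom tooling: it extracts the HTTP codes from the three log signatures quoted in this article and maps each to the matching fix. The function names and the sample lines are constructed for illustration; real lcm-debug.log lines carry additional fields around these strings.

```shell
#!/bin/sh
# Added triage sketch (not Broadcom tooling). Function names are illustrative.
# Usage on the appliance: triage /var/log/vmware/vcf/lcm/lcm-debug.log

# Print "count code" for each distinct HTTP code found in the log file.
# The three patterns are the log signatures quoted in this article.
extract_codes() {
    sed -n \
        -e 's/.*Error \[\([0-9][0-9][0-9]\)] downloading bundle.*/\1/p' \
        -e 's/.*Http error\[\([0-9][0-9][0-9]\)] fetching.*/\1/p' \
        -e 's/.*HTTPException: \([0-9][0-9][0-9]\) .*/\1/p' \
        "$1" | sort | uniq -c | awk '{print $1, $2}'
}

# Map a code to the fix this article assigns to it.
fix_for_code() {
    case "$1" in
        401|403) echo "Fix A/B: token or Site ID entitlement" ;;
        400)     echo "Fix C: enable HTTPS for the online depot" ;;
        500)     echo "check entitlement, then open a ticket" ;;
        *)       echo "no mapping in this article" ;;
    esac
}

# One summary line per code, so the most frequent failure is obvious.
triage() {
    extract_codes "$1" | while read -r count code; do
        printf '%s x%s -> %s\n' "$code" "$count" "$(fix_for_code "$code")"
    done
}

# Constructed sample reusing the strings quoted above; the last line is
# constructed noise that must not produce a code.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
BundleDownloadFailureException: Error [403] downloading bundle [/COMP/...] from dl.broadcom.com:443. Please retry download.
BundleDownloadFailureException: Error [403] downloading bundle [/COMP/...] from dl.broadcom.com:443. Please retry download.
HTTPException: 500 Internal Server Error
Got Http error[400] fetching productVersionCatalog.json
Depot connection status: ACTIVE
EOF
triage "$SAMPLE"
```

A code that appears many times in the summary is the one to act on first; a lone 500 next to repeated 403s usually belongs to the same entitlement problem.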
Fix A — Regenerate and update the download token (403 / 401)
The token configured in SDDC Manager is invalid or expired. Generate a fresh one from an entitled Site ID and re-apply it:
- Log in to the Broadcom Support Portal and, under your entitled Site ID, generate a new VCF download token (Quick Links → Generate Token).
- In SDDC Manager, go to Administration → Depot Settings → Update Credentials, paste the new token and save.
- Wait for the connection re-test to pass, then retry the failed downloads.
Fix B — Confirm Site ID entitlement (403 “Not Entitled”)
If the token is syntactically valid but downloads still 403, the Site ID likely lacks an active entitlement for the exact product/version. For example, a contract with only vSphere 8.x keys cannot pull 7.x, and a Site ID without a VCF 9 entitlement cannot pull 9.0.2 bundles.
- In My Entitlements, look up the Site ID tied to the token.
- Expand the product, open Licensing, and confirm an active contract exists for the version you are downloading.
- If it is missing or on the wrong version, fix the license assignment (or use a different entitled Site ID) and regenerate the token.
Fix C — Enable HTTPS for the online depot (400 / validation error)
If configuring the online depot fails with “Failed to connect to VMware depot with the provided user credentials. Cause: Internal error while validating credentials” while the token is valid, the LCM config has HTTPS turned off. The log shows Got Http error[400] fetching productVersionCatalog.json.
- Edit /opt/vmware/vcf/lcm/lcm-app/conf/application-prod.properties and set:
  lcm.depot.adapter.httpsEnabled=true
- Restart LCM:
  systemctl restart lcm
- Reconfigure the depot and retry.
Fix D — Check the proxy path
If a proxy sits between SDDC Manager and the internet, verify the proxy host, port and credentials are correct and reachable. Note that VCF does not support proxy servers using NTLMv2 authentication — if that is your proxy, you must use a supported auth method or bypass the proxy for dl.broadcom.com.
Fix E — Regenerate a corrupt Product Version Catalog
If the symptom is the generic “A problem has occurred on the server” message with a healthy-looking depot, SDDC Manager may have a corrupt productVersionCatalog.json — common after switching depots or interrupting downloads. SDDC Manager does not self-repair it, but deleting it forces a clean regeneration.
- SSH to SDDC Manager:
  ssh vcf@<sddc-manager-fqdn>
- Remove the catalog file:
  rm -f /nfs/vmware/vcf/nfs-mount/metadata/productVersionCatalog.json
- In VCF Operations → Fleet Management → Lifecycle, select your VCF instance to trigger a refresh. Within a few minutes the catalog regenerates and bundles reappear.
productVersionCatalog.sig and vcfManifest.json remain, and the catalog is rebuilt from the depot. This aligns with how SDDC Manager manages its own metadata.
Fix F — Offline depot / Download Tool fallback
If the appliance genuinely cannot reach an online depot (air-gapped, restricted egress, or “unable to fetch index file from the depot”), use the VMware Cloud Foundation Download Tool on an internet-connected host to pull the binaries, then host them on an offline depot for SDDC Manager. Confirm firewall egress to dl.broadcom.com:443 before assuming the depot itself is at fault.
Token test URLs & status codes
Paste a depot URL into a browser with your token substituted to see the raw return code. This is the fastest way to separate a token problem from an SDDC Manager problem:
| Return code | Meaning |
|---|---|
| 200 | Token works — problem is elsewhere (depot config, proxy, catalog) |
| 401 | Token expired — check the Site ID has an active contract |
| 403 | Invalid token, bad path, or Not Entitled — see Fix A / Fix B |
| 404 | File not found in bucket — verify the URL/path |
| 500 | Connected to CDN but blob download failed — check entitlement, then open a ticket |
| 1101 | Cloudflare error — also indicates an entitlement issue |
When to open a Broadcom ticket
If the browser token test returns 200 for all four reference URLs (ESXi 7.x/8.x and vCenter 7.x/8.x) but SDDC Manager still fails, or you get a persistent 500 on a confirmed-entitled token, the issue is server-side — raise a support request from the Broadcom portal with the lcm-debug.log excerpt and the exact HTTP code.
Quick recap
- 403 / 401 → token or entitlement (Fix A/B) — the most common cause.
- 400 + validation error → enable depot HTTPS (Fix C).
- Generic server error → regenerate the Product Version Catalog (Fix E).
- Always trust the HTTP code in the log over the “Depot Connection Active” banner.
References
- Broadcom KB 420374 — Bundle Downloads Fail with 403 Forbidden from dl.broadcom.com:443
- Broadcom KB 415485 — Online depot configuration fails: “Failed to connect to VMware depot with the provided user credentials”
- Broadcom KB 395322 — VCF Authenticated Downloads Token Troubleshooting Guide
- Broadcom KB 399583 — Products and versions are not listed in VMware Cloud Foundation
- Broadcom TechDocs — Download VCF 9.0 Upgrade Bundles (online/offline depot) and the VCF Download Tool
Part of the VMware Cloud Foundation 9 Complete Guide series.








