Unable to access vCenter after updating firewall rules from VAMI page
Article ID: 315447

Products

VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

This KB addresses the loss of access that occurs when a "block all ingress traffic" rule is mistakenly added while creating or editing a vCenter firewall rule.

Symptoms:

A customer who makes firewall changes from the vCenter VAMI ends up losing access to vCenter.

This can happen if the customer entered the wrong IP address, blocked a complete subnet range, or mistakenly enabled the iptables service from the command line.

The vCenter services will be up and running, but the vCenter UI will not be accessible.

Resolution

To restore/fix the firewall changes

Identify the problem:

  • From the vCenter server console, run:
iptables -nL | less
  • This lists the firewall rules currently loaded in the kernel.
  • In that output, the highlighted entry is the rule the customer added from VAMI.
  • NOTE: If you see the following, the iptables service has been erroneously enabled.


To resolve if the iptables service has been enabled:

  • Run the following command:
chkconfig iptables off


To resolve if a bad firewall rule was added by mistake:

  • Export the current firewall rules:
iptables-save > /var/tmp/iptables.rules.default
  • Take a backup of the exported file:
cp /var/tmp/iptables.rules.default /root/var/tmp/iptables.rules.default.backup
  • Edit the file, check every line for the rule identified above, remove that entry, and save the file:
vi /var/tmp/iptables.rules.default
  • Run less on the file again and make sure that the entry is gone.
  • Now restore the firewall rules from the edited file:
iptables-restore < /var/tmp/iptables.rules.default
  • Run the first command (iptables -nL) again and make sure the rule is no longer present:
iptables -nL | less
  • Once done, wait a minute or so; traffic to the vCenter IP/FQDN should start flowing again.
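The backup, remove and verify steps above can also be done without hand-editing the file in vi. The following is an added example and not part of this KB: the dump contents and the rule text are constructed placeholders, and the functions only touch the exported file, so iptables-save and iptables-restore are still run separately as described above.

```shell
#!/bin/sh
# Added example, not from the KB: back up an exported iptables-save file,
# drop one mistaken rule from it, and verify the result before restoring.
# The sample dump below is constructed; it is not real vCenter output.

# remove_rule FILE RULE
#   Copies FILE to FILE.backup, writes FILE.fixed with every line that
#   exactly equals RULE removed, and prints how many lines were dropped.
#   Whole-line, fixed-string matching (-x -F) so that a broad rule such as
#   "-A INPUT -j DROP" does not also remove narrower rules containing it.
remove_rule() {
    cp -- "$1" "$1.backup" || return 1
    grep -vxF -- "$2" "$1" > "$1.fixed"
    n_before=$(wc -l < "$1")
    n_after=$(wc -l < "$1.fixed")
    echo $((n_before - n_after))
}

# rule_present FILE RULE -> exit 0 if RULE is still in FILE
# (the same check the KB does by reading the file again with less)
rule_present() {
    grep -qxF -- "$2" "$1"
}

# make_sample FILE: writes a constructed dump containing a mistaken
# "block the whole subnet" rule (192.0.2.0/24 is a placeholder range).
make_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -j DROP
COMMIT
EOF
}
```

Review FILE.fixed before passing it to iptables-restore, exactly as the KB does with less, since the match is on the literal rule line and a rule written slightly differently would be left in place.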