Unable to access vCenter after updating firewall rules from VAMI page

Article ID: 315447

Products

VMware vCenter Server, VMware vSphere ESXi

Issue/Introduction

This KB addresses the loss of access that results when a "block all ingress traffic" rule is mistakenly added while creating or editing a vCenter firewall rule.

Symptoms:

Attempts to make firewall changes from the vCenter VAMI result in losing access to vCenter.

This can happen if an incorrect IP is entered, an entire subnet range is blocked, or the iptables service is mistakenly enabled from the command line.

vCenter services will be up and running, but the vCenter UI will not be accessible.

Resolution

To restore/fix the firewall changes:

Identify the problem:

  • From the vCenter server console run:
iptables -nL | less
  • This lists the firewall rules currently loaded in the kernel.
  • Locate the entry that was added through VAMI (the rule that blocks all ingress traffic); note its chain and match fields so it can be found again in the exported file.
  • NOTE: Also check whether the iptables service itself has been erroneously enabled; if it has, correct that first as described below.

 

To resolve if the iptables service has been enabled:

  • Run the following command:
chkconfig iptables off

 

To resolve if a bad firewall rule was added by mistake:

  • Export the current rules using:
iptables-save > /var/tmp/iptables.rules.default
  • Take a backup of the exported file:
cp /var/tmp/iptables.rules.default /var/tmp/iptables.rules.default.backup
  • Edit the file, check every line for the rule identified above, remove that entry, and save the file:
vi /var/tmp/iptables.rules.default
  • View the file again (less) and make sure that the entry is gone.
  • Now restore the firewall rules from the edited file:
iptables-restore < /var/tmp/iptables.rules.default
  • Run iptables -nL again and make sure the rule is no longer listed:
iptables -nL | less
  • Once done, wait for a minute or so; traffic to the vCenter IP/FQDN should resume.
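The following shell script is an added example, not part of this KB or of VMware's tooling. It walks the same export, back up, edit and verify sequence described above, but does the edit with grep instead of vi so the result can be checked before anything is restored. The ruleset it works on is constructed for illustration: the chain name, the individual rules and the counters are assumptions, and the pattern that classifies a rule as a blanket block (a DROP or REJECT with no protocol or port match, optionally limited to a source address or subnet) is the example's own generalization of the "incorrect IP / entire subnet" mistakes the Symptoms section lists.

```shell
#!/bin/sh
# Added example (not part of the KB): remove a mistaken blanket DROP/REJECT rule
# from an exported iptables ruleset, following the KB's export -> back up ->
# edit -> verify flow, with the edit done by grep instead of vi so it can be
# checked before anything is restored. The ruleset below is constructed for
# illustration; the chain name, rules and counters are assumptions.

# Constructed sample of what `iptables-save > /var/tmp/iptables.rules.default`
# might produce. The "-s 0.0.0.0/0 -j DROP" line stands in for the "block all
# ingress traffic" rule added through VAMI: it matches every IPv4 source and
# sits before the ACCEPT rules for 443 (vSphere Client) and 5480 (VAMI).
SAMPLE_RULES='# Generated by iptables-save v1.6.2
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 0.0.0.0/0 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5480 -j ACCEPT
COMMIT'

# A rule that drops or rejects with no protocol/port match, optionally limited
# to a source address or subnet: the shape of a mistaken "block all" or
# "block whole subnet" entry. Rules that name a protocol or port never match.
BLOCK_RE='^-A [^ ]+ (-s [^ ]+ )?-j (DROP|REJECT)$'

# count_blocking_rules FILE: print how many such rules FILE contains.
count_blocking_rules() {
    grep -Ec "$BLOCK_RE" "$1" || true    # grep -c exits 1 on zero matches
}

# list_blocking_rules FILE: print the offending lines so they can be reviewed
# before removal (the equivalent of spotting the line in vi).
list_blocking_rules() {
    grep -E "$BLOCK_RE" "$1" || true
}

# remove_blocking_rules IN OUT: copy IN to IN.backup (the KB's backup step),
# then write IN without the blocking rules to OUT. Everything else, including
# the *filter/COMMIT framing that iptables-restore requires, is kept verbatim.
remove_blocking_rules() {
    in="$1"; out="$2"
    cp "$in" "$in.backup"
    grep -Ev "$BLOCK_RE" "$in" > "$out"
}

# is_restorable FILE: cheap sanity check that the edited file still has the
# table header and COMMIT line, so iptables-restore will not reject it outright.
is_restorable() {
    grep -q '^\*filter$' "$1" && grep -q '^COMMIT$' "$1"
}

# Demonstration on the constructed sample in a scratch directory.
WORK=$(mktemp -d)
printf '%s\n' "$SAMPLE_RULES" > "$WORK/iptables.rules.default"
echo "blocking rules found:"
list_blocking_rules "$WORK/iptables.rules.default"
remove_blocking_rules "$WORK/iptables.rules.default" "$WORK/iptables.rules.fixed"
echo "blocking rules left after edit: $(count_blocking_rules "$WORK/iptables.rules.fixed")"
is_restorable "$WORK/iptables.rules.fixed" && echo "edited file is well-formed"
# On the appliance the last step would be:
#   iptables-restore < "$WORK/iptables.rules.fixed"
# which is deliberately not run here.
```

Review the output of list_blocking_rules before restoring: the pattern is deliberately broad, and a legitimate source-based block would also be matched. Because remove_blocking_rules keeps an untouched .backup copy, a bad edit can be undone on the appliance with iptables-restore < /var/tmp/iptables.rules.default.backup, which is exactly why the KB has you take that backup before opening the file in vi.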