Deployment of Virtual Container Host fails with "failed to validate VCH: Firewall must permit dst 2377/tcp outbound to the VCH management interface"

Article ID: 324443

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:
Deployment of Virtual Container Host fails with "failed to validate VCH: Firewall must permit dst 2377/tcp outbound to the VCH management interface"

Environment

VMware vSphere Integrated Containers 1.x

Cause

  • ESXi hosts communicate with the Virtual Container Hosts through port 2377 via Serial Over LAN. For deployment of a VCH to succeed, port 2377 must be open for outgoing connections on all ESXi hosts before you run vic-machine create.
  • Opening port 2377 for outgoing connections on ESXi hosts opens port 2377 for inbound connections on the VCHs.

Resolution

  • The vic-machine utility includes an update firewall command that you can use to modify the firewall on a standalone ESXi host or on all of the ESXi hosts in a cluster.
  • You use the --allow and --deny flags to enable and disable a firewall rule named vSPC. When enabled, the vSPC rule allows outbound TCP traffic on port 2377 from the target host or hosts. If you disable the rule, you must configure the firewall by another method to allow outbound connections on port 2377 over TCP. If you neither enable the rule nor configure the firewall, vSphere Integrated Containers Engine does not function, and you cannot deploy VCHs.
  • The vic-machine create command does not modify the firewall. Run vic-machine update firewall --allow before you run vic-machine create.
 
  1. Open a terminal on the system on which you downloaded and unpacked the vSphere Integrated Containers Engine binary bundle.
  2. Navigate to the directory that contains the vic-machine utility.
  3. Run the vic-machine update firewall command.

    To open the appropriate ports on all of the hosts in a vCenter Server cluster, run the following command:

    # operating_system is the suffix of the vic-machine binary for your platform
    $ vic-machine-operating_system update firewall \
    --target vcenter_server_address/datacenter \
    --user "Administrator@vsphere.local" \
    --password vcenter_server_password \
    --compute-resource cluster_name \
    --thumbprint thumbprint \
    --allow
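The following pre-flight check is an added example, not part of the KB article or the vic-machine project. It checks, before vic-machine create is run, whether the vSPC rule is enabled on every host in the cluster, and builds the update firewall command from the Resolution section for the hosts that need it. It assumes that the per-host text is the output of `esxcli network firewall ruleset list` captured by the operator, that the ruleset id of the rule is `vSPC` (the name the article gives), and that the binary is named `vic-machine-linux`; the host names, passwords and thumbprint are constructed placeholders.

```python
"""Pre-flight check for the ESXi vSPC firewall rule before running vic-machine create.

Added example; not code from the VMware KB article or the vic-machine project.
Assumptions: host_outputs values are `esxcli network firewall ruleset list`
output as captured by the operator, the vSPC ruleset id is `vSPC`, and the
vic-machine binary is `vic-machine-linux`.
"""
import shlex

VCH_MGMT_PORT = 2377   # TCP port that must be open outbound on every ESXi host
VSPC_RULESET = "vSPC"  # firewall rule name given in the KB article


def parse_ruleset_list(text: str) -> dict:
    """Parse `esxcli network firewall ruleset list` output into {name: enabled}.

    The header row and the dashed separator are skipped; the Enabled column is
    read as a case-insensitive 'true'/'false'.
    """
    rules = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or set(parts[1]) == {"-"}:
            continue
        name, enabled = parts
        if enabled.lower() not in ("true", "false"):
            continue  # header row ("Name Enabled") or other noise
        rules[name] = enabled.lower() == "true"
    return rules


def hosts_blocking_vch(host_outputs: dict) -> list:
    """Return the hosts on which the vSPC rule is missing or disabled.

    Any host listed here causes the 'Firewall must permit dst 2377/tcp outbound'
    validation error when vic-machine create targets its cluster.
    """
    return sorted(
        host for host, text in host_outputs.items()
        if not parse_ruleset_list(text).get(VSPC_RULESET, False)
    )


def update_firewall_cmd(target, user, password, compute_resource, thumbprint,
                        binary="vic-machine-linux", allow=True) -> str:
    """Build the vic-machine update firewall command from the KB, shell-quoted."""
    argv = [binary, "update", "firewall",
            "--target", target,
            "--user", user,
            "--password", password,
            "--compute-resource", compute_resource,
            "--thumbprint", thumbprint,
            "--allow" if allow else "--deny"]
    return " ".join(shlex.quote(a) for a in argv)


# Constructed sample output for two hosts (not captured from a real system).
SAMPLE_OUTPUTS = {
    "esxi-01.example.test": (
        "Name        Enabled\n"
        "----------  -------\n"
        "sshServer   true\n"
        "vSPC        true\n"
    ),
    "esxi-02.example.test": (
        "Name        Enabled\n"
        "----------  -------\n"
        "sshServer   true\n"
        "vSPC        false\n"
    ),
}

if __name__ == "__main__":
    bad = hosts_blocking_vch(SAMPLE_OUTPUTS)
    if bad:
        print(f"vSPC rule disabled on: {', '.join(bad)}; run this before vic-machine create:")
        print(update_firewall_cmd("vcenter.example.test/dc1", "Administrator@vsphere.local",
                                  "<vcenter_server_password>", "cluster_name", "<thumbprint>"))
    else:
        print(f"vSPC rule enabled on all hosts; port {VCH_MGMT_PORT}/tcp outbound is permitted.")
```

Because vic-machine update firewall acts on every host in the compute resource, the check is mainly useful for confirming the result afterwards and for spotting a host that was added to the cluster later with the rule still disabled.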


Additional Information

Link : https://vmware.github.io/vic-product/assets/files/html/1.5/vic_vsphere_admin/open_ports_on_hosts.html