Applying the ESXi host profile fails with the error: Error while setting firewall configuration for vsanvp
Article ID: 338025

Products

VMware vSphere ESXi

Issue/Introduction


  • Cannot apply the ESXi host profile
  • Applying the ESXi host profile fails with the error:

    Error while setting firewall configuration for vsanvp
  • In the hostd.log file (located at /var/log/hostd.log), you see entries similar to:

    vim.profile.host.ProfileManager.applyHostConfiguration: vim.fault.HostConfigFailed:
    --> Result:
    --> (vim.fault.HostConfigFailed) {
    --> dynamicType = <unset>,
    --> faultCause = (vmodl.MethodFault) null,
    --> failure = (vmodl.MethodFault) [
    --> (vmodl.MethodFault) {
    --> dynamicType = <unset>,
    --> faultCause = (vmodl.MethodFault) null,
    --> faultMessage = (vmodl.LocalizableMessage) [
    --> (vmodl.LocalizableMessage) {
    --> dynamicType = <unset>,
    --> key = "com.vmware.vim.profile.applyHostConfigError.Firewall.UpdateRuleError",
    --> arg = (vmodl.KeyAnyValue) [
    --> (vmodl.KeyAnyValue) {
    --> dynamicType = <unset>,
    --> key = "rulesetId",
    --> value = "vsanvp",
    --> }
    --> ],
    --> message = "Error while setting firewall configuration for vsanvp",
  • Disabling the vsanvp firewall ruleset from the vSphere Client or vSphere Web Client reports this error:

    Call "HostFirewallSystem.DisableRuleset" for object "firewallSystem-27" on vCenter Server "<VC_FQDN>" failed.


Environment

VMware vSphere ESXi 5.5
VMware vSphere ESXi 6.0

Cause

This issue occurs when the vsanvp entry in the service.xml file (located at /etc/vmware/firewall/service.xml) has its required tag set to true. A ruleset marked required is kept enabled regardless of the state of the service it belongs to, so any attempt to disable it, whether from a host profile or through the HostFirewallSystem API, is rejected. For example:

<service id='0035'>
  <id>vsanvp</id>
  <rule id='0000'>
    <direction>inbound</direction>
    <protocol>tcp</protocol>
    <port type='dst'>8080</port>
    <flags>-m state --state NEW</flags>
  </rule>
  <rule id='0001'>
    <direction>outbound</direction>
    <protocol>tcp</protocol>
    <port type='dst'>8080</port>
  </rule>
  <enabled>true</enabled>
  <required>true</required>
</service>

Note: The ruleset is marked required so that, when the vSAN Vendor Provider (vsanvp) service times out, the port stays open and existing vSAN connections are kept alive.
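The following Python script is added here as an example; it is not part of VMware's tooling or of this article. It parses a service.xml in the format shown above, lists the rulesets whose required flag is true, and checks a desired firewall state (what the firewall section of a host profile would try to apply) for rulesets that the host can never disable. The sample XML is constructed for the example: the ConfigRoot element name, the sshClient entry, the desired-state dictionary, and the fallback to SERVICE_XML_PATH are assumptions; only the vsanvp entry mirrors the article.

```python
# Added example (not VMware code): find ESXi firewall rulesets marked
# <required>true</required> and flag any that a host profile would try to
# disable. Runs offline against a constructed service.xml fragment, or
# against the real file when that path exists on the host.
import os
import xml.etree.ElementTree as ET

SERVICE_XML_PATH = "/etc/vmware/firewall/service.xml"  # assumed fallback path

# Constructed sample: root element name and the sshClient entry are assumptions,
# the vsanvp entry mirrors the article.
SAMPLE_SERVICE_XML = """<ConfigRoot>
  <service id='0001'>
    <id>sshClient</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <port type='dst'>22</port>
    </rule>
    <enabled>false</enabled>
    <required>false</required>
  </service>
  <service id='0035'>
    <id>vsanvp</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <port type='dst'>8080</port>
      <flags>-m state --state NEW</flags>
    </rule>
    <rule id='0001'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <port type='dst'>8080</port>
    </rule>
    <enabled>true</enabled>
    <required>true</required>
  </service>
</ConfigRoot>
"""


def _flag(element, tag):
    """Read a <tag>true|false</tag> child; a missing tag counts as false."""
    text = element.findtext(tag)
    return text is not None and text.strip().lower() == "true"


def parse_rulesets(xml_text):
    """Map ruleset id -> {"enabled", "required", "rules"} from service.xml text."""
    root = ET.fromstring(xml_text)
    rulesets = {}
    for svc in root.iter("service"):
        rid = svc.findtext("id")
        if rid is None:
            continue
        rules = []
        for rule in svc.findall("rule"):
            port = rule.find("port")
            rules.append({
                "direction": rule.findtext("direction"),
                "protocol": rule.findtext("protocol"),
                "port": port.text if port is not None else None,
            })
        rulesets[rid.strip()] = {
            "enabled": _flag(svc, "enabled"),
            "required": _flag(svc, "required"),
            "rules": rules,
        }
    return rulesets


def required_rulesets(xml_text):
    """Ruleset ids that cannot be disabled (required == true)."""
    return sorted(rid for rid, r in parse_rulesets(xml_text).items() if r["required"])


def disable_conflicts(xml_text, desired_state):
    """desired_state is {ruleset_id: enabled_bool}, e.g. a host profile's
    firewall section. Returns the ids the profile wants disabled but the host
    marks required; each would yield
    'Error while setting firewall configuration for <id>' on apply."""
    rulesets = parse_rulesets(xml_text)
    return sorted(
        rid for rid, enabled in desired_state.items()
        if not enabled and rid in rulesets and rulesets[rid]["required"]
    )


def load_service_xml(path=SERVICE_XML_PATH):
    """Use the real file when present (on an ESXi host), else the sample."""
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    return SAMPLE_SERVICE_XML


if __name__ == "__main__":
    xml_text = load_service_xml()
    print("required rulesets:", required_rulesets(xml_text))
    wanted = {"sshClient": False, "vsanvp": False}  # assumed desired state
    for rid in disable_conflicts(xml_text, wanted):
        print("host profile cannot disable required ruleset:", rid)
```

Run against the constructed sample, the script reports vsanvp as the only required ruleset and as the only conflict for a profile that wants both sshClient and vsanvp disabled; run on a host, it reads the live service.xml instead, which is a quick way to confirm which rulesets a profile must leave enabled before applying it.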

Resolution

This behavior is by design.

The firewall ruleset for the vSAN Vendor Provider (vsanvp) is marked as required (<required>true</required>). As a result, the ruleset cannot be disabled, and a host profile that attempts to disable it fails when applied. Keeping the ruleset enabled ensures that, when the service times out, the port remains open and existing connections stay alive.


Additional Information