"All hosts contributing stats" is failing for ESXi on ESA Cluster

Article ID: 374286


Products

VMware vSAN

Issue/Introduction

The vSAN health check "All hosts contributing stats" fails on ESA clusters.

Environment

VMware vSAN 8.0

Cause

  • Prior to vSAN 8.0 U2, the vSAN master host retrieves remote host stats over port 80. From vSAN 8.0 U2 onward, port 443 is used.

  • The ESXi host firewall is blocking port 443 (ruleset vSphereClient) for the vSAN network because the vSAN IPs are not populated in the ruleset's allowed IP list.

  • The output below shows that the vSAN vmkernel IPs are not in the vSphereClient allowed IP list.

[root@EX2:~] esxcli network firewall ruleset allowedip list
Ruleset                      Allowed IP Addresses
---------------------------  --------------------
sshServer                    All
updateManager                All
faultTolerance               All
webAccess                    All
vMotion                      All
vSphereClient                19#.16#.#.###, 19#.16#.#.###, 19#.16#.#.###, 19#.16#.#.###, 19#.16#.#.###  >>>>>>>>> Missing vSAN vmk IPs <<<<<

  • As a result, the vSAN master host cannot retrieve remote stats from the other hosts.

Resolution

Manually add the vSAN IPs to the vSphereClient allowed IP list. Run the command below once for each vSAN vmkernel IP.

esxcli network firewall ruleset allowedip add --ruleset-id=vSphereClient --ip-address=<vSAN vmkernel IP>

Check the allowed IP list again using the command below.

esxcli network firewall ruleset allowedip list

The output should look like the following.

[root@EX2:~] esxcli network firewall ruleset allowedip list
Ruleset                      Allowed IP Addresses
---------------------------  --------------------
sshServer                    All

webAccess                    All
vMotion                      All
vSphereClient                19#.16#.#.###, 19#.16#.#.###, 19#.16#.#.###, 19#.16#.#.###, 19#.16#.#.###, 10.2#.##.1, 10.2#.##.2, 10.2#.##.3
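
A check for the condition described above, as an added example that is not part of the original article: it parses the text of `esxcli network firewall ruleset allowedip list` and prints the add command for each vSAN vmkernel IP missing from the vSphereClient list. The sample listing and addresses are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Names are hypothetical; addresses are constructed.
# Constructed sample of `esxcli network firewall ruleset allowedip list` output.
SAMPLE_LISTING='Ruleset                      Allowed IP Addresses
---------------------------  --------------------
sshServer                    All
webAccess                    All
vMotion                      All
vSphereClient                192.0.2.11, 192.0.2.12, 198.51.100.1'

# allowed_ips RULESET: listing on stdin -> that ruleset's entries, one per line.
allowed_ips() {
    awk -v name="$1" '$1 == name {
        sub(/^[^ \t]+[ \t]+/, "")   # drop the ruleset column
        sub(/[ \t]+$/, "")          # drop trailing blanks
        gsub(/,[ \t]*/, "\n")       # one entry per line
        print
    }'
}

# missing_ips RULESET IP...: listing on stdin -> the IPs that are not allowed.
# "All" admits every address. Entries are compared literally, so a CIDR range
# in the list is not expanded. Returns 2 if the ruleset is not in the listing.
missing_ips() {
    rs=$1; shift
    allowed=$(allowed_ips "$rs")
    [ -n "$allowed" ] || { echo "ruleset $rs not found" >&2; return 2; }
    for ip in "$@"; do
        # -F -x: fixed-string, whole-line match, so 192.0.2.1 != 192.0.2.11
        printf '%s\n' "$allowed" | grep -Fxq -e All -e "$ip" || printf '%s\n' "$ip"
    done
}

# fix_commands RULESET IP...: print (not run) one add command per missing IP.
fix_commands() {
    rs=$1
    missing_ips "$@" | while read -r ip; do
        echo "esxcli network firewall ruleset allowedip add --ruleset-id=$rs --ip-address=$ip"
    done
}

# Demo on the constructed listing; on a host, pipe the real command output in.
printf '%s\n' "$SAMPLE_LISTING" |
    fix_commands vSphereClient 192.0.2.11 203.0.113.21 203.0.113.22
```

The commands are only printed, so they can be reviewed before being run on each host.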



Additional Information

By default, the IPs of all hosts in one cluster are in the allow list.