Firewall Rules Blocking VMware vSphere Update Manager Communication Leading to ESXi Upgrade Failures
Article ID: 379774
Products
VMware vSphere ESXi
VMware vCenter Server
Issue/Introduction
Customers experience issues upgrading ESXi hosts when attempting to enable or install High Availability (HA) components on a cluster.
Symptoms include the message "Host Status is Unknown. The host could not be reached and its image compliance could not be checked."
HA component installation failures occur with error messages such as "The setting is invalid for cluster DMZ" and "Installing HA components failed on the cluster: domain-<id>."
Environment
vSphere 7.x
Cause
The firewall rules for the VMware vSphere Update Manager were incorrectly configured, blocking communication between ESXi hosts and the Update Manager.
This led to download failures of required VIBs and unsuccessful completion of HA configuration.
Resolution
Ensure that the firewall ruleset for the Update Manager is enabled.
Verify that traffic from ESXi hosts can reach the Update Manager without being blocked by the firewall.
Re-attempt to enable High Availability (HA) on the cluster after ensuring proper communication between ESXi hosts and the Update Manager.
Steps:
Open the firewall ruleset on ESXi:
Navigate to the "Hosts & Clusters" view in the vCenter Server Web Client.
Select the ESXi Host in question.
In the Security Profile tab, ensure that the "vCenter Update Manager" rules are enabled in the Outgoing Ports.
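The same ruleset check can be made from the ESXi shell. The script below is an added example, not part of the original article: it reads the output of `esxcli network firewall ruleset list` and reports whether the Update Manager ruleset is enabled. It assumes the "vCenter Update Manager" rules correspond to the ruleset id `updateManager` (confirm the id in your own listing); the sample listing is constructed and is used only when `esxcli` is not present.

```shell
#!/bin/sh
# Added example: report the state of the Update Manager firewall ruleset.
# Assumption: the UI label "vCenter Update Manager" maps to ruleset id
# "updateManager"; override with RULESET=<id> if your listing differs.
RULESET="${RULESET:-updateManager}"

# Constructed sample of `esxcli network firewall ruleset list` output,
# used only when esxcli is not available (for example, off-host).
sample_listing() {
cat <<'EOF'
Name                         Enabled
---------------------------  -------
sshServer                    true
updateManager                false
vpxHeartbeats                true
EOF
}

# ruleset_state NAME: read a listing on stdin, print true, false or missing.
ruleset_state() {
    awk -v name="$1" '
        $1 == name { print $2; found = 1; exit }
        END { if (!found) print "missing" }'
}

# check_ruleset NAME: return 0 if enabled, 1 if disabled, 2 if not listed.
check_ruleset() {
    state=$(ruleset_state "$1")
    case "$state" in
        true)  echo "OK: ruleset $1 is enabled"; return 0 ;;
        false) echo "BLOCKED: ruleset $1 is disabled"; return 1 ;;
        *)     echo "UNKNOWN: ruleset $1 not found in listing"; return 2 ;;
    esac
}

if command -v esxcli >/dev/null 2>&1; then
    listing=$(esxcli network firewall ruleset list)
else
    listing=$(sample_listing)
fi

# Print the remediation command instead of applying it, so the change
# stays a deliberate operator action.
printf '%s\n' "$listing" | check_ruleset "$RULESET" ||
    echo "To enable: esxcli network firewall ruleset set --ruleset-id=$RULESET --enabled=true"
```

After enabling the ruleset, re-run the script on the host to confirm the state before re-attempting the HA configuration.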