ESXi Firewall Rule configuration continuously updated on the hosts with "Operation 'enable' for rule set vsanmgmt-https-tunnel succeeded."

Article ID: 403567

Products

VMware vSAN
VMware vCenter Server 8.0

Issue/Introduction

The following events appear in the Hosts and Clusters view of the vCenter UI:

Firewall configuration has changed. Operation 'disable' for rule set vsanmgmt-https-tunnel succeeded.

Firewall configuration has changed. Operation 'enable' for rule set vsanmgmt-https-tunnel succeeded.

In the vCenter UI: Hosts and Clusters view > Select Cluster/ESXi > Monitor > Events

The same events are found in the vCenter logs in vCenter-extracted-logs/commands/journalctl_-b--[0-9].txt:

vpxd [] Event [4730183] [1-1] [vim.event.EventEx] [info] [] [xxx-xxx-comp_xxxx] [4730183] [Firewall configuration has changed. Operation 'enable' for rule set vsanmgmt-https-tunnel succeeded.]
vpxd [] Event [4730186] [1-1] [vim.event.EventEx] [info] [] [xxx-xxx-comp_xxxx] [4730186] [Firewall configuration has changed. Operation 'enable' for rule set vsanmgmt-https-tunnel succeeded.]
vpxd [] Event [4730189] [1-1] [vim.event.EventEx] [info] [] [xxx-xxx-comp_xxxx] [4730189] [Firewall configuration has changed. Operation 'enable' for rule set vsanmgmt-https-tunnel succeeded.]
vpxd [] Event [4730234] [1-1] [vim.event.EventEx] [info] [] [xxx-xxx-comp_xxxx] [4730234] [Firewall configuration has changed. Operation 'disable' for rule set vsanmgmt-https-tunnel succeeded.]
vpxd [] Event [4730237] [1-1] [vim.event.EventEx] [info] [] [xxx-xxx-comp_xxxx] [4730237] [Firewall configuration has changed. Operation 'disable' for rule set vsanmgmt-https-tunnel succeeded.]
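
To confirm this pattern in an extracted log bundle, the following added example (not part of the original article or any VMware tooling) counts these events per rule set and separates a rule set that toggles repeatedly from one-off firewall changes that deserve their own review. The threshold of two and the constructed `sshServer` sample line are assumptions made for illustration.

```python
import re
from collections import Counter

# Matches vpxd firewall-change events in the format quoted in this article.
EVENT_RE = re.compile(
    r"vpxd \[\] Event \[(?P<id>\d+)\].*?\[vim\.event\.EventEx\].*?"
    r"\[Firewall configuration has changed\. "
    r"Operation '(?P<op>enable|disable)' for rule set (?P<ruleset>\S+) succeeded\.\]"
)

def summarize(lines):
    """Count firewall-change events per (rule set, operation)."""
    counts = Counter()
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            counts[(m["ruleset"], m["op"])] += 1
    return counts

def classify(counts, min_each=2):
    """Split rule sets into 'flapping' (repeated enable AND disable) and 'other'.

    min_each is an assumed threshold, not a value from the article.
    """
    flapping, other = [], []
    for rs in sorted({rs for rs, _ in counts}):
        en, dis = counts[(rs, "enable")], counts[(rs, "disable")]
        target = flapping if en >= min_each and dis >= min_each else other
        target.append((rs, en, dis))
    return flapping, other

PREFIX = "vpxd [] Event [{0}] [1-1] [vim.event.EventEx] [info] [] [xxx-xxx-comp_xxxx] [{0}] "
MSG = "[Firewall configuration has changed. Operation '{1}' for rule set {2} succeeded.]"

# Sample input: the first five lines reproduce the article's log excerpt;
# the last line (sshServer, event 4730240) is constructed for contrast.
SAMPLE = [
    (PREFIX + MSG).format(eid, op, rs)
    for eid, op, rs in [
        (4730183, "enable", "vsanmgmt-https-tunnel"),
        (4730186, "enable", "vsanmgmt-https-tunnel"),
        (4730189, "enable", "vsanmgmt-https-tunnel"),
        (4730234, "disable", "vsanmgmt-https-tunnel"),
        (4730237, "disable", "vsanmgmt-https-tunnel"),
        (4730240, "enable", "sshServer"),
    ]
]

if __name__ == "__main__":
    flapping, other = classify(summarize(SAMPLE))
    print("flapping:", flapping)
    print("other firewall changes to review:", other)
```

Rule sets listed under "other" do not match the toggling behaviour this article describes and should not be dismissed as the same noise.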

Environment

  • VMware vCenter Server 7.x 
  • VMware vCenter Server 8.x

Cause

This issue happens if the service "vmware-vsan-health" (formerly vsan-health) is enabled on a vCenter where no vSAN cluster is enabled.

Resolution

The vSAN health service (formerly vsan-health) can be stopped on the vCenter by logging in as root on the CLI and running:

service-control --stop vmware-vsan-health

Note:

1. Ensure a full backup of the vCenter Server is taken before the activity.

2. A snapshot of the vCenter VM should be taken before the activity.

Additional Information

The service "vmware-vsan-health" defaults to starting automatically when vCenter is rebooted. If you do not want to stop the service manually every time the vCenter is rebooted, change the "vmware-vsan-health" service Startup Type from "Automatic" to "Manual". See the following KB to change the vCenter Server services startup type: https://knowledge.broadcom.com/external/article/390401/setting-vcenter-server-services-start-up.html