Port requirements for salt-minion/salt-master

Article ID: 403589


Products

VMware Aria Suite, VMware SaltStack

Issue/Introduction

This document describes the port requirements for salt-minion and salt-master.

Salt-minion fails to authenticate with the Salt-master, leading to connectivity failures. The minion logs (/var/log/salt/minion) may show error messages such as:

salt-minion[33448]: [ERROR ] Error while bringing up minion for multi-master. Is master at salt-master.fqdn responding? The error message was: Unable to sign_in to master: Attempt to authenticate with the salt master failed with timeout error

This document outlines the necessary network port requirements between salt-minion and salt-master to ensure proper communication.

Environment

Salt-Config 8.17

Cause

The communication failure between the salt-minion and salt-master typically occurs when required network ports are not open or are being blocked by a firewall or security group.

Key Points:

  • Salt follows a minion-initiated communication model.

  • The salt-minion initiates all communication to the salt-master.

  • The salt-master does not initiate connections to the minion.

If the required ports (such as TCP 4505 and 4506) are not open for inbound communication to the salt-master, authentication and command execution will fail, resulting in timeouts and errors.

Resolution

The Salt master-to-minion communication model requires only inbound connections to the Salt master. Connections are always established from the minion, never from the master.
For detailed information on Salt port requirements, refer to the Salt Project documentation: https://docs.saltproject.io/salt/install-guide/en/latest/topics/before-you-start/check-network-ports.html

Suggested Changes

To resolve the issue:

  1. Ensure the following ports are open on the Salt-master:

    • TCP 4505 – Used for initial connection (publisher port)

    • TCP 4506 – Used for return communication and job management (request server port)

  2. Verify that no firewalls or security groups are blocking inbound traffic to these ports on the Salt-master.

  3. Confirm that the salt-master’s FQDN is resolvable and reachable from the salt-minion.

  4. Test connectivity from the minion using tools like telnet, nc, or curl to ensure the ports are reachable.

  5. If operating in a multi-master setup, ensure all masters are reachable and the same port rules apply to each master.
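
The checks in steps 3 to 5 can be scripted. The following is an added example, not part of the original article or of Salt itself: a Python script run on the minion that resolves each master and attempts a TCP connection to 4505 and 4506, separating DNS failures, refused connections and timeouts. The hostname `salt-master.example.internal` is a constructed placeholder; pass the real master FQDNs as arguments.

```python
#!/usr/bin/env python3
"""Check from a minion that each Salt master resolves and accepts TCP 4505/4506."""
import socket
import sys

# Ports named in this article, with the role each plays on the master.
SALT_PORTS = {4505: "publisher", 4506: "request server"}


def probe(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout', 'dns-failure' or 'error: ...'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns-failure"   # step 3: FQDN is not resolvable from the minion
    except ConnectionRefusedError:
        return "refused"       # host answered, but nothing is listening on the port
    except (socket.timeout, TimeoutError):
        return "timeout"       # packets dropped: typical of a firewall or security group
    except OSError as exc:
        return f"error: {exc.strerror or exc}"


def check_masters(masters, ports=SALT_PORTS, timeout=3.0):
    """Probe every port on every master; return {master: {port: status}}."""
    return {m: {p: probe(m, p, timeout) for p in ports} for m in masters}


def all_reachable(results):
    """True only if every port on every master (step 5) accepted a connection."""
    return all(s == "open" for ports in results.values() for s in ports.values())


if __name__ == "__main__":
    # Constructed placeholder hostname; pass the real master FQDNs as arguments.
    masters = sys.argv[1:] or ["salt-master.example.internal"]
    results = check_masters(masters)
    for master, ports in results.items():
        for port, status in ports.items():
            print(f"{master}:{port} ({SALT_PORTS[port]}): {status}")
    sys.exit(0 if all_reachable(results) else 1)
```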

For further details on port requirements and network architecture, refer to the official Salt Project documentation: Salt Network Port Requirements