The error "vSphere HA agent could not open the firewall ports" occurs when configuring vSphere HA

Article ID: 416898

Products

VMware vSphere ESXi
VMware vCenter Server

Issue/Introduction

  • The following vSphere HA agent error occurs when enabling vSphere HA or adding an ESXi host to a vSphere HA cluster:

    vSphere HA agent could not open the firewall ports

  • The hostd.log of ESXi displays the following entries.

    YYYY-MM-DDTHH:MM:SS.###Z info hostd[#######] [Originator@6876 sub=Vimsvc.TaskManager opID=clusterElection.cpp:####-########-#### user=vpxuser] Task Completed : haTask-ha-host-vim.host.FirewallSystem.enableRuleset-######### Status error
    YYYY-MM-DDTHH:MM:SS.###Z info hostd[#######] [Originator@6876 sub=Solo.Vmomi opID=clusterElection.cpp:####-########-#### user=vpxuser] Activation [N5Vmomi10ActivationE:0x000000########] : Invoke done [enableRuleset] on [vim.host.FirewallSystem:firewallSystem]
    YYYY-MM-DDTHH:MM:SS.###Z verbose hostd[#######] [Originator@6876 sub=Solo.Vmomi opID=clusterElection.cpp:####-########-#### user=vpxuser] Arg id:
    --> "fdm"
    YYYY-MM-DDTHH:MM:SS.###Z info hostd[#######] [Originator@6876 sub=Solo.Vmomi opID=clusterElection.cpp:####-########-#### user=vpxuser] Throw vim.fault.NotFound
    YYYY-MM-DDTHH:MM:SS.###Z info hostd[#######] [Originator@6876 sub=Solo.Vmomi opID=clusterElection.cpp:####-########-#### user=vpxuser] Result:
    --> (vim.fault.NotFound) {
    -->    msg = "",
    --> }

  • The fdm.log of ESXi displays the following entries.

    YYYY-MM-DDTHH:MM:SS.###Z error fdm[########] [Originator@6876 sub=HalCnx opID=clusterElection.cpp:####-########] Error enabling firewall ruleset: N3Vim5Fault8NotFound9ExceptionE(Fault cause: vim.fault.NotFound
    --> )

Environment

VMware vCenter Server 7.0
VMware vCenter Server 8.0

Cause

If the "fdm" ruleset is not added to the ESXi host firewall rules, vSphere HA configuration may fail.

Resolution

As a workaround, refresh the ESXi firewall.

  1. SSH to the target ESXi host and log in as the root user.

  2. Run the following command to verify whether "fdm" is included in the ruleset list:

    esxcli network firewall ruleset list | grep fdm

  3. Run the following command to refresh the firewall:

    esxcli network firewall refresh

  4. Run the following command again to verify if "fdm" is included:

    esxcli network firewall ruleset list | grep fdm

  5. Disable and then re-enable vSphere HA on the cluster to which the target ESXi host belongs.
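
The check, refresh and re-check from steps 2 to 4 as one script (an added example, not code from the original article). It matches the ruleset name exactly instead of using grep, so a ruleset whose name merely contains "fdm" is not counted. It assumes Name and Enabled are the first two columns of the list output; the `ESXCLI` variable and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify the "fdm" firewall ruleset, refresh if it is missing, verify again.
# ESXCLI can be overridden (assumption, for off-host testing); on an ESXi host it is esxcli.
ESXCLI="${ESXCLI:-esxcli}"

# Read `esxcli network firewall ruleset list` output on stdin and print
# "enabled", "disabled" or "missing" for the ruleset named in $1.
# Assumes column 1 is the ruleset name and column 2 is true/false.
ruleset_state() {
    awk -v name="$1" '
        $1 == name { print ($2 == "true" ? "enabled" : "disabled"); found = 1; exit }
        END { if (!found) print "missing" }
    '
}

# Step 2 / step 4: current state of the fdm ruleset on this host.
current_fdm_state() {
    "$ESXCLI" network firewall ruleset list | ruleset_state fdm
}

# Steps 2-4 combined. Returns 0 when the ruleset exists (before or after the
# refresh), 1 when it is still missing, 2 when the refresh command itself fails.
# A "disabled" ruleset counts as present: the failure in the logs is NotFound,
# raised when enableRuleset is invoked for a ruleset that does not exist.
ensure_fdm_ruleset() {
    before=$(current_fdm_state)
    echo "fdm ruleset before refresh: $before"
    if [ "$before" != "missing" ]; then
        return 0
    fi

    # Step 3: reload the firewall configuration.
    "$ESXCLI" network firewall refresh || return 2

    after=$(current_fdm_state)
    echo "fdm ruleset after refresh: $after"
    [ "$after" != "missing" ]
}

# Run the workflow only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    ensure_fdm_ruleset
fi
```

Run it with `--run` on the host; an exit status of 1 means the ruleset is still absent after the refresh, so step 5 would hit the same error.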