Unable to add an IP address to a firewall ruleset via the vCenter UI.

Article ID: 425976

Products

VMware vSphere ESXi

Issue/Introduction

Adding an IP address to a firewall ruleset from the vCenter UI fails with the error: "Apply security profile failed! An error occurred during host configuration:. Operation failed, diagnostics report: Unable to complete Sysinfo operation. Please see the VMkernel log file for more details.: Already exists: VSI node (5006:)"

hostd.log:
-------------
YYYY-MM-DDTHH:MM:SS In(166) Hostd: [Originator@6876 sub=AdapterServer opID=esxcli-##-#### sid=5xxxxx2b user=root] AdapterServer caught exception; <<5#####2b-####-####-####-########b379, <TCP '127.0.0.1 : 83##'>, <TCP '127.0.0.1 : 37650'>>, ha-cli-handler-network-firewall-ruleset-allowedip, vim.EsxCLI.network.firewall.ruleset.allowedip.add, <vim.version.version9, internal, 5.5>, [N11HostdCommon18VmomiAdapterServer19ActivationResponderE:0x0000002a67298dd8]>, N5Vmomi18DynamicMethodFault9ExceptionE(Fault cause: vim.EsxCLI.CLIFault
YYYY-MM-DDTHH:MM:SS In(166) Hostd: --> )
YYYY-MM-DDTHH:MM:SS In(166) Hostd: --> [context]zKq7AVICAgAAAO6NbgELaG9zdGQAAOPBR2xpYnZtYWNvcmUuc28AAb/7IGxpYnZtb21pLnNvAAGDWA8C5GRhaG9zdGQAAouTrwK1lWIAHtMsAOD3LAA7SFIDUngAbGlicHRocmVhZC5zby4wAAQPMg9saWJjLnNvLjYA[/context]
YYYY-MM-DDTHH:MM:SS In(166) Hostd: [Originator@6876 sub=Solo.Vmomi opID=esxcli-##-#### sid=5#####2b user=root] Activation finished; <<5#####2b-####-####-####-########b379, <TCP '127.0.0.1 : 83##'>, <TCP '127.0.0.1 : 37650'>>, ha-cli-handler-network-firewall-ruleset-allowedip, vim.EsxCLI.network.firewall.ruleset.allowedip.add, <vim.version.version9, internal, 5.5>, [N11HostdCommon18VmomiAdapterServer19ActivationResponderE:0x000000######8dd8]>
YYYY-MM-DDTHH:MM:SS Db(167) Hostd: [Originator@6876 sub=Solo.Vmomi opID=esxcli-##-#### sid=5#####2b user=root] Arg ipaddress:
YYYY-MM-DDTHH:MM:SS Db(167) Hostd: --> "10.#.#.#"
YYYY-MM-DDTHH:MM:SS Db(167) Hostd: [Originator@6876 sub=Solo.Vmomi opID=esxcli-##-#### sid=5#####2b user=root] Arg rulesetid:
YYYY-MM-DDTHH:MM:SS Db(167) Hostd: --> "vSphereClient"
YYYY-MM-DDTHH:MM:SS In(166) Hostd: [Originator@6876 sub=Solo.Vmomi opID=esxcli-##-#### sid=5#####2b user=root] Throw vim.EsxCLI.CLIFault
YYYY-MM-DDTHH:MM:SS In(166) Hostd: [Originator@6876 sub=Solo.Vmomi opID=esxcli-##-#### sid=5#####2b user=root] Result:
YYYY-MM-DDTHH:MM:SS In(166) Hostd: --> (vim.EsxCLI.CLIFault) {
YYYY-MM-DDTHH:MM:SS In(166) Hostd: -->    errMsg = (string) [
YYYY-MM-DDTHH:MM:SS In(166) Hostd: -->       "Couldn't update allowed ip list when allowed-all flag is true."
YYYY-MM-DDTHH:MM:SS In(166) Hostd: -->    ],
YYYY-MM-DDTHH:MM:SS In(166) Hostd: -->    msg = "",
YYYY-MM-DDTHH:MM:SS In(166) Hostd: --> }
YYYY-MM-DDTHH:MM:SS Er(163) Hostd: [Originator@6876 sub=Hostsvc.FirewallSystemProvider opID=m1g4####-######-auto-1osm6-h5:######-d6-23-05ff sid=###### user=vpxuser:VSPHERE.LOCAL\Administrator] UpdateAllowedHosts: Failed to set allowed hosts for specfied ruleset: N6VmkCtl3Lib16SysinfoExceptionE(Unable to complete Sysinfo operation.  Please see the VMkernel log file for more details.: Already exists: VSI node (5006:) )
YYYY-MM-DDTHH:MM:SS In(166) Hostd: [Originator@6876 sub=Hostsvc.VmkVprobSource] VmkVprobSource::Post event: (vim.event.EventEx) {
YYYY-MM-DDTHH:MM:SS In(166) Hostd: -->    key = 42,
YYYY-MM-DDTHH:MM:SS In(166) Hostd: -->    chainId = #########,
YYYY-MM-DDTHH:MM:SS In(166) Hostd: -->    createdTime = "YYYY-MM-DDTHH:MM:SS",
YYYY-MM-DDTHH:MM:SS In(166) Hostd: -->    userName = "",
YYYY-MM-DDTHH:MM:SS In(166) Hostd: -->    host = (vim.event.HostEventArgument) {
YYYY-MM-DDTHH:MM:SS In(166) Hostd: -->       name = "<host_fqdn>",
YYYY-MM-DDTHH:MM:SS In(166) Hostd: -->       host = 'vim.HostSystem:ha-host'
YYYY-MM-DDTHH:MM:SS In(166) Hostd: -->    },
YYYY-MM-DDTHH:MM:SS In(166) Hostd: -->    eventTypeId = "esx.problem.net.firewall.config.failed",
YYYY-MM-DDTHH:MM:SS In(166) Hostd: -->    arguments = (vmodl.KeyAnyValue) [
YYYY-MM-DDTHH:MM:SS In(166) Hostd: -->       (vmodl.KeyAnyValue) {
YYYY-MM-DDTHH:MM:SS In(166) Hostd: -->          key = "1",
YYYY-MM-DDTHH:MM:SS In(166) Hostd: -->          value = "addIP4"
YYYY-MM-DDTHH:MM:SS In(166) Hostd: -->       },
YYYY-MM-DDTHH:MM:SS In(166) Hostd: -->       (vmodl.KeyAnyValue) {
YYYY-MM-DDTHH:MM:SS In(166) Hostd: -->          key = "2",
YYYY-MM-DDTHH:MM:SS In(166) Hostd: -->          value = "vSphereClient"
YYYY-MM-DDTHH:MM:SS In(166) Hostd: -->       }
YYYY-MM-DDTHH:MM:SS In(166) Hostd: -->    ],
YYYY-MM-DDTHH:MM:SS In(166) Hostd: -->    objectId = "ha-host",
YYYY-MM-DDTHH:MM:SS In(166) Hostd: -->    objectType = "vim.HostSystem",
YYYY-MM-DDTHH:MM:SS In(166) Hostd: --> }
YYYY-MM-DDTHH:MM:SS In(166) Hostd: [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 989773 : Firewall configuration operation 'addIP4' failed. The changes were not applied to rule set vSphereClient.
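The following is an added example, not part of the KB article: a small Python triage script that scans a hostd.log excerpt for the three messages shown above (the esxcli "allowed-all flag is true" fault, the UpdateAllowedHosts "Already exists: VSI node" failure, and the ha-eventmgr "Firewall configuration operation ... failed" event) and reports which rulesets are affected. The sample log lines are constructed for the example, and the `needs_reboot` heuristic is this example's own assumption based on the KB's workaround.

```python
import re

# Constructed hostd.log excerpt modelled on the KB's redacted log, not a real capture.
SAMPLE_HOSTD_LOG = """\
2024-01-01T00:00:00 Db(167) Hostd: [Originator@6876 sub=Solo.Vmomi opID=esxcli-1-1 sid=5a2b user=root] Arg rulesetid:
2024-01-01T00:00:00 Db(167) Hostd: --> "vSphereClient"
2024-01-01T00:00:00 In(166) Hostd: -->       "Couldn't update allowed ip list when allowed-all flag is true."
2024-01-01T00:00:05 Er(163) Hostd: [Originator@6876 sub=Hostsvc.FirewallSystemProvider opID=a1 sid=b2 user=vpxuser] UpdateAllowedHosts: Failed to set allowed hosts for specfied ruleset: N6VmkCtl3Lib16SysinfoExceptionE(Unable to complete Sysinfo operation.  Please see the VMkernel log file for more details.: Already exists: VSI node (5006:) )
2024-01-01T00:00:05 In(166) Hostd: [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 989773 : Firewall configuration operation 'addIP4' failed. The changes were not applied to rule set vSphereClient.
"""
ALLOWED_ALL_MSG = "Couldn't update allowed ip list when allowed-all flag is true."
VSI_EXISTS_MSG = "Already exists: VSI node"
ARG_VALUE_RE = re.compile(r'--> "(?P<value>[^"]*)"')
EVENT_RE = re.compile(r"Firewall configuration operation '(?P<op>\w+)' failed\. "
                      r"The changes were not applied to rule set (?P<ruleset>\S+)\.")


def triage_hostd(log_text):
    """Summarise firewall-ruleset failures found in a hostd.log excerpt."""
    failed = {}           # ruleset -> failed operations (e.g. addIP4)
    allowed_all = set()   # rulesets esxcli refused because allowed-all is true
    vsi_exists = False    # UpdateAllowedHosts hit 'Already exists: VSI node'
    current, pending = None, False   # rulesetid argument of the logged esxcli call
    for line in log_text.splitlines():
        if line.endswith("Arg rulesetid:"):
            pending = True            # the value follows on the next '-->' line
            continue
        if pending:
            m = ARG_VALUE_RE.search(line)
            current, pending = (m.group("value") if m else None), False
            continue
        if ALLOWED_ALL_MSG in line:
            allowed_all.add(current or "<unknown>")
        elif "UpdateAllowedHosts" in line and VSI_EXISTS_MSG in line:
            vsi_exists = True
        else:
            m = EVENT_RE.search(line)
            if m:
                failed.setdefault(m.group("ruleset"), []).append(m.group("op"))
    # Heuristic assumed by this example: a VSI-node 'Already exists' failure together
    # with failed firewall config events is the vsish/ConfigStore desync the KB
    # describes, whose only published workaround is a host reboot.
    return {
        "failed_rulesets": failed,
        "allowed_all_rulesets": sorted(allowed_all),
        "vsi_node_exists": vsi_exists,
        "needs_reboot": vsi_exists and bool(failed),
    }
```

Run it against a real hostd.log with `triage_hostd(open("/var/log/hostd.log").read())`; a non-empty `failed_rulesets` with `vsi_node_exists` set is the pattern this KB describes.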

Environment

ESXi 8.0

Cause

The issue is caused by a desynchronization between the kernel-level firewall state (visible through vsish) and the persistent ConfigStore database inside the FirewallRulesetImpl::SetAllowedIPList function: the two no longer agree on the ruleset's allowed-IP list, so the update is rejected.

Resolution

This issue is fixed in ESXi 9.0.

Workaround:
Reboot the host.