ESXi host shows multiple active connections to itself using loopback address 127.0.0.1
search cancel

ESXi host shows multiple active connections to itself using loopback address 127.0.0.1

book

Article ID: 426868

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

  • You observe many TCP packets being sent by 127.0.0.1 to itself.
  • Some security scans may identify this behavior as a possible Land Attack.
  • When running the following command: "esxcli network ip connection list | grep 127.0.0.1", you see multiple connections from 127.0.0.1 (TCP) to multiple ports and services.
    E.g:

    tcp         0       0  127.0.0.1:8307                    127.0.0.1:37733                 ESTABLISHED    264447  newreno  hostd-IO
tcp         0       0  127.0.0.1:37733                   127.0.0.1:8307                  ESTABLISHED    263463  newreno  rhttpproxy-work
tcp         0       0  127.0.0.1:80                      127.0.0.1:29303                 ESTABLISHED    263466  newreno  rhttpproxy-IO

Environment

VMware vSphere ESXi

Cause

This is expected behavior.
ESXi uses the localhost (127.0.0.1) for internal communication between management agents.
Services like hostd, vpxa, and rhttpproxy use these connections to exchange data and manage the host's resources.

Resolution

This is a condition that may occur in a VMware vSphere ESXi environment.

Powered by Wolken Software