Recovery Procedure When Management Access is Disabled Due to ESXi Firewall Configuration Changes



Article ID: 432513


Products

VMware vSphere ESXi

Issue/Introduction

This knowledge base article explains the recovery procedure to follow when you accidentally change the ESXi firewall configuration and can no longer reach the ESXi host over the network from the Host Client, SSH, etc.

Environment

VMware ESXi

Resolution

If access via the network is blocked due to the ESXi firewall configuration, directly operate the ESXi Shell from the physical console or remote console to lift the restriction.

  1. Log in to the ESXi Shell

    1. From the console screen of the ESXi host, press the F2 key, enter the root user password, and log in to the System Customization menu.

    2. Select Enable ESXi Shell under Troubleshooting Options to enable the ESXi Shell.

      Note: When enabled, the menu display updates to Disable ESXi Shell.

    3. After enabling the ESXi Shell, press the ESC key multiple times to log out of the System Customization menu and return to the initial screen.

    4. Then press the Alt + F1 keys to switch the console screen, and at the displayed login: prompt enter root and the root password again to log in to the ESXi Shell.

  2. Checking restricted rulesets

    Display the list of IP addresses permitted by the current firewall, and check if the service you want to access (such as vSphereClient or sshServer) is restricted to specific IP addresses instead of the default All.

    esxcli network firewall ruleset allowedip list | more

    Note: If the Allowed IP Addresses column in the output result shows specific IP addresses, access is permitted only from those IPs.

  3. Lifting restrictions on a specific ruleset

    For the specific ruleset name (e.g., vSphereClient or sshServer) you want to restore access to, change the flag to allow access from all IP addresses.

    esxcli network firewall ruleset set --ruleset-id=<Ruleset Name> --allowed-all true

    Example: When lifting the restriction for vSphereClient

    esxcli network firewall ruleset set --ruleset-id=vSphereClient --allowed-all true

    After setting, run the following command again and confirm that the Allowed IP Addresses entry for that ruleset has changed to All.

    esxcli network firewall ruleset allowedip list | more

  4. Access verification

    Confirm that you can normally access the target ESXi host from a browser (https://<ESXi_IP>/ui) or an SSH client on the management terminal.
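    The following POSIX shell script is an added example, not part of this KB and not a VMware tool. It covers steps 2 and 3: it parses the listing produced by esxcli network firewall ruleset allowedip list, reports every ruleset whose Allowed IP Addresses entry is not All, and prints the esxcli command that would lift that restriction. The listing it parses is a constructed sample embedded in the script, and the column spacing of that sample is an assumption; on a real host you would pipe the live listing into restricted_rulesets instead.

```shell
#!/bin/sh
# Added example (not from the KB). Parses the output of
#   esxcli network firewall ruleset allowedip list
# and reports rulesets restricted to specific IP addresses.

# Constructed sample of the listing. Column widths are assumed; the
# real output on your host may differ in spacing but has the same columns.
SAMPLE_LISTING='Ruleset        Allowed IP Addresses
-------------  --------------------
sshServer      All
vSphereClient  192.168.10.5, 192.168.10.6
webAccess      All
ntpClient      10.0.0.0/8'

# Read listing text from stdin and print the name of every ruleset whose
# Allowed IP Addresses column is anything other than "All".
restricted_rulesets() {
    while IFS= read -r line; do
        # Skip the header, the dashed separator and blank lines.
        case "$line" in
            Ruleset*|---*|'') continue ;;
        esac
        # First field is the ruleset id; everything after it is the IP column.
        set -- $line
        name=$1
        shift
        allowed="$*"
        [ "$allowed" = "All" ] || printf '%s\n' "$name"
    done
}

# Return success if the named ruleset is restricted in the listing on stdin.
is_restricted() {
    restricted_rulesets | grep -qx -- "$1"
}

# Print (do not run) the step 3 command that restores access for one ruleset.
recovery_command() {
    printf 'esxcli network firewall ruleset set --ruleset-id=%s --allowed-all true\n' "$1"
}

# Stand-alone run against the constructed sample: list the restricted
# rulesets and the command that would lift each restriction.
main() {
    printf '%s\n' "$SAMPLE_LISTING" | restricted_rulesets | while IFS= read -r rs; do
        recovery_command "$rs"
    done
}
main
```

    The script only prints the recovery commands; run the printed command from the ESXi Shell for the ruleset you actually need (vSphereClient or sshServer in this KB). Setting --allowed-all true removes the address restriction entirely, so if the restriction was intended and merely omitted the management workstation, re-add the correct addresses with the allowedip add subcommand before restricting the ruleset again; that follow-up is outside the steps of this KB.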

Additional Information

Recovery Procedure When Management Access is Disabled Due to ESXi Firewall Configuration Changes (Japanese version, 432515)