Unable to add IP addresses to ESXi firewall incoming rule
Article ID: 438888

Products

VMware vSphere ESXi

Issue/Introduction

  • When attempting to add IP addresses to the allowed list for ESXi firewall incoming rules (e.g., vpxd on port 443 or authServer on port 902), the operation fails with the error message below, indicating a configuration conflict:
  • "Unable to save the firewall rule set" when specific IPs are included in the list.

Environment

VMware vSphere ESXi

Cause

The ESXi firewall management logic does not allow the addition of an IP address or range that is already explicitly defined within the same rule's "Allowed IP Addresses" list.

Resolution

To resolve this issue, verify the existing IP configuration before attempting to add new entries:

  1. Log in to the VMware Host Client or vCenter Server.

  2. Navigate to the ESXi host > Configure > System > Firewall.

  3. Locate the specific rule (e.g., vpxd or authServer).

  4. Click Edit and review the Allowed IP Addresses section.

  5. Cross-reference the list of IPs you intend to add with the list of IPs already configured.

  6. Remove any duplicate IPs from your new list and proceed with the addition of only unique IP addresses.

  7. Click OK to save the configuration.

Alternatively, from the ESXi command line:

  1. List the allowed IPs for the rule to identify duplicates: esxcli network firewall ruleset allowedip list -r <ruleset_name>

  2. Only add IPs not present in the output: esxcli network firewall ruleset allowedip add -i <IP_ADDRESS> -r <ruleset_name>
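The two command-line steps above, combined into one script as an added example (not part of the KB article): it parses the output of the allowedip list command, drops candidates that are already configured, and only then calls allowedip add. It assumes the default tabular output of the list command has the ruleset name in the first column followed by a comma-separated IP list; the sample output embedded below is constructed, not captured from a host.

```shell
#!/bin/sh
# Added example, not from the KB article: add entries to an ESXi firewall
# ruleset's allowed-IP list while skipping entries that are already present,
# since a duplicate entry is what triggers the "Unable to save" error.
# Assumption: `esxcli network firewall ruleset allowedip list -r <ruleset>`
# prints a header row, a separator row, then "<ruleset>  <ip>, <ip>, ...".

# Constructed sample of that output (not captured from a real host).
SAMPLE_LIST_OUTPUT='Ruleset  Allowed IP Addresses
-------  --------------------
vpxd     192.168.10.5, 10.0.0.0/8'

# Read list output on stdin; print the existing allowed entries one per line.
parse_allowed_ips() {
    # skip header and separator rows, drop the ruleset column, split on commas
    awk 'NR > 2 { $1 = ""; print }' | tr ',' '\n' | tr -d ' ' | grep -v '^$'
}

# $1 = existing entries (newline-separated); $2 = candidates (space-separated).
# Prints only the candidates that are not already configured (exact match,
# so "10.0.0.0/8" and "10.0.0.0/16" are treated as distinct entries).
filter_new_ips() {
    for ip in $2; do
        if ! printf '%s\n' "$1" | grep -qxF -- "$ip"; then
            printf '%s\n' "$ip"
        fi
    done
}

# Wrapper for a live host: list, filter, then add only the missing entries.
# Usage: add_missing_ips vpxd 192.168.10.5 192.168.10.6
add_missing_ips() {
    ruleset="$1"; shift
    existing=$(esxcli network firewall ruleset allowedip list -r "$ruleset" \
               | parse_allowed_ips)
    for ip in $(filter_new_ips "$existing" "$*"); do
        esxcli network firewall ruleset allowedip add -i "$ip" -r "$ruleset"
    done
}
```

Run it as `add_missing_ips <ruleset_name> <IP_ADDRESS> ...` on the host; with the sample above, requesting 192.168.10.5, 192.168.10.6 and 10.0.0.0/8 results in a single add call for 192.168.10.6.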

Additional Information

Configuring the ESXi Firewall