Host profile compliance fails with dynamic ruleset error due to SNMP
Article ID: 342811
Updated On:
Products
VMware vCenter Server
VMware vSphere ESXi
Issue/Introduction
Symptoms:
- When booting from autodeploy server, the ESXi host is non-compliant to host profile.
- You see the error:
Ruleset dynamicruleset not found.
- The compliance error appears even after checking the firewall ruleset list. The ESXi host shows dynamicruleset as true.
- When checking the compliance on a Host Profile, you see the error:
dynamicruleset not found
- Running the esxcli network firewall ruleset list command on the ESXi host does not list dynamicruleset.
Environment
VMware vSphere ESXi 6.5
VMware vSphere ESXi 6.0
VMware vSphere ESXi 5.5
VMware vSphere ESXi 5.0
Cause
This issue occurs if the hostd is not aware of the dynamic rule when auto-deploy attempts to check host compliance after applying the host profile. As a result, the compliance check fails if the host profile contains the dynamic rule set.
Resolution
This is a known issue affecting vCenter Server 5.5 through 6.5.
Currently, there is no resolution.
To workaround this issue:
- Disable and enable SNMP on the host to restore the dynamicruleset firewall ruleset.
- Connect to the affected host using SSH and root credentials. For more information, see Using ESXi Shell in ESXi 5.x and 6.0 (2004746).
- Run this command to disable SNMP:
esxcli system snmp set -e 0 - Run this command to enable SNMP:
esxcli system snmp set -e 1 - Apply the Host Profile and check compliance.
- Connect to the affected host using SSH and root credentials. For more information, see Using ESXi Shell in ESXi 5.x and 6.0 (2004746).
- Manually check and apply the host profile again to refresh the firewall. This will clear the compliance error.
- Reset the firewall on ESXi host using these commands:
- esxcli network firewall set --enabled false
- esxcli network firewall set --enabled true
Feedback
Yes
No
Powered by
