vCenter Server access gets blocked after creating a Deny All rule in NSX Distributed Firewall (DFW) (2079620)

As soon as a cluster is prepared (NSX home > Installation > Host Preparation), the Distributed Firewall (DFW) is enforced on every virtual machine in that cluster. In this case the Management cluster was prepared, so the vCenter Server virtual machine received its own DFW instance, and a Deny All rule created afterwards blocks access to vCenter Server.

Note: By default, only NSX components (NSX manager and NSX controllers) are automatically added to the DFW exclusion list and not the vCenter Server virtual machine.

To resolve the issue, use one of these options:

  • Roll back the DFW to its default firewall rule set.

    You can use the NSX Manager REST API to revert to the default firewall rule set. Because the NSX Manager is an NSX appliance, it is automatically excluded from the DFW and remains reachable even after the default rule has been changed. Use a REST client such as the Firefox RESTClient add-on (https://addons.mozilla.org/en-US/firefox/addon/restclient) or cURL, and submit a DELETE request to:

    https://$nsxmgr/api/4.0/firewall/globalroot-0/config

  • Remove the firewall rules from the vCenter Server virtual machine.

To remove the firewall rules from the vCenter Server virtual machine:

  1. Connect to the ESXi host in which the vCenter Server virtual machine is running using SSH.
  2. Run one of these commands to determine the filter name that is protecting the vCenter Server virtual machine:

    summarize-dvfilter
    vsipioctl getfilters

    The filter name starts with nic-, for example nic-12345-eth0-vmware-sfw.2.
  3. Run this command to get the rule set of the firewall:

    vsipioctl getrules -f filter-name

    There must be two rule sets, such as:

    • domain-c7
    • domain-c7_L2

    Remove the first rule set, such as domain-c7.
  4. Run this command to clear the rule set:

    vsipioctl vsipfwcli -f filter-name -c "create ruleset ruleset-name"

    Here ruleset-name is the first rule set identified in step 3 (domain-c7 in this example).

  5. Run this command again to verify the rule set of the firewall:

    vsipioctl getrules -f filter-name

    Note: The first rule set must be empty without any rules.
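The removal procedure above, scripted as an added example (this is not code from the KB article or from VMware): shell helpers that parse summarize-dvfilter and vsipioctl getrules output so a script on the ESXi host can locate the vCenter VM's filter, clear its first rule set and verify that it is empty. The sample outputs, the VM name vcenter01 and the clear_vm_ruleset wrapper are constructed assumptions, not captures from a real host.

```shell
# Added example (not from the KB): parse summarize-dvfilter and `vsipioctl getrules`
# output so steps 2 to 5 can be scripted. Sample outputs are constructed approximations.

# Constructed sample of `summarize-dvfilter` (two VMs; vcenter01 is the vCenter VM).
DVF_SAMPLE='world 100123 vmm0:vcenter01
 port 50331650 vcenter01.eth0
   name: nic-100123-eth0-vmware-sfw.2
   agentName: vmware-sfw
world 100456 vmm0:web01
 port 50331651 web01.eth0
   name: nic-100456-eth0-vmware-sfw.2
   agentName: vmware-sfw'

# Constructed sample of `vsipioctl getrules -f nic-100123-eth0-vmware-sfw.2`.
RULES_SAMPLE='ruleset domain-c7 {
  rule 1003 at 1 inout protocol any from any to any drop;
}
ruleset domain-c7_L2 {
  rule 1001 at 1 inout ethertype any from any to any accept;
}'

# Print the vmware-sfw filter name(s) of the VM whose "world" line mentions $2.
find_sfw_filter() {   # $1 = summarize-dvfilter text, $2 = VM name
  printf '%s\n' "$1" | awk -v vm="$2" '
    /^world /                            { inworld = (index($0, vm) > 0) }
    inworld && /name: nic-.*-vmware-sfw/ { print $2 }'
}

# Print the name of the first rule set (the L3 set, e.g. domain-c7).
first_ruleset() {     # $1 = vsipioctl getrules text
  printf '%s\n' "$1" | awk '/^ruleset / { print $2; exit }'
}

# Count the rules inside rule set $2; 0 means the set has been cleared.
rule_count() {        # $1 = vsipioctl getrules text, $2 = rule set name
  printf '%s\n' "$1" | awk -v rs="$2" '
    /^ruleset /             { cur = $2 }
    cur == rs && /^ *rule / { n++ }
    END                     { print n + 0 }'
}

# Hypothetical wrapper for the ESXi host: clear and verify the VM's first rule set.
clear_vm_ruleset() {  # usage: clear_vm_ruleset vcenter01
  f=$(find_sfw_filter "$(summarize-dvfilter)" "$1" | head -n 1)
  [ -n "$f" ] || { echo "no vmware-sfw filter found for $1" >&2; return 1; }
  rs=$(first_ruleset "$(vsipioctl getrules -f "$f")")
  vsipioctl vsipfwcli -f "$f" -c "create ruleset $rs"                # step 4
  [ "$(rule_count "$(vsipioctl getrules -f "$f")" "$rs")" -eq 0 ]    # step 5
}
```

The parsing helpers run anywhere for testing; clear_vm_ruleset needs the ESXi host's summarize-dvfilter and vsipioctl and returns non-zero if the first rule set still contains rules afterwards.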

To prevent this issue from recurring, add vCenter Server in the exclusion list.

  1. Log in to the vCenter Server using the vSphere Web Client.
  2. Navigate to Home > Networking & Security.
  3. Select the NSX Manager.
  4. In the Manage tab, click Exclusion List.
  5. Select the + icon to add the vCenter Server virtual machine.

About vPierre

Virtualization, cloud computing, orchestration and automation