VCH Deployment Fails with Firewall Validation Error
When you use vic-machine create to deploy a virtual container host (VCH), deployment fails because firewall port 2377 is not open on the target ESXi host or hosts.
Problem
Deployment fails with a firewall error during the validation phase:
Firewall must permit dst 2377/tcp outbound to the VCH management interface
Cause
ESXi hosts communicate with the VCHs through port 2377 via Serial Over LAN. For deployment of a VCH to succeed, port 2377 must be open for outgoing connections on all ESXi hosts before you run vic-machine create. Opening port 2377 for outgoing connections on ESXi hosts opens port 2377 for inbound connections on the VCHs.
Solution
Set a firewall ruleset on the ESXi host or hosts. In test environments, you can disable the firewall on the hosts.
Set a Firewall Ruleset Manually
In production environments, if you are deploying to a standalone ESXi host, set a firewall ruleset on that ESXi host. If you are deploying to a cluster, set the firewall ruleset on all of the ESXi hosts in the cluster.
IMPORTANT: Firewall rulesets that you set manually are not persistent. If you reboot the ESXi hosts, any firewall rules that you set are lost. You must recreate firewall rules each time you reboot a host.
- Use SSH to log in to each ESXi host as root user.
- Follow the instructions in VMware KB 2008226 to add the following rule after the last rule in the file /etc/vmware/firewall/service.xml.

  <service id='id_number'>
    <id>vicoutgoing</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <port type='dst'>2377</port>
    </rule>
    <enabled>true</enabled>
    <required>true</required>
  </service>

In this example, id_number is the number of the preceding ruleset in service.xml, incremented by 1.
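The following script is an added example, not part of this page or of the vSphere Integrated Containers project. It automates the manual step above: it reads a service.xml, picks the next free service id by taking the highest existing id and incrementing it (which is the "preceding ruleset plus 1" rule when the new service is appended last), inserts the vicoutgoing ruleset immediately before the closing ConfigRoot element, and refuses to add the ruleset twice. It assumes only the BusyBox tools present in the ESXi shell (sh, sed, awk, grep, mktemp). The refresh_and_verify function uses the real esxcli commands "network firewall refresh" and "network firewall ruleset list --ruleset-id"; it is skipped when esxcli is absent so the script can also be exercised offline. The write_sample_service_xml function creates a constructed two-service file for that offline use; the sshServer and sshClient entries in it are illustrative, not copied from a host.

```shell
#!/bin/sh
# Added example (not VMware's code): add the vicoutgoing ruleset to an ESXi
# firewall service.xml. Rulesets added this way are not persistent; the script
# must be run again after every host reboot, as the page notes.

# Print the next free service id: the highest existing <service id='NNNN'>
# plus one, zero-padded to four digits as in service.xml.
next_service_id() {
    max=$(sed -n "s/.*<service id=['\"]\([0-9][0-9]*\)['\"].*/\1/p" "$1" \
          | sed 's/^0*//' | sort -n | tail -n 1)
    printf '%04d\n' $(( ${max:-0} + 1 ))
}

# Insert the vicoutgoing ruleset (dst 2377/tcp outbound) before </ConfigRoot>.
# Idempotent: a second run leaves the file unchanged.
add_vic_ruleset() {
    file="$1"
    if grep -q '<id>vicoutgoing</id>' "$file"; then
        echo "vicoutgoing ruleset already present in $file"
        return 0
    fi
    grep -q '</ConfigRoot>' "$file" || { echo "no </ConfigRoot> in $file" >&2; return 1; }
    id=$(next_service_id "$file")
    tmp="$file.tmp.$$"
    # q carries a literal single quote so the awk program can emit id='NNNN'.
    awk -v id="$id" -v q="'" '
        /<\/ConfigRoot>/ {
            print "  <service id=" q id q ">"
            print "    <id>vicoutgoing</id>"
            print "    <rule id=" q "0000" q ">"
            print "      <direction>outbound</direction>"
            print "      <protocol>tcp</protocol>"
            print "      <port type=" q "dst" q ">2377</port>"
            print "    </rule>"
            print "    <enabled>true</enabled>"
            print "    <required>true</required>"
            print "  </service>"
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# On a real ESXi host: load the edited file and show the new ruleset.
# Skipped where esxcli is not available (for example when testing offline).
refresh_and_verify() {
    command -v esxcli >/dev/null 2>&1 || { echo "esxcli not found; skipping refresh" >&2; return 0; }
    esxcli network firewall refresh
    esxcli network firewall ruleset list --ruleset-id vicoutgoing
}

# Constructed sample service.xml for offline runs (two existing services).
write_sample_service_xml() {
    cat > "$1" <<'EOF'
<ConfigRoot>
  <service id='0000'>
    <id>sshServer</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <port type='dst'>22</port>
    </rule>
    <enabled>true</enabled>
    <required>true</required>
  </service>
  <service id='0001'>
    <id>sshClient</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <port type='dst'>22</port>
    </rule>
    <enabled>false</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
}

main() {
    case "$1" in
        --apply) add_vic_ruleset "${2:-/etc/vmware/firewall/service.xml}" && refresh_and_verify ;;
        --demo)  f=$(mktemp); write_sample_service_xml "$f"; add_vic_ruleset "$f"; cat "$f"; rm -f "$f" ;;
        *) echo "usage: $0 --apply [service.xml] | --demo" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as root on each ESXi host with "--apply" (the default path is /etc/vmware/firewall/service.xml) and it prints the loaded vicoutgoing ruleset from esxcli as confirmation; "--demo" shows the edit on the constructed sample file without touching the host. Because the edit lives only in the running host's configuration, the same run is needed after every reboot, on every host in the cluster.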
Disable the Firewall
In test environments, you can disable the firewalls on the ESXi hosts instead of opening port 2377.
- Use SSH to log in to each ESXi host as root user. Run the following command:

  $ esxcli network firewall set --enabled false