VMware Cloud Community
JPM300
Commander

Strange SSH behavior after 5.5 upgrade

Hello all,

Recently we upgraded our environment from 5.0 to 5.5 and everything went successfully.  However, today I was trying to SSH into the host and noticed that enabling SSH wasn't working.  It would enable the service but I wasn't able to putty into the host.  While looking at the configuration screen I noticed that when I enabled SSH it wasn't adding the SSH Server firewall rule (essentially opening incoming port 22).  I went and enabled the SSH firewall rule through the vCenter GUI and I was able to putty in; however, in the past whenever I enabled the SSH service on a host it automatically opened the firewall rule.  To make sure I wasn't remembering things wrong I went back to my 5.0 lab and enabled SSH on a host, and it did indeed add the firewall rules for me when I enabled the SSH service on a host.  Has this changed in 5.5u1a? Do you now manually have to enable the service and enable the firewall rule?

Also, I noticed that when I tried to disable the firewall rule via the vSphere Client GUI it gave me the following error:

Call "HostFirewallSystem.DisableRuleset" for object "FirewallSystem-21" on vCenter Server "vCenterServerName" failed.

I found a KB article referencing this problem for 5.1 (VMware KB: Disabling secure shell services on an ESXi host using the vSphere Client fails with the e...) but it doesn't mention 5.5; also, the KB article states that even though SSH is disabled people can still SSH in.  This is not the case with me.  If we disable the SSH service we are unable to SSH into the ESXi host; however, it would appear we are unable to remove the firewall rule for the SSH Server.  With that in mind, is it okay to leave the firewall rule enabled on the host and just disable SSH as per the norm on the ESXi hosts and just leave it at that?

Any help would be greatly appreciated.

Thanks again,

7 Replies
JPM300
Commander

anyone else notice this or experience this?

JPM300
Commander

anything?

anyone?

JPM300
Commander

??

brianmac64
Contributor

Bueller?   Sorry, I had to; don't be mad.  As far as this issue goes, just building a 5.5 to replace our current 5.1 environment, and will report back what I find.

Cheers

JPM300
Commander

lol sounds good.

Let me know if you find the same thing.  I'm pretty sure I can still turn off the firewall rule from the CLI but this is kind of annoying to do EVERY time.

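An added example, not from this thread or from VMware, of doing the check described above from PowerCLI instead of the vSphere Client: it walks every host in a vCenter, flags the state the thread describes (SSH service stopped but the "SSH Server" firewall exception still enabled), and with -Remediate asks the API to disable the exception. The vCenter name is a placeholder, and the same DisableRuleset call the GUI makes may still fail on affected hosts, so failures are reported per host rather than aborting the run.

```powershell
# Audit ESXi hosts for a stopped SSH service with the sshServer ruleset left open.
# Assumes PowerCLI is installed; 'vcenter.example.com' is a placeholder.
param(
    [string]$Server = 'vcenter.example.com',   # placeholder: your vCenter Server
    [switch]$Remediate                         # disable stray rulesets via the API
)

Connect-VIServer -Server $Server | Out-Null

$report = foreach ($vmhost in Get-VMHost) {
    # TSM-SSH is the key of the ESXi SSH service; "SSH Server" is the label of
    # the sshServer firewall ruleset (inbound TCP 22).
    $svc  = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }
    $rule = Get-VMHostFirewallException -VMHost $vmhost -Name 'SSH Server'

    if ((-not $svc.Running) -and $rule.Enabled -and $Remediate) {
        try {
            # This issues the same HostFirewallSystem.DisableRuleset call the
            # vSphere Client does, so it can fail the same way on affected hosts.
            Set-VMHostFirewallException -Exception $rule -Enabled:$false -Confirm:$false | Out-Null
            # Re-read so the report shows the post-remediation state.
            $rule = Get-VMHostFirewallException -VMHost $vmhost -Name 'SSH Server'
        } catch {
            Write-Warning "$($vmhost.Name): DisableRuleset failed: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Host            = $vmhost.Name
        Version         = $vmhost.Version
        SshRunning      = $svc.Running
        FirewallEnabled = $rule.Enabled
        # True when port 22 is open on the firewall but nothing is listening.
        Mismatch        = (-not $svc.Running) -and $rule.Enabled
    }
}

$report | Sort-Object Mismatch -Descending | Format-Table -AutoSize
Disconnect-VIServer -Server $Server -Confirm:$false
```

Run it without -Remediate first to see which hosts report Mismatch = True; a host where the service is stopped and the API call fails still has no listener on port 22, which matches the thread's observation that SSH logins are refused even though the rule cannot be removed.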
Scissor
Virtuoso

I ran into this same behavior after upgrading a host from 5.0 -> 6.0.  So you are not alone.

beefy147
Enthusiast

also experienced upgrading from 5.0 to 6.0

we normally have the SSH server (firewall) running on all hosts but disabled in the DMZ as part of hardening

turned on SSH firewall and service to troubleshoot something post 6.0 upgrade from 5.0 today and can't turn the firewall rule off now!

nice
