VMware Cloud Community
Joey_M
Contributor

Ports between Virtual Center and ESX hosts, Hosts being listed as disconnected after a few minutes.

I have a firewall between my ESX hosts and my Virtual Center Manager. I opened the ports below from the documentation file for ESX3i. I can add the new ESX hosts and configure them for a few minutes, but then they are marked as not responding. If I remove and re-add them I get the same result. Does anyone know what monitoring port I am missing?

| Port | Purpose | Traffic type |
|---|---|---|
| 80 | HTTP access. The default non-secure TCP Web port typically used in conjunction with port 443 as a front end for access to ESX Server 3i networks from the Web. Port 80 redirects traffic to an HTTPS landing page (port 443) from which you launch your virtual machine console. WS-Management uses port 80. | Incoming TCP |
| 427 | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers. | Incoming and outgoing UDP |
| 443 | HTTPS access. The default SSL Web port. Use port 443 for: VI Client access to the VirtualCenter Server; direct VI Client access to ESX Server 3i hosts; WS-Management; VMware Update Manager; VMware Converter. | Incoming TCP |
| 902 | Authentication traffic and remote console traffic. Use port 902 for: VirtualCenter Server access to ESX Server 3i hosts (VirtualCenter Server sends UDP messages from ESX Server 3i hosts on port 902); ESX Server 3i host access to other ESX Server 3i hosts for migration and provisioning (ESX Server 3i sends UDP messages to VirtualCenter Server on port 902); VI Client access to virtual machine consoles. | Incoming and outgoing TCP, outgoing UDP |
| 2049 | Transactions from your NFS storage devices. This port is used on the VMkernel interface. | Incoming and outgoing TCP |
| 2050-2250 | Traffic between ESX Server 3i hosts for VMware High Availability (HA) and EMC Autostart Manager. These ports are managed by the VMkernel interface. | Outgoing TCP, incoming and outgoing UDP |
| 3260 | Transactions from your iSCSI storage devices. This port is used on the VMkernel interface. | Outgoing TCP |
| 5900-5906 | RFB protocol, which is used by management tools such as VNC. | Incoming and outgoing TCP |
| 5988 | CIM XML transactions over HTTPS. | Incoming and outgoing TCP |
| 5989 | CIM XML transactions over HTTP. | Incoming and outgoing TCP |
| 8000 | Incoming requests from VMotion. | Incoming and outgoing TCP |
| 8042-8045 | Traffic between ESX Server 3i hosts for HA and EMC Autostart Manager. | Outgoing TCP, incoming and outgoing UDP |
| 27000 | License transactions from ESX Server 3i to the license server (lmgrd.exe). | Outgoing TCP |
| 27010 | License transactions from ESX Server 3i to the license server (vmwarelm.exe). | Outgoing TCP |

IB_IT
Expert

That looks pretty good to me...so these are all the ports you have opened on your ESX firewall? The behavior you are describing certainly sounds like there is a port being blocked somewhere. Have you confirmed with your Networking team that 902 tcp and udp are open on their firewall?

mike_laspina
Champion

Hello,

You have too many ports open.

VIC to VC requires 443 and 902,

Admin PC to ESX host requires 22 and 80 and 443

ESX host to VC requires 902, 27000-27010

ESX host to host will vary but the minimum 2050-2250 for HA

and you really should not have any iSCSI or NFS going over the firewall if possible, those nets need to be isolated.

Have a look at the /var/log/vmware/vpx/vpxa.log file to see if there are some errors

Use netstat -n to see what's connected at the host

It looks like you have a DNS issue; add static entries to the /etc/hosts file for all involved systems or set up secured DNS services.

http://blog.laspina.ca/ vExpert 2009
azn2kew
Champion

I would first double-check the ports Mike has mentioned above, especially 902, 443, 27000-27010 and 2050, and test with telnet to see if you can get through any of these ports at all. To validate whether you have a firewall issue, have your security team disable all firewalls between ESX hosts and VC and your PC (wide open) for temporary troubleshooting. If it works, then check your firewall rules. If problems persist, then check your networking piece; most likely it's a DNS problem. You can try to add the host by IP, or put entries for all ESX hosts/VC servers in the /etc/hosts file, something like this:

172.190.10.x esx01.domain.com esx01

Can you check the logs and events for any particular messages and google them? That should lead you in the right direction.

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

Regards,

Stefan Nguyen

iGeek Systems LLC.

VMware, Citrix, Microsoft Consultant

mchoma
Contributor

Hi,

I don't know your network, but you should have 902 UDP open from the ESX hosts to VC (vpxheartbeat); without this port HA does not work. You should also open traffic for ICMP echo from the ESX hosts to the IP gateway in the same network island.

MC

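As an added example (not part of this thread, and not VMware tooling), here is a small Python checker that applies the advice from the replies above: Mike's "ESX host to VC requires 902, 27000-27010", MC's note about the 902 UDP heartbeat, and Stefan's /etc/hosts suggestion. It reads a `netstat -n` capture taken on the ESX host and an /etc/hosts file and reports which of the required connections are missing. The capture, the hosts file, the 172.190.10.x addresses and the host names are constructed placeholders, and the sample is built to show the symptom from the first post: the TCP sessions are up but no heartbeat socket towards the VC is visible.

```python
import re

# Sample 'netstat -n' output as captured on the ESX service console.
# Constructed for this example, not a real capture; addresses are placeholders
# in the 172.190.10.x range used earlier in the thread. Note what is absent: no
# UDP socket towards the VC on 902, i.e. the vpxa heartbeat the thread is about.
NETSTAT_SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 172.190.10.11:902       172.190.10.5:49732      ESTABLISHED
tcp        0      0 172.190.10.11:443       172.190.10.5:49733      ESTABLISHED
tcp        0      0 172.190.10.11:55012     172.190.10.5:27000      ESTABLISHED
tcp        0      0 172.190.10.11:22        172.190.10.50:51022     ESTABLISHED
"""

# Sample /etc/hosts, also constructed; esx02 is deliberately missing.
HOSTS_SAMPLE = """\
127.0.0.1      localhost
172.190.10.5   vc01.domain.com vc01
172.190.10.11  esx01.domain.com esx01
"""

VC_IP = "172.190.10.5"        # placeholder: VirtualCenter server
LICENSE_IP = "172.190.10.5"   # placeholder: license server (often the VC box)
EXPECTED_HOSTS = {            # what every involved system should resolve to
    "vc01.domain.com": "172.190.10.5",
    "esx01.domain.com": "172.190.10.11",
    "esx02.domain.com": "172.190.10.12",
}

LICENSE_PORTS = range(27000, 27011)  # 27000-27010 as listed in the replies

NETSTAT_LINE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+):(?P<fport>\d+)\s*(?P<state>\S*)"
)


def parse_netstat(text):
    """Turn 'netstat -n' socket lines into dicts; header and other lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line.strip())
        if m:
            c = m.groupdict()
            c["lport"], c["fport"] = int(c["lport"]), int(c["fport"])
            conns.append(c)
    return conns


def audit_esx_host(conns, vc_ip, license_ip):
    """Map each connection the replies say an ESX host needs to True/False."""
    def seen(proto, pred):
        for c in conns:
            if not c["proto"].startswith(proto) or not pred(c):
                continue
            # TCP must be ESTABLISHED; UDP sockets carry no state in netstat.
            if proto == "udp" or c["state"] == "ESTABLISHED":
                return True
        return False

    return {
        "902/tcp from VC": seen("tcp", lambda c: c["lport"] == 902 and c["faddr"] == vc_ip),
        "27000-27010/tcp to license server": seen(
            "tcp", lambda c: c["faddr"] == license_ip and c["fport"] in LICENSE_PORTS),
        # A UDP heartbeat only shows a foreign address if the socket is connected,
        # so False here means "not visible" and must be confirmed at the firewall.
        "902/udp heartbeat to VC": seen("udp", lambda c: c["faddr"] == vc_ip and c["fport"] == 902),
    }


def missing(results):
    """Names of the checks that failed, in a stable order for reporting."""
    return sorted(name for name, ok in results.items() if not ok)


def parse_hosts(text):
    """name -> ip from an /etc/hosts file; comments and blank lines are ignored."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table[name.lower()] = fields[0]
    return table


def check_hosts(text, expected):
    """Hosts whose /etc/hosts entry is absent or points at the wrong address."""
    table = parse_hosts(text)
    return sorted(name for name, ip in expected.items() if table.get(name.lower()) != ip)


if __name__ == "__main__":
    results = audit_esx_host(parse_netstat(NETSTAT_SAMPLE), VC_IP, LICENSE_IP)
    for name, ok in results.items():
        print(f"{'OK     ' if ok else 'MISSING'} {name}")
    print("hosts file problems:", check_hosts(HOSTS_SAMPLE, EXPECTED_HOSTS))
```

Run it against a real capture by replacing the two sample strings with the contents of `netstat -n` and /etc/hosts from the host. A telnet test, as suggested above, only proves the TCP ports; the 902 UDP heartbeat has to be confirmed from the firewall logs or the vpxa.log, which is why the script reports it as a separate line rather than folding it into the TCP checks.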
ViennaAustria
Contributor

@mike.laspina

> ESX host to VC requires 902, 27000-27010

I have an ESXi server behind NAT. I opened/forwarded ports 443, 902, 903 and 27000-27010 to the machine. I can access it with VIC, but when I try to add it to VC, the progress bar for "Add Standalone Host" stops at 10% and an error message pops up:

Network copy failed for file.
C:\Programme\VMware\Infrastructure\VirtualCenter Server\upgrade\vpx-upgrade-eesx-1-linux-119598

Do you have any idea what went wrong?

Thank you!

Thomas
