I have a firewall between my ESX hosts and my Virtual Center Manager. I opened the ports below from the documentation file for ESX3i. I can add the new ESX hosts and configure them for a few minutes, but then they are marked as not responding. If I remove and re-add them I get the same result. Does anyone know what monitoring port I am missing?
Port | Description | Direction
80 | HTTP access. The default non-secure TCP Web port typically used in conjunction with port 443 as a front end for access to ESX Server 3i networks from the Web. Port 80 redirects traffic to an HTTPS landing page (port 443) from which you launch your virtual machine console. WS-Management uses port 80. | Incoming TCP
427 | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers. | Incoming and outgoing UDP
443 | HTTPS access. The default SSL Web port. Use port 443 for the following: VI Client access to the VirtualCenter Server; direct VI Client access to ESX Server 3i hosts; WS-Management; VMware Update Manager; VMware Converter. | Incoming TCP
902 | Authentication traffic and remote console traffic. Use port 902 for the following: VirtualCenter Server access to ESX Server 3i hosts (VirtualCenter Server sends UDP messages from ESX Server 3i hosts on port 902); ESX Server 3i host access to other ESX Server 3i hosts for migration and provisioning (ESX Server 3i sends UDP messages to VirtualCenter Server on port 902); VI Client access to virtual machine consoles. | Incoming and outgoing TCP, outgoing UDP
2049 | Transactions from your NFS storage devices. This port is used on the VMkernel interface. | Incoming and outgoing TCP
2050-2250 | Traffic between ESX Server 3i hosts for VMware High Availability (HA) and EMC Autostart Manager. These ports are managed by the VMkernel interface. | Outgoing TCP, incoming and outgoing UDP
3260 | Transactions from your iSCSI storage devices. This port is used on the VMkernel interface. | Outgoing TCP
5900-5906 | RFB protocol, which is used by management tools such as VNC. | Incoming and outgoing TCP
5988 | CIM XML transactions over HTTPS. | Incoming and outgoing TCP
5989 | CIM XML transactions over HTTP. | Incoming and outgoing TCP
8000 | Incoming requests from VMotion. | Incoming and outgoing TCP
8042-8045 | Traffic between ESX Server 3i hosts for HA and EMC Autostart Manager. | Outgoing TCP, incoming and outgoing UDP
27000 | License transactions from ESX Server 3i to the license server (lmgrd.exe). | Outgoing TCP
27010 | License transactions from ESX Server 3i to the license server (vmwarelm.exe). | Outgoing TCP
That looks pretty good to me...so these are all the ports you have opened on your ESX firewall? The behavior you are describing certainly sounds like there is a port being blocked somewhere. Have you confirmed with your Networking team that 902 tcp and udp are open on their firewall?
For your viewing pleasure:
Hello,
You have too many ports open.
VIC to VC requires 443 and 902,
Admin PC to ESX host requires 22 and 80 and 443
ESX host to VC requires 902, 27000-27010
ESX host to host will vary but the minimum 2050-2250 for HA
and you really should not have any iSCSI or NFS going over the firewall if possible, those nets need to be isolated.
Have a look at the /var/log/vmware/vpx/vpxa.log file to see if there are some errors
Use netstat -n to see what's connected at the host
It looks like you have a DNS issue; add static entries to the /etc/hosts file for all involved systems or set up secured DNS services.
I would first double check the ports Mike has mentioned above, especially 902, 443, 27000-27010 and 2050, and test with telnet to see if you can get through any of these ports at all. To validate whether you have a firewall issue, have your security team disable all firewalls between the ESX hosts, VC and your PC (wide open) temporarily for troubleshooting. If it works, then check your firewall rules. If problems still exist, then check your networking piece; most likely it's a DNS problem. You can try to add the host by IP, or put entries for all ESX hosts/VC servers in the /etc/hosts file, something like this:
172.190.10.x esx01.domain.com esx01
Can you check the logs and events for any particular messages and google them? That should lead you in the right direction.
If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!
Regards,
Stefan Nguyen
iGeek Systems LLC.
VMware, Citrix, Microsoft Consultant
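As an added example (not from any poster in this thread), a small shell script that does the telnet-style check suggested above for the port sets named in the replies: it expands ranges such as 27000-27010, attempts a TCP connect to each port with a short timeout, and reports which ones are blocked. The host names esx01.domain.com and vc01.domain.com are assumptions; it needs bash and coreutils timeout on the machine it runs from.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Probes the TCP ports the replies call
# out (VC<->ESX 443/902, license 27000-27010, HA 2050-2250). Host names and
# the port specs below are assumptions. A TCP connect test cannot verify
# the UDP 902 heartbeat; check that separately on the firewall.

# Expand a spec like "443 902 27000-27010" into one port per line.
expand_ports() {
  tok=""; lo=""; hi=""; p=""
  for tok in $1; do
    case "$tok" in
      *-*) lo=${tok%-*}; hi=${tok#*-}; p=$lo
           while [ "$p" -le "$hi" ]; do echo "$p"; p=$((p+1)); done ;;
      *)   echo "$tok" ;;
    esac
  done
}

# Return 0 if a TCP connect to host:port completes within $3 seconds.
# Uses bash's /dev/tcp so it works where telnet or nc are not installed.
check_tcp() {
  timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Probe every port in a spec; print one line per port, return the count
# of blocked ports (0 means everything in the spec was reachable).
probe_host() {
  host=$1; blocked=0
  for p in $(expand_ports "$2"); do
    if check_tcp "$host" "$p"; then
      echo "OPEN    $host:$p"
    else
      echo "BLOCKED $host:$p"; blocked=$((blocked+1))
    fi
  done
  return $blocked
}

if [ "${1:-}" = "--run" ]; then
  # From the admin PC / VirtualCenter server toward an ESX host.
  probe_host esx01.domain.com "22 80 443 902"
  # From an ESX host toward the VirtualCenter / license server.
  probe_host vc01.domain.com "902 27000-27010"
fi
```

Run it from each side of the firewall in turn (VC toward ESX, ESX toward VC), since the table above lists different directions for different ports.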
Hi,
I don't know your network, but you should have 902 UDP open from the ESX hosts to VC (vpxheartbeat); without this port HA does not work, and you should open traffic for ICMP echo from the ESX hosts to the IP gateway in the same network island.
MC
@mike.laspina
> ESX host to VC requires 902, 27000-27010
I have an ESXi server behind NAT. I opened/forwarded ports 443, 902, 903 and 27000-27010 to the machine. I can access it with VIC, but when I try to add it to VC, the progress bar for "Add Standalone Host" stops at 10% and an error message pops up:
Network copy failed for file.
C:\Programme\VMware\Infrastructure\VirtualCenter Server\upgrade\vpx-upgrade-eesx-1-linux-119598
Do you have any idea, what went wrong?
Thank you!
Thomas