ESXi went to "Not Responding" state when adding IP address in ESXI firewall ports via PowerCLI
Hi Expert,
ESXi went to the "Not Responding" state when we were adding IP addresses to the firewall ports via PowerCLI.
Explanation of what the script does:
The script is supposed to run on the server where PowerCLI has been installed. The script takes the vCenter details as input, fetches all the ESXi hosts available in the vCenter and executes on all of them. The script will modify the existing firewall for the ports mentioned below and restrict access to those ports from outside the networks defined. While executing, the script will ask for the IP as user input. The script will set the IP range from which the ports can be accessed. Here are the ESXi firewall ports that will have the access restriction after executing the script. Ports: 443, 22.
Issue:
Whenever we execute the script, it works as mentioned above. The only problem is that after adding the IP address to the specific ports, all the ESXi hosts went into the "Disconnected" state. This is not the expected state. It works as expected when we try it manually. Since all the ESXi hosts moved to the disconnected state, it causes a huge impact. We then have to log in to the iLO console of the ESXi host and reload the firewall. Only then does it start working again.
I am attaching the script below. Could anyone let me know what's wrong with the script? We think something is wrong in the VMware commands.
I am looking forward to hearing from you.
Please help me to fix this issue.
## Firewall rulesets are addressed by service name rather than port number:
## 'vSphereClient' covers TCP 443/902, 'sshServer' covers TCP 22.
$ports = @('vSphereClient','sshServer')
$fixed_SubNet = "63.145.62.0/24"

# Ask for the vCenter IP until a valid, reachable vCenter has been connected
while ($True)
{
    $vCenterIp = Read-Host " Enter vCenter IP "
    $status = [bool]($vCenterIp -as [ipaddress])
    if ($status)
    {
        while ($True)
        {
            Write-Host " Connecting with vCenter $vCenterIp " -ForegroundColor Yellow
            Write-Host " Please enter the user name and the password of the VC $vCenterIp " -BackgroundColor Green -ForegroundColor Black
            Connect-VIServer $vCenterIp -ErrorVariable er -ErrorAction SilentlyContinue
            if ($er -like "*Cannot complete login due to an incorrect user name or password*")
            {
                Write-Host " Invalid credentials given. $er" -BackgroundColor Red
            }
            elseif ($er)
            {
                Write-Host " Given vCenter IP not reachable: $er" -BackgroundColor Red
                break
            }
            else
            {
                Write-Host " Connected with vCenter $vCenterIp " -ForegroundColor Green
                break
            }
        }
        if (($er -like "*Could not determine user name and/or password for server*") -or ($er.Count -eq 0))
        {
            break
        }
    }
    else
    {
        Write-Host "`n$vCenterIp is not a valid IP address. Enter a valid IP address" -ForegroundColor Red
    }
}

# Subnets or IPs from which the restricted ports stay reachable
if ($er.Count -eq 0)
{
    function subnet()
    {
        # Collect the ranges in an array instead of a comma-joined string,
        # so no stray spaces end up in the values handed to esxcli
        $sub_net = @()
        while ($True)
        {
            $startip = Read-Host "Enter IP subnet range (example: 192.18.12.0/24) "
            $status = [bool]($startip.Split('/')[0] -as [ipaddress])
            if ($status)
            {
                $sub_net += $startip
                # $input is a PowerShell automatic variable, so the answer goes into $answer
                $answer = Read-Host "Do you want to add another subnet? (y/n)"
                if ($answer -eq 'n')
                {
                    break
                }
            }
            else
            {
                Write-Host "`n$startip is not a valid IP address. Enter a valid IP address" -ForegroundColor Red
            }
        }
        return $sub_net
    }
    $sub_nets = @(subnet)
    $sub_nets += $fixed_SubNet

    # Host firewall configuration, applied to every ESXi host in the vCenter inventory
    Get-VMHost -PipelineVariable esx |
    ForEach-Object -Process {
        $esxcli = Get-EsxCli -VMHost $esx -V2
        # To list the ruleset names in the form esxcli expects:
        #$ESXfw = (Get-EsxCli -VMHost $esx).network.firewall
        #$ESXfw.ruleset.list()
        foreach ($sub_net in $sub_nets)
        {
            foreach ($port in $ports)
            {
                Write-Host "Executing $sub_net for $port on host : " $esx.Name -ForegroundColor Yellow
                # Switch the ruleset from "allow all sources" to "allowed IPs only"
                $rule1 = @{
                    allowedall = $false
                    rulesetid  = $port
                }
                # Make sure the ruleset is enabled
                $rule = @{
                    enabled   = $true
                    rulesetid = $port
                }
                try
                {
                    $esxcli.network.firewall.ruleset.set.Invoke($rule1)
                }
                catch
                {
                    Write-Host "Could not set allowedall=false for $port on host " $esx.Name -ForegroundColor Red
                }
                try
                {
                    $error.Clear()
                    $ip = @{
                        rulesetid = $port
                        ipaddress = $sub_net
                    }
                    $esxcli.network.firewall.ruleset.allowedip.add.Invoke($ip)
                    $esxcli.network.firewall.ruleset.set.Invoke($rule)
                    Write-Host "Added $sub_net for $port on host " $esx.Name -ForegroundColor Green
                }
                catch
                {
                    # $_ is the ErrorRecord raised by the failing esxcli call
                    if (($_ -like "*Ip address already *") -or ($_ -like "*Already use allowed ip*") -or ($_ -like "*Already exists*"))
                    {
                        Write-Host "$sub_net IP range already exists. Skipping." -ForegroundColor Green
                    }
                    else
                    {
                        Write-Host "Error: $_" -ForegroundColor Red
                    }
                }
            }
        }
    }
}
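Reading the posted script, the order of the two esxcli calls is the likely trigger: allowedall is set to $false before any allowed IP exists, and vSphereClient is the ruleset carrying the TCP 443 traffic that vCenter itself uses to reach hostd, so a host stops answering vCenter in the gap between the two calls and the allowedip add that follows is likely to fail unless the vCenter address happens to be inside one of the entered ranges. The PowerShell below is an added example, not the poster's script or VMware-provided code: it adds the ranges first (including the vCenter address), reads the allow list back, and only then restricts. It assumes an open Connect-VIServer session made by IP; Restrict-Ruleset is a hypothetical helper name and AllowedIPAddresses is the property name assumed for esxcli's "Allowed IP Addresses" column.

```powershell
# Added example, not the poster's script: permit the ranges first, verify them,
# and only then switch the ruleset to allowed-IPs-only. Assumes an open
# Connect-VIServer session to the vCenter (opened by IP, as the original does).
$ports   = @('vSphereClient', 'sshServer')
$allowed = @('63.145.62.0/24')   # operator-supplied ranges (constructed sample)

# PowerCLI reaches each host THROUGH vCenter on TCP 443, which belongs to the
# vSphereClient ruleset, so vCenter's own address has to be in the allow list.
$vcAddress = $global:DefaultVIServer.Name   # the IP the session was opened with
if ($allowed -notcontains $vcAddress) { $allowed += $vcAddress }

# Hypothetical helper name; esxcli namespaces are the ones the poster's script uses.
function Restrict-Ruleset {
    param($EsxCli, [string]$RulesetId, [string[]]$Ranges)
    # Step 1: add every range while the ruleset still allows all sources
    foreach ($range in $Ranges) {
        try {
            $EsxCli.network.firewall.ruleset.allowedip.add.Invoke(
                @{ rulesetid = $RulesetId; ipaddress = $range })
        } catch {
            if ($_ -notlike "*already*") { throw }   # an existing entry is fine
        }
    }
    # Step 2: read the allow list back; AllowedIPAddresses is the V2 property
    # for esxcli's "Allowed IP Addresses" column (assumed name)
    $present = ($EsxCli.network.firewall.ruleset.allowedip.list.Invoke(
                    @{ rulesetid = $RulesetId })).AllowedIPAddresses
    foreach ($range in $Ranges) {
        if ($present -notcontains $range) {
            throw "$range missing from $RulesetId; allowedall left unchanged"
        }
    }
    # Step 3: only now restrict the ruleset, then make sure it is enabled
    $EsxCli.network.firewall.ruleset.set.Invoke(@{ rulesetid = $RulesetId; allowedall = $false })
    $EsxCli.network.firewall.ruleset.set.Invoke(@{ rulesetid = $RulesetId; enabled = $true })
}

foreach ($esx in Get-VMHost) {
    $esxcli = Get-EsxCli -VMHost $esx -V2
    foreach ($port in $ports) {
        try {
            Restrict-Ruleset -EsxCli $esxcli -RulesetId $port -Ranges $allowed
            Write-Host "$($esx.Name): $port restricted to $($allowed -join ', ')" -ForegroundColor Green
        } catch {
            Write-Host "$($esx.Name): $port left open: $_" -ForegroundColor Red
        }
    }
}
```

If the verification in step 2 fails, the ruleset is deliberately left at allowedall=true, so a host can never end up with an empty allow list and drop out of vCenter.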