VMware Cloud Community
Whibble
Contributor

ESXi 7.0.3 - Blocking Port Traffic Even With Firewall Disabled?

I have two ESXi hosts on their own VLAN. I have a Windows Active Directory Domain Controller on another VLAN. I'm trying to join the ESXi hosts to the domain but got the 'Errors in Active Directory operations' error and figured out that the TCP port traffic on ports 88, 123, 135, 137, 139, 389, 445, 464, and 3268 are not getting through. Ports 80 and 443 work just fine.

Here's what I have tried and discovered:

I access the host via its web interface. I go to networking, then firewall rules. The 'Active Directory All' listing is set to allow all IP addresses and is active. Yet, when I log on to my domain controller and use 'Test-NetConnection [ESXi host IP] -port 135', it fails. I log in to the shell for the ESXi host and use the command 'nc -v -n [DC IP] 135' and it also fails. Doing the same nc command, but with port 80 instead, succeeds. I have tried completely turning off the firewall for the ESXi host, using the commands 'esxcli network firewall set --enabled=false' and 'esxcli network firewall set --default-action=true' but this did not solve the issue. I still cannot get port 135 (or other ports listed above) traffic to or from this ESXi host. I have also tried sending and receiving the TCP port traffic to/from an admin workstation on the same VLAN as the ESXi host, and it still didn't work.

My domain controller has its firewall completely open on all those above listed ports. It can successfully get TCP traffic over those ports to every other machine on the network. I have a Windows Server 2016 that is on the same VLAN as my ESXi hosts, and it can communicate with my domain controller over port 135. DNS resolution between the ESXi host and my domain controller works just fine.

What could my issue be? I don't think it's related to the network, as every other machine on every VLAN can communicate just fine. I don't think it's the ESXi firewall, since I completely disabled it and the issue persisted. Is there somewhere else within the ESXi configuration that could be stopping me from being able to communicate to my domain controller over ports 135, 137, 139, 389, etc?

6 Replies
Sachchidanand
Expert

I think there is another ticket for the same issue. Please don't open a duplicate ticket for the same issue.

https://communities.vmware.com/t5/VMware-vCenter-Discussions/ESXi-Host-Firewall-Ports/m-p/2972400#M4...

Whibble
Contributor

That post had incorrect and outdated information and was also posted in the wrong subforum. I tried to delete it and move it here instead, but I do not have the option to delete my original post. Regardless, I've since copied and pasted the info from this new and up-to-date post into the old one in case anyone is reading my post over there. If a forum moderator wants to delete the other post, feel free.

Lalegre
Virtuoso

@Whibble,

What about a firewall in the middle between the servers blocking the traffic, do you have one?

Whibble
Contributor

We do not - the switch that everything is connected to is set to permit-all. I'm not the networking guy, but the DC (which is on a VLAN, we'll call VLAN 1) cannot send port 135 traffic to my ESXi host, which is on what we'll call VLAN 2.

However, I have two other systems on VLAN 2 that can receive port 135 traffic just fine.

Lalegre
Virtuoso

@Whibble,

Actually, the port connection should be the other way around, from the ESXi to the DC. What happens for example if you run the following from the ESXi:

nc -z <DC-ip> 389

Zickebua
Contributor

Hello

I have the same issue. Did you find the problem?
