VMware ESXi 6.0 Secure Copy

I needed to migrate a VM from one ESXi server to another the other day. I figured the best way to do this would be to SCP the VM from the datastore on ESX1 to the datastore on ESX2, and then just register the copied VM in its new home on ESX2’s datastore. This’ll be easy! I SSHed into ESX1 and pointed the VM’s directory towards its new location on ESX2:

scp -r /vmfs/volumes/datastore1/ANSIBLE-SERVER/ root@ESX2:/vmfs/volumes/datastore1/ANSIBLE-SERVER/

ssh: connect to host ESX2 port 22: Connection timed out

Really? Connection timed out? I know I can SSH into both ESXi servers, so it’s not an issue with the SSH service. What then? I remote into the other server and reverse the command to see where that gets me:

scp -r root@ESX1:/vmfs/volumes/datastore1/ANSIBLE-SERVER/ /vmfs/volumes/datastore1/ANSIBLE-SERVER/

ssh: connect to host ESX1 port 22: Connection timed out

Well, at least it’s consistent. What’s left to try? I decide to try this again, this time with the other node being a plain old Debian server.

scp -r /vmfs/volumes/datastore1/ANSIBLE-SERVER/ root@DEBIAN:/media/STORAGE/

ssh: connect to host DEBIAN port 22: Connection timed out

Alright, I KNOW I’ve SCPed files into this Debian server before. I try SCPing a file from the Debian server to the ESXi host…

touch testfile.txt
scp testfile.txt root@ESX2:/vmfs/volumes/datastore1

testfile.txt 100% 0 0.0KB/s 00:00

Success! So far we have observed the following:

  • an ESXi host cannot send a file to another ESXi host
  • an ESXi host cannot send a file to the Debian server (that is known to be able to receive files)
  • an ESXi host CAN receive files from the Debian server

From which we can conclude:

  • the ESXi hosts can receive files
  • the ESXi hosts cannot send files

What is it then? ESXi’s firewall! It apparently blocks outbound SSH traffic by default, so any attempt to SCP or SSH *from* the host is dropped by its own firewall, while inbound SSH (the “sshServer” ruleset) keeps working. VMware even provides a ruleset that defines outbound TCP traffic on port 22, called “sshClient”, so in order to allow outbound SSH we just have to run the following command:

esxcli network firewall ruleset set --enabled true --ruleset-id=sshClient

This should work on any ESXi version that’s 5.x or 6.x (earlier versions have a different firewall system).
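The one-liner above opens outbound port 22 to every destination and leaves it open. As an added example (not from the original post), the script below checks the current state of the sshClient ruleset by parsing `esxcli network firewall ruleset list` output, enables the ruleset only for the one destination host the copy is going to, and closes it again afterwards. The sample listing is constructed and its column layout is assumed to match what ESXi 5.x/6.x prints; the `--allowed-all` and `allowedip add`/`remove` options are the standard esxcli firewall ruleset subcommands, and the destination address `192.0.2.20` is a placeholder.

```shell
#!/bin/sh
# Added example: scope the sshClient ruleset to a single destination for the
# duration of an scp copy, instead of opening outbound SSH to everything.

# Constructed sample of `esxcli network firewall ruleset list` output
# (assumed layout: name in column 1, enabled flag in column 2).
SAMPLE_RULESET_LIST='Name                 Enabled
-------------------  -------
sshServer               true
sshClient              false
nfsClient               true'

# ruleset_enabled NAME LISTING
#   Prints "true" or "false" for NAME as found in LISTING.
#   Exit status 0 if the ruleset was found, 2 if it is not in the listing.
ruleset_enabled() {
  name=$1
  listing=$2
  printf '%s\n' "$listing" | awk -v n="$name" '
    $1 == n { print tolower($2); found = 1 }
    END     { exit found ? 0 : 2 }'
}

# enable_ssh_client_for DEST_IP
#   Enable outbound SSH (sshClient) but only towards DEST_IP.
#   Runs real esxcli commands, so it only does something on an ESXi host.
enable_ssh_client_for() {
  dest=$1
  esxcli network firewall ruleset set --ruleset-id sshClient --allowed-all false
  esxcli network firewall ruleset allowedip add --ruleset-id sshClient --ip-address "$dest"
  esxcli network firewall ruleset set --ruleset-id sshClient --enabled true
}

# disable_ssh_client DEST_IP
#   Undo enable_ssh_client_for once the copy is finished.
disable_ssh_client() {
  dest=$1
  esxcli network firewall ruleset set --ruleset-id sshClient --enabled false
  esxcli network firewall ruleset allowedip remove --ruleset-id sshClient --ip-address "$dest"
}

# Usage on ESX1 (commented out so the file can be sourced anywhere):
#   state=$(ruleset_enabled sshClient "$(esxcli network firewall ruleset list)")
#   [ "$state" = true ] || enable_ssh_client_for 192.0.2.20   # placeholder ESX2 address
#   scp -r /vmfs/volumes/datastore1/ANSIBLE-SERVER/ \
#          root@192.0.2.20:/vmfs/volumes/datastore1/ANSIBLE-SERVER/
#   disable_ssh_client 192.0.2.20
```

Checking the listing first matters because `esxcli ... ruleset set --enabled true` succeeds silently whether or not the ruleset was already on, so without it you cannot tell afterwards whether the firewall was already more open than you assumed. Restricting the ruleset with `--allowed-all false` plus one `allowedip` entry keeps the host from becoming a general-purpose SSH client on the management network.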

Good Luck!

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2005284
