Call “HostFirewallSystem.UpdateRuleset” for object firewallSystem

This error occurs when there is a problem with an IP address in one of the services in the ESXi firewall.

The IPs entered in the GUI will all look correct, and you will have exhausted every other possibility.

The root cause is usually that you have entered individual IPs in CIDR format with a /32. ESXi does not like this.

How to correct the problem:

1) SSH to the ESXi host and edit /etc/vmware/esx.conf

2) Remove the /32 from all IP entries for the firewall (see below). Be sure to leave all larger CIDR notations in place (/24, /27, /28, /16, etc.)

3) Reboot!

 

/firewall/services/webAccess/allowedip[0000]/ipstr = "192.168.10.10/32"  <- Bad Entry – remove the /32
/firewall/services/webAccess/allowedip[0001]/ipstr = "10.10.20.0/24"  <- Good Entry
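
Step 2 can be scripted instead of edited by hand. The following is an added example, not part of the original post and not VMware tooling: the function names and the sample lines are constructed, and it assumes the entries are written with plain double quotes. It keeps a backup and touches only firewall allowedip entries ending in /32.

```shell
#!/bin/sh
# Added example, not VMware tooling. Function names are hypothetical.

# Matches only firewall allowed-IP lines, e.g.
# /firewall/services/webAccess/allowedip[0000]/ipstr = "192.168.10.10/32"
ENTRY='^/firewall/services/[^/]*/allowedip\[[0-9]*]/ipstr = '

# Print how many allowed-IP entries still end in /32.
count_host_cidr() {
    grep -c "$ENTRY\".*/32\"[[:space:]]*\$" "$1" || true
}

# Remove the /32 suffix in place, keeping the original as <file>.bak.
strip_host_cidr() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak" || return 1
    # The address limits the edit to firewall entries; /24, /16 etc. never match.
    sed "\\|$ENTRY|s|/32\"[[:space:]]*\$|\"|" "$conf.bak" > "$conf.tmp" || return 1
    # Overwrite the contents rather than rename, so owner and mode are unchanged.
    cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
}

# Write a constructed sample (not taken from a real host) for a dry run.
write_sample() {
    cat > "$1" <<'EOF'
/firewall/services/webAccess/allowedip[0000]/ipstr = "192.168.10.10/32"
/firewall/services/webAccess/allowedip[0001]/ipstr = "10.10.20.0/24"
/firewall/services/sshServer/allowedip[0000]/ipstr = "172.16.5.9/32"
/other/key = "1.2.3.4/32"
EOF
}

# With a path argument, fix that file (on the host: /etc/vmware/esx.conf).
if [ $# -gt 0 ]; then
    strip_host_cidr "$1" && echo "entries still using /32: $(count_host_cidr "$1")"
fi
```

Compare the file against its .bak copy before rebooting to confirm that only the /32 suffixes changed.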