Web User Interface inaccessible post OpenManage Enterprise 4.6.0 upgrade while leveraging 'Restrict Allowed IP Ranges' setting

Postupgrade to version 4.6.0 the web user interface is not accessible. The site returns with an ERR_CONNECTION_TIMED_OUT when trying to load.

Within OpenManage Enterprise 4.6, the firewalld package gets upgraded from version 0.9.3 to 2.0.1. Firewalld 0.9.3 silently accepted noncanonical classless interdomain routing (CIDR) strings (for example, 100.94.15.0/21), so the ipset could store ranges with host bits set.

However, firewalld 2.0.1 automatically normalizes every CIDR string to its network form (100.94.8.0/21). This immediately conflicts with the preexisting noncanonical entries still present in the ipset rule. The ipset load then fails with 'INVALID_ENTRY overlaps' (100.94.8.0/21 overlaps with 100.94.15.0/21), causing iptables restore operation to cancel.

Before upgrading to version 4.6, review your current IP ranges located under Application Settings - Security - Restrict Allowed IP Ranges.

Ensure that the configured IP ranges are not overlapping. In the above example there are two ranges that would trigger the issue:

• 192.168.2.0/24
• 192.168.2.2/24

To mitigate the issue, leverage one of the following workarounds:

1. Modify the IP ranges before upgrading to version 4.6 by either removing the overlapped range or modifying the ranges so they are canonical.
2. Another option is to disable the settings temporarily until the upgrade is completed. The newer version of firewalld within version 4.6 automatically normalizes the IP ranges.

Already upgraded to version 4.6 and the web UI is inaccessible? Revert to a working snapshot/checkpoint prior to initiating the 4.6 upgrade. Use one of the workarounds from above and retry the upgrade.