Affected versions: SUSE Linux Enterprise Server 15


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Operators on SLES 15 report that firewalld blocks required service ports after a zone change. Services degrade, users see failed requests, and systemctl reports the affected units in a failed or activating state, blocking normal operations.

Environment & Reproduction

Reproduces on SUSE Linux Enterprise Server 15 hosts (SP4/SP5/SP6) after a recent zypper patch, SUSEConnect change, or wicked network reconfiguration; trigger by reapplying the same workflow on a clean VM and watching systemctl status and journalctl -xe.

Root Cause Analysis

When firewalld blocks required service ports after a zone change, the root cause is typically a mismatch in repository metadata (`zypper lr -u`), a kernel/userspace version mismatch after a patch, AppArmor profile changes, or firewalld zone bindings that no longer match the active wicked interface configuration.

Quick Triage

Run `systemctl --failed`, `journalctl -p err -b`, `zypper ps -s` to list services using deleted files, and `SUSEConnect --status-text` to confirm subscription. Capture `firewall-cmd --list-all` and `aa-status` output before changing anything.

Step-by-Step Diagnosis

Step 1: `journalctl -u -b --no-pager` to extract the actual error behind the blocked service ports.
Step 2: `zypper verify` and `zypper search --installed-only` to validate package state.
Step 3: `wicked ifstatus all` for network, `firewall-cmd --get-active-zones` for firewalld, and `journalctl -k` for kernel messages.
Step 4: correlate timestamps across logs.


Solution – Primary Fix

Primary fix: refresh metadata with `zypper ref`, apply the corrective patch via `zypper patch` or `zypper install -f `, reload AppArmor with `systemctl reload apparmor`, reload firewalld with `firewall-cmd --reload`, then restart the affected unit using `systemctl restart ` and re-check `journalctl -u `.


Solution – Alternative Approaches

If the primary fix is blocked, alternatives include pinning the package with `zypper addlock`, temporarily setting the AppArmor profile to complain mode with `aa-complain`, switching firewalld to a permissive zone for the interface, or falling back to a previous Btrfs snapshot via `snapper rollback` from a maintenance window.

Verification & Acceptance Criteria

Acceptance: `systemctl is-active ` returns active, `journalctl -u -b` shows no error after restart, `firewall-cmd --list-all` lists the required service, `aa-status` shows the profile in enforce mode without denials, and monitoring stays green for at least one full check interval.
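
The firewalld part of the acceptance check can be scripted. The following is an added example, not part of the original article: it parses `firewall-cmd --get-active-zones` and `--list-all` output to confirm that the zone an interface is bound to still allows the required services. The interface name, service names and sample output are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --get-active-zones` output.
SAMPLE_ACTIVE_ZONES='internal
  interfaces: eth1
public
  interfaces: eth0'

# Constructed sample of `firewall-cmd --zone=public --list-all` output.
SAMPLE_LIST_ALL='public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh
  ports:
  rich rules:'

# zone_of_interface IFACE: reads --get-active-zones output on stdin.
zone_of_interface() {
    awk -v ifc="$1" '
        { c = substr($0, 1, 1) }
        NF && c != " " && c != "\t" { zone = $1; next }  # unindented = zone name
        $1 == "interfaces:" {
            for (i = 2; i <= NF; i++) if ($i == ifc) { print zone; exit }
        }'
}

# missing_services "svc1 svc2": reads --list-all output on stdin and
# prints the required services that the zone does not allow.
missing_services() {
    awk -v want="$1" '
        $1 == "services:" { for (i = 2; i <= NF; i++) have[$i] = 1 }
        END {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++)
                if (!(w[i] in have)) printf "%s%s", (out++ ? " " : ""), w[i]
            if (out) print ""
        }'
}

# check_live IFACE "svc1 svc2": same check against the running firewalld.
check_live() {
    zone=$(firewall-cmd --get-active-zones | zone_of_interface "$1")
    [ -n "$zone" ] || { echo "no active zone for $1" >&2; return 2; }
    miss=$(firewall-cmd --zone="$zone" --list-all | missing_services "$2")
    [ -z "$miss" ] || { echo "zone $zone is missing: $miss" >&2; return 1; }
}

# Demo on the constructed samples (eth0, ssh and https are assumptions).
z=$(printf '%s\n' "$SAMPLE_ACTIVE_ZONES" | zone_of_interface eth0)
m=$(printf '%s\n' "$SAMPLE_LIST_ALL" | missing_services 'ssh https')
echo "eth0 is in zone $z; missing services: ${m:-none}"
```

The check only looks at the `services:` line, so a service opened as a raw port or through a rich rule is reported as missing.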

Rollback Plan

Rollback: use `snapper list` and `snapper rollback ` to revert root filesystem changes, restore `/etc` config via `etckeeper` if enabled, downgrade packages with `zypper install --oldpackage`, and revert firewalld with `firewall-cmd --reload` after restoring `/etc/firewalld/`.

Prevention & Hardening

Harden by keeping SUSEConnect registration current, scheduling `zypper patch` in maintenance windows, taking pre/post snapper snapshots, version-controlling AppArmor profiles and firewalld zones, monitoring `systemctl --failed`, and enabling persistent journald storage in `/etc/systemd/journald.conf`.

Related Errors & Cross-Refs

Related errors: ‘Failed to start’ in systemctl, ‘apparmor=DENIED’ in journalctl, ‘Repository … is invalid’ from zypper, ‘No active zone’ from firewall-cmd, ‘wicked: interface … failed’, and SUSEConnect ‘422 Unprocessable Entity’ on registration.


References & Further Reading

References: SUSE Linux Enterprise Server 15 Administration Guide, SUSE TID and KB articles for the affected component, `man zypper`, `man systemctl`, `man journalctl`, `man firewall-cmd`, `man apparmor.d`, `man wicked`, and the SUSEConnect documentation on scc.suse.com.
