Ah, my bad Asad. Thanks for the reminder. If it's Cloudera Manager that is complaining of bad health on those ZK servers, then it seems that some port that the Cloudera Manager "Service Monitor" process needs to access is blocked. This doc lists out the additional ports that CM needs to have access to, maybe it's in there somewhere?
If that doc doesn't help, we'd need to go into the service monitor logs in CM and see the exact message where it sets the ZK server's health to bad. In that message will probably be some pertinent information about what port is needed.