From 0f8586caff9448b1f4971b64eb330196eff64cfb Mon Sep 17 00:00:00 2001
From: Joe Abbey <joe.abbey@gmail.com>
Date: Fri, 5 Oct 2018 15:26:43 -0400
Subject: [PATCH] Update system-requirements.md

---
 ee/ucp/admin/install/system-requirements.md | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/ee/ucp/admin/install/system-requirements.md b/ee/ucp/admin/install/system-requirements.md
index fad8028344..85571758d2 100644
--- a/ee/ucp/admin/install/system-requirements.md
+++ b/ee/ucp/admin/install/system-requirements.md
@@ -94,7 +94,20 @@ Number 4 for IP-in-IP encapsulation.
 
 If you're deploying to AWS or another cloud provider, enable IP-in-IP
 traffic for your cloud provider's security group.
- 
+
+## Enable connection tracking on the loopback interface for SLES
+Calico's Kubernetes controllers can't reach the Kubernetes API server
+unless connection tracking is enabled on the loopback interface.  (SLES
+disables it by default.)
+
+On each node in the cluster:
+
+```
+sudo mkdir -p /etc/sysconfig/SuSEfirewall2.d/defaults
+echo FW_LO_NOTRACK=no | sudo tee /etc/sysconfig/SuSEfirewall2.d/defaults/99-docker.cfg
+sudo SuSEfirewall2 start
+```
+
 ## Timeout settings
 
 Make sure the networks you're using allow the UCP components enough time