diff --git a/test/e2e/framework/util.go b/test/e2e/framework/util.go
index 3dca2a881e8..b58e8fdb4f2 100644
--- a/test/e2e/framework/util.go
+++ b/test/e2e/framework/util.go
@@ -4941,7 +4941,7 @@ func getMaster(c clientset.Interface) Address {
 func GetAllMasterAddresses(c clientset.Interface) []string {
 master := getMaster(c)
- var ips sets.String
+ ips := sets.NewString()
 switch TestContext.Provider {
 case "gce", "gke":
 if master.externalIP != "" {
diff --git a/test/e2e/network/firewall.go b/test/e2e/network/firewall.go
index a4014ab1218..d46ff96c352 100644
--- a/test/e2e/network/firewall.go
+++ b/test/e2e/network/firewall.go
@@ -18,6 +18,7 @@ package network
 import (
 "fmt"
+ "time"
 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/util/sets"
@@ -172,19 +173,27 @@ var _ = SIGDescribe("Firewall rule", func() {
 By("Checking well known ports on master and nodes are not exposed externally")
 nodeAddrs := framework.NodeAddresses(nodes, v1.NodeExternalIP)
- Expect(len(nodeAddrs)).NotTo(BeZero())
- masterAddresses := framework.GetAllMasterAddresses(cs)
- for _, masterAddr := range masterAddresses {
- flag, _ := framework.TestNotReachableHTTPTimeout(masterAddr, ports.InsecureKubeControllerManagerPort, gce.FirewallTestTcpTimeout)
- Expect(flag).To(BeTrue())
- flag, _ = framework.TestNotReachableHTTPTimeout(masterAddr, ports.SchedulerPort, gce.FirewallTestTcpTimeout)
- Expect(flag).To(BeTrue())
- flag, _ = framework.TestNotReachableHTTPTimeout(nodeAddrs[0], ports.KubeletPort, gce.FirewallTestTcpTimeout)
- Expect(flag).To(BeTrue())
- flag, _ = framework.TestNotReachableHTTPTimeout(nodeAddrs[0], ports.KubeletReadOnlyPort, gce.FirewallTestTcpTimeout)
- Expect(flag).To(BeTrue())
- flag, _ = framework.TestNotReachableHTTPTimeout(nodeAddrs[0], ports.ProxyStatusPort, gce.FirewallTestTcpTimeout)
- Expect(flag).To(BeTrue())
+ if len(nodeAddrs) == 0 {
+ framework.Failf("did not find any node addresses")
 }
+
+ masterAddresses := framework.GetAllMasterAddresses(cs)
+ for _, masterAddress := range masterAddresses {
+ assertNotReachableHTTPTimeout(masterAddress, ports.InsecureKubeControllerManagerPort, gce.FirewallTestTcpTimeout)
+ assertNotReachableHTTPTimeout(masterAddress, ports.SchedulerPort, gce.FirewallTestTcpTimeout)
+ }
+ assertNotReachableHTTPTimeout(nodeAddrs[0], ports.KubeletPort, gce.FirewallTestTcpTimeout)
+ assertNotReachableHTTPTimeout(nodeAddrs[0], ports.KubeletReadOnlyPort, gce.FirewallTestTcpTimeout)
+ assertNotReachableHTTPTimeout(nodeAddrs[0], ports.ProxyStatusPort, gce.FirewallTestTcpTimeout)
 })
 })
+
+func assertNotReachableHTTPTimeout(ip string, port int, timeout time.Duration) {
+ unreachable, err := framework.TestNotReachableHTTPTimeout(ip, port, timeout)
+ if err != nil {
+ framework.Failf("Unexpected error checking for reachability of %s:%d: %v", ip, port, err)
+ }
+ if !unreachable {
+ framework.Failf("Was unexpectedly able to reach %s:%d", ip, port)
+ }
+}
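Review bot: The master-port assertions pass vacuously if `framework.GetAllMasterAddresses(cs)` returns an empty list, because the `for _, masterAddress := range masterAddresses` loop is then skipped and neither `ports.InsecureKubeControllerManagerPort` nor `ports.SchedulerPort` is probed. Whether it can return an empty list is not visible here, since most of its body lies outside the diff. The new `len(nodeAddrs) == 0` guard has no counterpart for masters; adding `if len(masterAddresses) == 0 { framework.Failf("did not find any master addresses") }` before the loop would make an empty result fail the test rather than pass it. The node-side checks still probe only `nodeAddrs[0]`, so an externally exposed kubelet, read-only kubelet or proxy-status port on any other node would go unnoticed; ranging over `nodeAddrs` would cover every node at the cost of a longer run. `assertNotReachableHTTPTimeout` would also benefit from a doc comment saying that it fails the test both when the probe returns an error and when the connection succeeds.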