Veeam uses not default ports

[Borsh]

Hello!
We have two site: A and B. In each of them there are two hyper-v 2008 r2 clusters – cluster LAN and cluster DMZ.
Veeam server is on the cluster LAN in site A. Version of Veeam B&R is 6.5.0.144 (with patch 3).
There is Cisco ASA between clusters and sites. But all necessary ports are open for the Veeam.
Sometimes there is a replication error of the two machines:

Code: Select all

Unable to subscribe to guest processing components: RPC function call failed. Function name: [IsSnapshotInProgress]. Target machine: [172.17.65.32]. RPC error:The RPC server is unavailable. Code: 1722. Unable to create snapshot (Microsoft Software Shadow Copy provider 1.0) (mode: Veeam application-aware processing). Details: Failed to prepare guests for volume snapshot. Unable to allocate processing resources. Error: Unable to allocate resources for taskId: '04f68c28-abcc-4ace-8885-909564413ab9'

Look at the pictures (ASA):




Where: 10.1.32.23 – VEEAM server, 172.17.65.32, 172.17.65.31 – replicated virtual machines (Win2008 r2).
So Veeam uses strange ports that are not in the documentation - 23834, 1071, 20688, 1056.

Does anybody met with same problem?

Case #00247416

Thanks
Igor

[foggy]

Igor, if you look at the Used Ports section in the user guide (p.67), you will notice that dynamic RPC ports are also required for application-aware image processing of the VM guest OS.

[Borsh]

Alexander, i have looked at the Ports Used Section of cource. But If you look again, you can see, that dynamic RPC port range:
- 1025 to 5000 (for Windows 2003)
- 49152-65535 (for Windows 2008)
http://www.veeam.com/vmware-backup/help ... ports.html

In my case, ports are 23834, 1071, 20688, 1056 - ports that do not fall within the range 49152-65535 (replicated virtual machines with Windows 2008 R2).

[foggy]

Do you probably have Exchange Server installed in the affected VMs?

[Borsh]

in one – MSSQL + Oracle Hyperion, in another - Essbase.

[foggy]

Igor, could you please check what default dynamic RPC ports are configured on these VMs?

[Borsh]

There are not key Internet in HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc and any another keys in registry.
It should be added?

[foggy]

Well, you could create it and probably the ports from the range you specify will then be used. However, I'm not sure why the default range (49152-65535) is not used if there's no range specified at all.

Anyway, these ports are defined by the guest RPC service, so Veeam components are simply instructed to use them.

[elwood]

Sorry to dig up an old post.
I'd like a bit more clarity around this.
Default RPC as we know is 49152-65535, and in the case of Veeam Agent for Windows for example it opens up a client side connection from the default RPC range, to the 2500-5000 range on the B&R side for each connection - correct?

We also know that Exchange seems to alter the default range to 6005-59530 - so that's a bit of a pain in itself. (Should this bit of info be added to your used ports documentation? )
Strangely, we've seen non Exchange servers (standard, clean built DC) opening up ephemeral ports outside of the default range.
C:> NETSH INTERFACE IPV4 SHOW DYNAMICPORTRANGE TCP shows the normal 49152-65535 configured, yet something is causing it to open connections outside of the range. It makes firewall configuration exceptionally difficult without opening up blanket holes throughout.

I'm curious as to how common this is, how others are addressing this, and most importantly I'm wondering if it's feasible for the Agent at some time in the future to encapsulate all of this traffic into one transport port in a similar way to Cloud Connect?

[Dima P.]

Hi Eliot,

The specified range is correct. Need some time to check the overlap with Exchange - stay tuned.

EDIT: This RPC range it a default one for any Windows application. In case of overlap (when port is taken by one application and another is trying to use the same one) – application tries to use any other idle port from this range