Hi,
with a kind of small setup (5 ESXi Hosts, 5 Bare Metal Windows machines, 2 NAS for Repositories and a Tape Server with an attached Tape Library) I was tracking down some severe performance issues when writing a backup from our archive NAS to Tape. The Speed was capping out at 50-60MB/s which is a bit on the slow side for LTO-9
Only when I looked at the host-list within "resmon" I saw that the tape server was receiving all the data from one of our bare metal windows hosts - in this case our active-directory #4 server. Since that server only has a Gigabit NIC it caps out a ~600 Mbit/s in both directions.
I only learned at this point, that there exists something called a gateway when working with backup shares. Due to the nature of tape jobs they usually need a Gateway to produce the synthetic full for the tape job.
I wonder why veeam chooses that ActiveDirectory#4 Server. I checked the Gateway list within the Repository Entry. It was not not set to automatic, but to "manual" with all listed hosts "checked" this also includes ActiveDirectory#4, our main veeam-server as well as the tape server.
While our Backup-machines are not AD-joined but are on the same server-subnet as the NAS and all other Server I wonder why veeam chose that ActiveDirectory#4 with only 1 Gbit/s connection speed over the Tape Server which has plenty of local memory / cpu and 10 Gbit/s nic or at least the default veeam server which also is very beefy in regards of CPU / RAM and NIC?
regards,
Fabian
-
Dark-Sider
- Influencer
- Posts: 15
- Liked: 3 times
- Joined: May 05, 2016 11:08 am
- Contact:
-
DChiavari
- VeeaMVP
- Posts: 1157
- Liked: 319 times
- Joined: Feb 02, 2012 7:03 pm
- Full Name: Danilo Chiavari
- Location: Rome, IT
- Contact:
Re: Gateway Selection
Hello, as far as I know the selection algorithm does not consider the nominal NIC(s) speed - it's mostly based on current CPU/RAM load, available task slots and network "vicinity" to the target (being in the same subnet). Maybe in your case the AD server has the least load of all when the jobs start? A potential suggestion could be removing (unchecking) that server from the list, as you're not using full automatic selection anyway.
Danilo Chiavari
Sr. Presales Manager, Italy @ Veeam
www.danilochiavari.com
Sr. Presales Manager, Italy @ Veeam
www.danilochiavari.com
-
Dark-Sider
- Influencer
- Posts: 15
- Liked: 3 times
- Joined: May 05, 2016 11:08 am
- Contact:
Re: Gateway Selection
Hi,
thanks for the reply. Yeah our ADs pretty much have 0 load (although not being over potent in the first place). I already did remove them from the gateway selection in the repository entries. Which should solve the issue on the next run.
What I find a bit distirubing is, that the gateways seem to use the UNC paths of the repository to read / work with the repository files. IT security best practice rules usually suggest to detach your backup environment so threat actors who might gain AD access have no access to your backup infrastructure. While this shouldn't be considered you only line of defence and offline / offsite backups in addition are very critical, I don't like that veeam passes on credentials to backup repositories to clients which are AD-joined.
thanks for the reply. Yeah our ADs pretty much have 0 load (although not being over potent in the first place). I already did remove them from the gateway selection in the repository entries. Which should solve the issue on the next run.
What I find a bit distirubing is, that the gateways seem to use the UNC paths of the repository to read / work with the repository files. IT security best practice rules usually suggest to detach your backup environment so threat actors who might gain AD access have no access to your backup infrastructure. While this shouldn't be considered you only line of defence and offline / offsite backups in addition are very critical, I don't like that veeam passes on credentials to backup repositories to clients which are AD-joined.
Who is online
Users browsing this forum: Bing [Bot], jveerd1, Semrush [Bot] and 87 guests