I'm revisiting an issue I had before with replicating across a WAN. I can replicate to my target ESX server from within my own network just fine. But when I try from off-site locations it fails:
Cannot connect to server [ip-of-veeam-server:2500]
I'm using this in my ASA firewall to allow all possible ports that I thought Veeam would need. It allows me to add the server and connect to it, but the above error occurs after about 5 minutes. An 8 MB file is created on the target VMware server.
access-list outside_in extended permit tcp any host 1.2.3.4 eq ssh
access-list outside_in extended permit tcp any host 1.2.3.4 eq netbios-ssn
access-list outside_in extended permit udp any host 1.2.3.4 eq netbios-ns
access-list outside_in extended permit udp any host 1.2.3.4 eq netbios-dgm
access-list outside_in extended permit tcp any host 1.2.3.4 eq 445
access-list outside_in extended permit tcp any host 1.2.3.4 eq 135
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2500
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2501
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2502
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2503
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2504
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2505
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2506
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2507
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2508
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2509
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2510
access-list outside_in extended permit tcp any host 1.2.3.4 eq https
access-list outside_in extended permit udp any host 1.2.3.4 eq 2500
access-list outside_in extended permit udp any host 1.2.3.4 eq 2501
access-list outside_in extended permit udp any host 1.2.3.4 eq 2502
access-list outside_in extended permit udp any host 1.2.3.4 eq 2503
access-list outside_in extended permit udp any host 1.2.3.4 eq 2504
access-list outside_in extended permit udp any host 1.2.3.4 eq 2505
access-list outside_in extended permit udp any host 1.2.3.4 eq 2506
access-list outside_in extended permit udp any host 1.2.3.4 eq 2507
access-list outside_in extended permit udp any host 1.2.3.4 eq 2508
access-list outside_in extended permit udp any host 1.2.3.4 eq 2509
access-list outside_in extended permit udp any host 1.2.3.4 eq 2510
static (inside,outside) 1.2.3.4 10.1.0.51 netmask 255.255.255.255
Anyone see if I have anything missing from the ports list? I didn't think UDP was required, but I added it for testing to see if it helped, and it didn't.
- Novice
- Posts: 8
- Liked: never
- Joined: Nov 05, 2009 3:28 pm
- Full Name: Chris Sanburn
- Contact:
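Added example, not part of the original post or of Veeam's documentation: a Python audit of an ACL written in the style posted above. It lists ports opened to `any` source that the thread never names as needed, and re-emits the rest with consecutive ports merged into `range` entries. It assumes the needed set is only what the thread itself mentions (TCP 22, 443 and 2500-2510); the sample ACL is a shortened, constructed copy, and the function names are made up for illustration.

```python
import re

# Constructed sample: shortened copy of the posted ACL (1.2.3.4 is the post's placeholder).
ACL = """\
access-list outside_in extended permit tcp any host 1.2.3.4 eq ssh
access-list outside_in extended permit tcp any host 1.2.3.4 eq netbios-ssn
access-list outside_in extended permit tcp any host 1.2.3.4 eq 445
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2500
access-list outside_in extended permit tcp any host 1.2.3.4 eq 2501
access-list outside_in extended permit tcp any host 1.2.3.4 eq https
access-list outside_in extended permit udp any host 1.2.3.4 eq 2500
"""
NAMED = {"ssh": 22, "https": 443, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}
# Assumption: only what the thread names is needed (TCP 22, 443, 2500-2510).
NEEDED = {("tcp", p) for p in [22, 443, *range(2500, 2511)]}
RULE = re.compile(r"access-list (\S+) extended permit (tcp|udp) (\S+) host (\S+) eq (\S+)")

def parse(text):  # -> [(acl_name, proto, source, dest_ip, port)]
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            name, proto, src, dst, port = m.groups()
            rules.append((name, proto, src, dst, NAMED[port] if port in NAMED else int(port)))
    return rules

def audit(rules):
    """Ports opened to any source that are outside the NEEDED set."""
    return sorted({(proto, port) for _, proto, src, _, port in rules
                   if src == "any" and (proto, port) not in NEEDED})

def consolidate(rules, source="any"):
    """Re-emit only NEEDED rules, merging consecutive ports into 'range' entries."""
    groups = {}
    for name, proto, _, dst, port in rules:
        if (proto, port) in NEEDED:
            groups.setdefault((name, proto, dst), set()).add(port)
    out = []
    for (name, proto, dst), ports in sorted(groups.items()):
        ports = sorted(ports)
        start = prev = ports[0]
        for p in ports[1:] + [None]:
            if p is not None and p == prev + 1:
                prev = p
                continue
            spec = f"eq {start}" if start == prev else f"range {start} {prev}"
            out.append(f"access-list {name} extended permit {proto} {source} host {dst} {spec}")
            start = prev = p
    return out
```

Passing a source such as `"host 198.51.100.10"` (a placeholder for the remote site's address) to `consolidate` limits the re-emitted rules to that one peer instead of `any`.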
- Influencer
- Posts: 10
- Liked: never
- Joined: Jan 01, 2006 1:01 am
- Full Name: Emmanuel Bernard
- Location: France
- Contact:
Re: Veeam firewall requirements
Csanburn,
It seems that required ports are open: 22, 443, and at least 2500 (for one concurrent job).
Have you tried to open an SSH session, or a session on port 2500, within the Veeam Backup installation, using PuTTY for example?
Please do it and tell us the result; it's just to check whether you get the same error message.
Thanks
Emmanuel
- Novice
- Posts: 8
- Liked: never
- Joined: Nov 05, 2009 3:28 pm
- Full Name: Chris Sanburn
- Contact:
Re: Veeam firewall requirements
I was able to open an ssh session with port 22 to my target ESX server. If I understood correctly, I was to use PuTTY to try and open an ssh session using port 2500 as well, which I tried and got a connection refused message.
PuTTY Fatal Error
Network error: Connection refused
But I also get that error when trying to ssh to port 2500 from the local network, where a replication job works fine.
And an esxcfg-firewall -q gave this:
Chain INPUT (policy ACCEPT 99275 packets, 98M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 94086 packets, 97M bytes)
pkts bytes target prot opt in out source destination
Neither incoming nor outgoing blocked by default
Enabled services: CIMSLP VCB swISCSIClient CIMHttpsServer vpxHeartbeats sshServer webAccess CIMHttpServer
Opened ports:
FastSCP : port 2500:2550 tcp.in tcp.out
FastSCP : port 2500:2510 tcp.in tcp.out
veeamAgent : port 2501 tcp.out
Added Iprules:
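Added example, not from the original posts: the PuTTY test above reports a single outcome for a single port. This Python code classifies every port the thread names as open, refused or filtered, so the same survey can be run from the local network and from the off-site location and the two results compared. The host is whatever address you pass in; the function names are made up for illustration.

```python
import socket

# Ports named in the thread: SSH, HTTPS and the 2500-2510 range.
THREAD_PORTS = [22, 443, *range(2500, 2511)]

def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt.

    open     - handshake completed, something is listening
    refused  - a reset came back: the path answers, but nothing accepts on that port
    filtered - no answer before the timeout: packets are dropped somewhere on the way
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        return f"error: {e.strerror or e}"
    finally:
        s.close()

def survey(host, ports=THREAD_PORTS, timeout=3.0):
    """Probe every port and return {port: state}."""
    return {p: probe(host, p, timeout) for p in ports}

def compare(lan, wan):
    """Ports whose state differs between the two vantage points."""
    return {p: (lan[p], wan.get(p)) for p in lan if lan[p] != wan.get(p)}

if __name__ == "__main__":
    import sys
    for port, state in survey(sys.argv[1]).items():
        print(f"{port}/tcp {state}")
```

An empty `compare` result means both vantage points see the same state on every port; a port that is `refused` on the LAN but `filtered` off site is being dropped somewhere on the WAN path.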
- Novice
- Posts: 8
- Liked: never
- Joined: Nov 05, 2009 3:28 pm
- Full Name: Chris Sanburn
- Contact:
Re: Veeam firewall requirements
Well, unless I can find something else to try and get this to work, it looks like the boss is wanting to try another backup solution. Neither Veeam tech support nor our vendor's tech support has been able to find a solution.