Discussions specific to the VMware vSphere hypervisor
VeeBR
Influencer
Posts: 11
Liked: never
Joined: Nov 01, 2018 1:30 am

Do I need a Gateway server to better manage VMs backups in two different subnets?

Post by VeeBR »

For security purposes, we needed to move and rearrange our vSphere VMs into two subnets. We created a new vCenter on a new subnet (call it subnet2) and moved some of the VMs into it. We also moved the physical Veeam B&R server to the new subnet: subnet2.
Now we have a vCenter with 20 VMs in the original subnet (call it subnet1), a vCenter with 5 VMs on the new subnet2 and Veeam B&R on subnet2.

On the first backup run, only 2 out of 20 VMs in subnet1 backed up successfully; all VMs on subnet2 got backed up successfully.
I realized this and opened ports 2500-2510 on the Veeam B&R server, which was not needed before as everything was in the same subnet. Since opening the ports on the Veeam B&R server, all VMs in subnet1 are also backing up successfully.

Would I need a Gateway server on subnet1 in order to enhance my backup infrastructure? Would it make any difference to backup speed or management?

foggy
Veeam Software
Posts: 19285
Liked: 1743 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Do I need a Gateway server to better manage VMs backups in two different subnets?

Post by foggy »

Gateway servers are not required, but I'd place a proxy server under the new vCenter to allow VM backup via hotadd.


Re: Do I need a Gateway server to better manage VMs backups in two different subnets?

Post by VeeBR »

The failed jobs have the errors below. Thank you for your advice on a proxy server on subnet2, where the Veeam B&R server is. I will try that next and hope these errors go away.
Currently my Veeam backup job runs but succeeds/fails on random VMs on subnet1. I have upgraded Veeam B&R from 9.5 to 10 but this condition persists.

Code:

5/25/2020 1:14:39 PM :: Getting VM info from vSphere
  
5/25/2020 1:20:27 PM :: Error: Cannot get service content.
Soap fault. TimeoutDetail: 'connect failed in tcp_connect()', endpoint: 'https://myvcsa.myserver.net:443/sdk'
SOAP connection is not available. Connection ID: [myvcsa.myserver.net].
Failed to create NFC download stream. NFC path: [nfc://conn:myvcsa.myserver.net,nfchost:host-1186,stg:datastore-1188@MyVm/MyVmtemp.vmx].

veremin
Product Manager
Posts: 17777
Liked: 1628 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: Do I need a Gateway server to better manage VMs backups in two different subnets?

Post by veremin »

Kindly reach out to our support team for further assistance, since log investigation is required. Thanks!

PetrM
Veeam Software
Posts: 584
Liked: 78 times
Joined: Aug 28, 2013 8:23 am
Full Name: Petr Makarov
Location: Prague, Czech Republic

Re: Do I need a Gateway server to better manage VMs backups in two different subnets?

Post by PetrM »

Hello,

Please don't forget to paste your case ID for our reference.

I would also recommend analyzing a network traffic dump; it looks like the issue is related to a network timeout when the backup server tries to reach the vCenter server.
And take a look at this KB, just in case.

Thanks!


Re: Do I need a Gateway server to better manage VMs backups in two different subnets?

Post by VeeBR »

After going through this KB: https://helpcenter.veeam.com/archive/ba ... tml#backup I ran the following commands to allow the ports mentioned in the KB. The timeout and SOAP errors went away and the VM backups ran successfully; however, it seems a little slower than when the B&R server, the vCenters, ESXi hosts and VMs were in the same subnet. I do not know which one of these rules helped with the timeout and SOAP issues yet.

Code:

Commands to allow inbound localports on Veeam B&R server:
netsh advfirewall firewall add rule name="Veeam B&R 902" dir=in action=allow protocol=TCP localport=902
netsh advfirewall firewall add rule name="Veeam B&R 6162" dir=in action=allow protocol=TCP localport=6162
netsh advfirewall firewall add rule name="Veeam B&R 9501" dir=in action=allow protocol=TCP localport=9501
netsh advfirewall firewall add rule name="Veeam B&R 2500-5000" dir=in action=allow protocol=TCP localport=2500-5000
netsh advfirewall firewall add rule name="Veeam B&R 49152-65535" dir=in action=allow protocol=TCP localport=49152-65535

Commands to allow outbound localports on Veeam B&R server:
netsh advfirewall firewall add rule name="Veeam B&R 135 TCP for Deploying Veeam Components" dir=out action=allow protocol=TCP localport=135
netsh advfirewall firewall add rule name="Veeam B&R 137-139 for Deploying Veeam Components" dir=out action=allow protocol=TCP localport=137-139
netsh advfirewall firewall add rule name="Veeam B&R 445 TCP for Deploying Veeam Components" dir=out action=allow protocol=TCP localport=445
netsh advfirewall firewall add rule name="Veeam B&R 135 UDP for Deploying Veeam Components" dir=out action=allow protocol=UDP localport=135
netsh advfirewall firewall add rule name="Veeam B&R 137-139 for Deploying Veeam Components" dir=out action=allow protocol=UDP localport=137-139
netsh advfirewall firewall add rule name="Veeam B&R 445 UDP for Deploying Veeam Components" dir=out action=allow protocol=UDP localport=445
netsh advfirewall firewall add rule name="Veeam B&R 443 for Connections to vCenter Servers" dir=out action=allow protocol=TCP localport=443
netsh advfirewall firewall add rule name="Veeam B&R 10443 for Comm with vCenter Servers" dir=out action=allow protocol=TCP localport=10443
netsh advfirewall firewall add rule name="Veeam B&R 902 for Data transfer to esxi hosts" dir=out action=allow protocol=TCP localport=902
netsh advfirewall firewall add rule name="Veeam B&R 53  for DNS Server" dir=out action=allow protocol=UDP localport=53
netsh advfirewall firewall add rule name="Veeam B&R 80 for connecting to dev.veeam.com" dir=out action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="Veeam B&R 2500-5000 for Veeam Data Transmission Channels" dir=out action=allow protocol=TCP localport=2500-5000
netsh advfirewall firewall add rule name="Veeam B&R 49152-65535 for Dynamic RPC" dir=out action=allow protocol=TCP localport=49152-65535
netsh advfirewall firewall add rule name="Veeam B&R 6162 for Veeam Data Mover Svc" dir=out action=allow protocol=TCP localport=6162
netsh advfirewall firewall add rule name="Veeam B&R 6160 for Veeam Installer Svc" dir=out action=allow protocol=TCP localport=6160
netsh advfirewall firewall add rule name="Veeam B&R 6166 for Tape Server" dir=out action=allow protocol=TCP localport=6166
netsh advfirewall firewall add rule name="Veeam B&R 5392 for Nimble Storage" dir=out action=allow protocol=TCP localport=5392
netsh advfirewall firewall add rule name="Veeam B&R 9501 for local server comm between Broker Service & services " dir=out action=allow protocol=TCP localport=9501


I am going to see if allowing these ports on the VMs would improve the backup speed

netsh advfirewall firewall add rule name="Veeam B&R 135 TCP for Deploying Veeam Components" dir=in action=allow protocol=TCP localport=135
netsh advfirewall firewall add rule name="Veeam B&R 137-139 TCP for Deploying Veeam Components" dir=in action=allow protocol=TCP localport=137-139
netsh advfirewall firewall add rule name="Veeam B&R 445 TCP for Deploying Veeam Components" dir=in action=allow protocol=TCP localport=445
netsh advfirewall firewall add rule name="Veeam B&R 137-139 UDP for Deploying Veeam Components" dir=in action=allow protocol=UDP localport=137-139
netsh advfirewall firewall add rule name="Veeam B&R 135 UDP for Deploying Veeam Components" dir=in action=allow protocol=UDP localport=135
netsh advfirewall firewall add rule name="Veeam B&R 445 UDP for Deploying Veeam Components" dir=in action=allow protocol=UDP localport=445
netsh advfirewall firewall add rule name="Veeam B&R 6160 for Veeam Installer Svc" dir=in action=allow protocol=TCP localport=6160
netsh advfirewall firewall add rule name="Veeam B&R 6162 for Veeam Data Mover Svc" dir=in action=allow protocol=TCP localport=6162
netsh advfirewall firewall add rule name="Veeam B&R 2500-5000 for Veeam Data Transmission Channels" dir=in action=allow protocol=TCP localport=2500-5000
netsh advfirewall firewall add rule name="Veeam B&R 49152 to 65535 for Dynamic RPC" dir=in action=allow protocol=TCP localport=49152-65535
netsh advfirewall firewall add rule name="Veeam B&R 6167 for runtime process on the VM guest OS" dir=in action=allow protocol=TCP localport=6167
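
A lint pass over the netsh rules posted above, as an added example that is not part of the original posts or of Veeam's documentation. It flags outbound rules keyed on `localport` (on a `dir=out` rule that matches the source port; the destination port is `remoteport`), rules with no `remoteip` scope, wide port ranges and reused rule names. The first three sample rules are copied from the post; the fourth rule, its 192.0.2.0/24 address and the 1000-port threshold are assumptions.

```python
import shlex
from collections import Counter

# First three rules are copied from the post above; the fourth is a constructed,
# scoped variant (192.0.2.0/24 is a documentation range, not from the thread).
RULES = r'''
netsh advfirewall firewall add rule name="Veeam B&R 2500-5000" dir=in action=allow protocol=TCP localport=2500-5000
netsh advfirewall firewall add rule name="Veeam B&R 137-139 for Deploying Veeam Components" dir=out action=allow protocol=TCP localport=137-139
netsh advfirewall firewall add rule name="Veeam B&R 137-139 for Deploying Veeam Components" dir=out action=allow protocol=UDP localport=137-139
netsh advfirewall firewall add rule name="Scoped 443 to vCenter" dir=out action=allow protocol=TCP remoteport=443 remoteip=192.0.2.0/24
'''

def parse_rule(line):
    """Turn one 'netsh advfirewall firewall add rule' line into a dict of its key=value arguments."""
    tokens = shlex.split(line)  # handles name="..." quoting
    if tokens[:5] != ["netsh", "advfirewall", "firewall", "add", "rule"]:
        raise ValueError("not an add-rule command: " + line)
    return {k.lower(): v for k, v in (t.split("=", 1) for t in tokens[5:])}

def port_count(spec):
    """Number of ports covered by a numeric spec such as '902' or '2500-5000,6160'."""
    total = 0
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        total += int(hi or lo) - int(lo) + 1
    return total

def lint(text, wide=1000):
    """Return (name, dir, protocol, issues) for every rule in text."""
    rules = [parse_rule(l) for l in text.splitlines() if l.strip()]
    names = Counter(r["name"] for r in rules)
    findings = []
    for r in rules:
        issues = []
        if r.get("dir") == "out" and "localport" in r and "remoteport" not in r:
            issues.append("outbound-localport")  # matches source port, not destination
        if r.get("remoteip", "any").lower() == "any":
            issues.append("unscoped-remoteip")   # omitted remoteip means any address
        ports = r.get("localport") or r.get("remoteport")
        if ports and port_count(ports) > wide:
            issues.append("wide-range")
        if names[r["name"]] > 1:
            issues.append("duplicate-name")
        findings.append((r["name"], r["dir"], r["protocol"], issues))
    return findings

if __name__ == "__main__":
    for name, direction, proto, issues in lint(RULES):
        print(f"{direction:3} {proto:3} {name}: {', '.join(issues) or 'ok'}")
```

Rules reported as unscoped can be narrowed with netsh's `remoteip=` argument so that only the other subnet's backup components match.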


Re: Do I need a Gateway server to better manage VMs backups in two different subnets?

Post by PetrM »

Hello,

It's difficult to say which of the rules above helped you to work around the issue with SOAP and other connectivity errors without a clear understanding of the initial root cause.
I suppose these are the inbound and outbound rules for ports 443 and 902, but that is only my supposition, and log analysis is required in order to get an exact answer; it's worth asking our support team.

Opening ports on VMs cannot increase or decrease job performance; the data processing stages are: reading data from the source, data transfer between Data Movers and writing data to the repository.
The basic backup architecture is described on this help center page. I would recommend looking at the "bottleneck" shown in the job statistics to identify the source of the problem.

Thanks!
