Remote Agent for Linux or Unix Servers (RALUS) backup job fails with "V-79-57344-65072 - A communications failure has occurred" if "Firewall" is enabled on the remote UNIX\Linux server
Problem
A Backup Exec for Windows Servers Remote Agent for Linux or Unix Servers (RALUS) backup job fails with the error "A communications failure has occurred" if the firewall is enabled on the remote UNIX\Linux server.
Error Message
Final error: 0xe000fe30 - V-79-57344-65072 - A communications failure has occurred.
Final error: 0xe000ff11 - V-79-57344-65297 - A communications failure has occurred with a Linux or Unix resource.
Error traced in SGMON:
Control connection is successfully established at NDMP port 10000 as shown below:
bengine: [4320] 07/15/06 12:36:46 ndmpConnect : Control Connection information : connection established between IP 10.xxx.xxx.xxx, port 5796 and IP 10.xxx.xxx.xxx, port 10000
bengine: [4320] 07/15/06 12:36:46 NDMP version 3 connection CONNECTED
The data connection fails to establish at a dynamic TCP port, as shown below:
TF_InitMediaServerReverseConnection: ERROR: Could not establish connection to the remote agent
- or -
TF_InitMediaServerReverseConnection: Data Connection: Failed to connect to remote address 10.xxx.xxx.xxx:32820, system error message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Cause
With the introduction of RALUS, Backup Exec uses the well-known NDMP port 10000 for Unix and Linux backup communications. For backup communication to succeed, the following ports must be open.
Solution
Port 10000 (NDMP Control Port)
Range of Dynamic ports. (Example: Dynamic Data Port range : 1025-65535)
This is the full available range but administrators can decide and have a specific range opened at the Firewall.
Note: Veritas recommends having port 10000 open and available on the Backup Exec media server as well as on the remote systems. In addition, opening the dynamic port range mentioned above is specified for communications between the media server and remote agents. It is the combination of the two ports (Control + Data) that makes a data backup succeed.
Communication between the media server and the Remote Agent will usually require up to 2 ports on the remote agent side per backup operation. To support multiple backups and restores occurring simultaneously, the firewall must be configured to allow a range of ports.
Important:
In most cases, it has been observed that customers have opened only one port on the firewall for data communications, i.e. NDMP port 10000. This is not the correct setting, because NDMP port 10000 only establishes the "Control" connection with the remote UNIX\Linux system. The data connection requires another (dynamic) port to be opened at the firewall, otherwise the backup will fail. One such example of a firewall setting is given below.
Figure 2:
As seen in the figure above, the entire dynamic port range is blocked except NDMP port 10000. With this setting, customers can view and browse remote UNIX\Linux resources but cannot back up the data, because the rest of the dynamic data port range is blocked.
To resolve this issue, make sure "Firewall" is not enabled on the other side, and if the firewall is enabled, then make sure a certain dynamic port range is opened for data communications to take place.
Note: iptables is the firewall and packet filtering tool in the Linux 2.4 kernel and beyond. For UNIX servers, please refer to the UNIX manual.
1. To check if the firewall is enabled on the remote Linux (RedHat) server, type the following command.
iptables -L
2. Using iptables, open the range of ports for data communications to take place. In this example, we have opened the dynamic port range 32821 to 32829 after reading the SGMON log, as shown in Figure 3 below.
Figure 3:
This range may differ from one system to another. The important thing here is to have a certain range of ports free so that data transfer can take place.
For details on the use of "iptables", please see the article given in the Related Documents section.
3. To define the range of ports that the media server and remote agent must use, click the link below. Restart the firewall if necessary.
Note:
Always check if the version of Linux is included in the Software Compatibility List (SCL).
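The rules for step 2, written out as an added example (not taken from the Veritas article). It goes one step beyond the text by accepting the control port and the dynamic range only from the media server's address rather than from any host. The function name ralus_rules, the address 192.0.2.10 and the use of the INPUT chain are assumptions for illustration.

```shell
#!/bin/sh
# Added example: print (not apply) iptables rules that admit the NDMP
# control port and a narrowed dynamic data-port range from one media server.
# ralus_rules, the INPUT chain and the sample address are assumptions.

ralus_rules() {
    media_server=$1   # address of the Backup Exec media server
    first=$2          # first dynamic data port
    last=$3           # last dynamic data port

    if [ -z "$media_server" ]; then
        echo "media server address is required" >&2
        return 1
    fi

    # Reject empty or non-numeric ports before they reach a rule.
    for p in "$first" "$last"; do
        case $p in
            ''|*[!0-9]*) echo "ports must be numeric" >&2; return 1 ;;
        esac
    done

    # Stay inside the 1025-65535 dynamic range given in the article.
    if [ "$first" -lt 1025 ] || [ "$last" -gt 65535 ] || [ "$first" -gt "$last" ]; then
        echo "range must lie within 1025-65535, low port first" >&2
        return 1
    fi

    # Control connection (NDMP port 10000).
    echo "iptables -I INPUT -p tcp -s $media_server --dport 10000 -j ACCEPT"
    # Data connections; iptables writes a port range as first:last.
    echo "iptables -I INPUT -p tcp -s $media_server --dport $first:$last -j ACCEPT"
}

# Range from the article's example; 192.0.2.10 is a constructed address.
ralus_rules 192.0.2.10 32821 32829
```

Review the printed rules, run them as root on the Linux server, then confirm with iptables -L that both ACCEPT entries sit above any REJECT or DROP rule.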