Veeam Backup & Replication (VBR) Fails to Connect to ESXi Host on Port 902

Article ID: 421858

Products

VMware vCenter Server
VMware vSphere ESXi

Issue/Introduction

Veeam Backup & Replication (VBR) is unable to connect to an ESXi host, and the connection fails specifically on port 902. This prevents backup and replication jobs from executing successfully for VMs residing on that host.

Environment

VMware vCenter Server 
VMware vSphere ESXi

Cause

The connection failure on port 902 is almost always due to a network connectivity issue or a firewall blocking the required traffic.

  • Port 902 Function: This port is the default TCP/UDP port for VMware Remote Console (VMRC) and is critical for VBR to communicate directly with the ESXi host's hostd service during VM data retrieval and other operations.

  • Common Blockers:

    • External Network Firewalls (Hardware, Virtual, or Cloud Security Groups).

    • Internal ESXi Host Firewall blocking the VBR component's IP address.

Resolution

The primary resolution is to ensure TCP traffic on port 902 is explicitly allowed and unrestricted between the Veeam Backup & Replication components and the target ESXi host.

1. Verify Port Connectivity using Telnet

Use the Windows Command Prompt (CMD) on the VBR server or Backup Proxy to test if the port is open:

  • Command Prompt Syntax:

    telnet <ESXi_Host_IP_Address> 902
    
  • If the port is open, the screen will go black, or you will receive a response similar to: 220 VMware Authentication Daemon...

    • Note: You may need to enable the Telnet Client feature in Windows first.

  • If the port is blocked, the output will likely be: Could not open connection to the host, on port 902: Connect failed
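
The check from step 1 can also be run from PowerShell on the VBR server or Backup Proxy when the Telnet Client feature is not enabled. The following is an added example, not part of the original article; the function name Test-EsxiPort902 and the sample addresses are assumptions, and it tests TCP only. It separates a timeout (no reply) from an active refusal, which helps decide whether to look at a device on the path or at the host itself.

```powershell
# Added example: TCP-only probe of port 902 (UDP is not tested here).
function Test-EsxiPort902 {
    param(
        [Parameter(Mandatory)][string]$EsxiHost,
        [int]$Port = 902,
        [int]$TimeoutMs = 3000
    )
    $result = [pscustomobject]@{ EsxiHost = $EsxiHost; Port = $Port; State = 'Unknown'; Banner = '' }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $connect = $client.ConnectAsync($EsxiHost, $Port)
        if (-not $connect.Wait($TimeoutMs)) {
            # No answer at all: traffic is most likely dropped silently on the path
            $result.State = 'Timeout (no reply, likely dropped by a firewall)'
            return $result
        }
        $result.State = 'Open (connected, no banner read)'
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $buffer = New-Object byte[] 256
        try {
            $read = $stream.Read($buffer, 0, $buffer.Length)
            if ($read -gt 0) {
                $result.Banner = [System.Text.Encoding]::ASCII.GetString($buffer, 0, $read).Trim()
                if ($result.Banner -like '220*') { $result.State = 'Open (220 banner received)' }
            }
        } catch {
            # Connected, but nothing arrived before the read timeout; State stays as set above
        }
    } catch {
        $base = $_.Exception.GetBaseException()
        if ($base -is [System.Net.Sockets.SocketException] -and
            $base.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
            # A reset came back: the path carries traffic, but the port is closed or actively rejected
            $result.State = 'Refused (reset received: port closed or actively rejected)'
        } else {
            $result.State = "Error: $($base.Message)"
        }
    } finally {
        $client.Close()
    }
    return $result
}

# Constructed sample addresses (TEST-NET-1 documentation range); replace with the real ESXi hosts.
$esxiHosts = '192.0.2.10', '192.0.2.11'
$esxiHosts | ForEach-Object { Test-EsxiPort902 -EsxiHost $_ } | Format-Table -AutoSize
```

Run it from every Backup Proxy as well as the VBR server, since each source IP may be handled by a different firewall rule.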

2. Check and Configure External Firewalls (Primary Step)

This is the most likely area of blockage, especially if the ESXi host's local firewall is disabled or correctly configured.

  • Review all network hardware and cloud security rules (e.g., Cisco ACLs, Azure Network Security Groups, AWS Security Groups) located between the VBR components and the ESXi host.

  • Create or modify firewall rules to explicitly ALLOW the following traffic:

    • Protocol: TCP and UDP

    • Port: 902

    • Source IPs: IP address(es) of the VBR Server and all Backup Proxies.

    • Destination IP: IP address of the ESXi Host.