Veeam SureBackups and NFS Datastore Mounts Fail Following ESXi Upgrade

Article ID: 431442


Products

VMware vSphere ESXi

Issue/Introduction

Following an ESXi upgrade, Veeam SureBackups and NFS datastore mounts from ESXi hosts may fail. This issue typically manifests as a connectivity failure specifically over TCP Port 111, which is required for NFS mounting processes between the ESXi hosts and the Veeam Proxy Server.

Symptoms include:

  • Failure of Veeam SureBackup jobs.

  • Inability to mount vPower NFS datastores from ESXi hosts.

  • Connection timeout errors when attempting to reach the Veeam Proxy Server from the ESXi management network (vmk0).

  • Packet captures showing TCP SYN packets reaching the destination guest VM's vNIC, but no return traffic (TX) from the guest OS.

The vobd log shows the following error messages:

" NFS mount failed for x.x.x.x:/VeeamBackup_###-##-PROXY.########_ volume  VeeamBackup_###-##-PROXY.########_ . Status: Unable to connect to NFS server. "

" Failed to add NFS datastore for NFS host 'x.x.x.x'. Failed to mount NFS volume x.x.x.x:/VeeamBackup_###-##-PROXY.########_). Fault "PlatformConfigFaultFault", detail "Operation failed, diagnostics report: Mount failed: Unable to complete Sysinfo operation. Please see the VMkernel log file for more details.: Unable to connect to NFS server: VSI node (5001:) " 

Environment

VMware ESXi 8.x

Cause

The SentinelOne endpoint protection/firewall service running on the Veeam Proxy Server guest OS silently drops incoming traffic on TCP Port 111 originating from the ESXi hosts. While the port may appear open to other network devices, the security software identifies and blocks the specific connection attempt from the ESXi management interface.

Resolution

This is a configuration issue within the third-party security software.

Follow these steps to resolve the block:

  1. Engage Security Team: Coordinate with your SentinelOne Endpoint/Firewall team to review the security logs on the Veeam Proxy Server and identify the specific block rule triggering on TCP Port 111.

  2. Verify Block: To confirm SentinelOne is the culprit, temporarily disable the SentinelOne service/agent on the proxy VM and re-test the mount.

  3. Alternative Isolation: If disabling the service does not immediately resolve the issue, uninstall the endpoint agent entirely to ensure all kernel-level drivers/firewall hooks are removed for testing purposes.

  4. Permanent Fix: Once confirmed, create an explicit firewall allow rule or exclusion within the SentinelOne management console for:

    • Protocol: TCP

    • Port: 111

    • Source: ESXi Management IP addresses (vmk0)

    • Destination: Veeam Proxy Server IP

  5. Verify connectivity from the ESXi host CLI using: nc -zv <Veeam_Proxy_IP> 111
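The check in step 5 can be scripted so that a silently dropped connection (no reply to the SYN) is reported separately from a refused one. The following is an added example, not part of the original article or of any VMware, Veeam or SentinelOne tooling. It assumes a Python 3 interpreter on the machine where it runs; the function names `failed_nfs_servers` and `probe` are hypothetical, and the sample log lines are constructed from the vobd messages quoted above, using documentation IP addresses.

```python
import re
import socket
import sys

# Constructed sample, modelled on the vobd messages quoted in this article.
# 192.0.2.x are documentation addresses; the volume names are placeholders.
SAMPLE_VOBD = """\
NFS mount failed for 192.0.2.10:/VeeamBackup_PROXY01 volume VeeamBackup_PROXY01. Status: Unable to connect to NFS server.
Failed to add NFS datastore for NFS host '192.0.2.10'.
NFS mount failed for 192.0.2.11:/VeeamBackup_PROXY02 volume VeeamBackup_PROXY02. Status: Unable to connect to NFS server.
NFS mount failed for 192.0.2.10:/VeeamBackup_PROXY01 volume VeeamBackup_PROXY01. Status: Unable to connect to NFS server.
"""

MOUNT_FAIL = re.compile(
    r"NFS mount failed for (\d{1,3}(?:\.\d{1,3}){3}):\S+.*Unable to connect to NFS server")

def failed_nfs_servers(log_text):
    """Return the distinct NFS server IPs reported as unreachable, in first-seen order."""
    servers = []
    for match in MOUNT_FAIL.finditer(log_text):
        if match.group(1) not in servers:
            servers.append(match.group(1))
    return servers

def probe(host, port=111, timeout=5.0):
    """Classify one TCP connect attempt as 'open', 'refused' or 'filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"        # three-way handshake completed
    except ConnectionRefusedError:
        return "refused"     # a RST came back (closed port or an active reject)
    except (socket.timeout, TimeoutError):
        return "filtered"    # SYN unanswered: consistent with a silent drop
    except OSError as exc:
        return "error: %s" % exc   # e.g. no route to host
    finally:
        sock.close()

if __name__ == "__main__":
    # Pass a copy of the vobd log as the first argument, or use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VOBD
    for server in failed_nfs_servers(text):
        print(server, "tcp/111:", probe(server))
```

Because the drop described under Cause applies to connections from the ESXi hosts while the port may appear open to other devices, compare the result obtained from the ESXi host with the result from another machine on the network.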

Additional Information

Packet capture on ESXi using the pktcap-uw tool