ESXi backup fails with VDDK Error 14009: Port 902 blocked to DMZ host

Article ID: 433811

Products

VMware vSphere ESXi

Issue/Introduction

When attempting to back up a new DMZ ESXi host, the backup process fails. This occurs because the backup appliance or proxy cannot establish a connection with the ESXi host for Network File Copy (NFC) or VIX operations.

Symptoms include:

  • Backup jobs for specific DMZ hosts failing consistently.

  • Connection timeouts or "failed response" errors when the backup appliance attempts to reach the ESXi host.

  • Error messages on the backup appliance:

    Example 1: Encountered non-retriable error while querying allocated disk blocks: [kVixError]: [1-4-212] [Code 14009] The server refused connection.

[support@backup-appliance ~]> nping ##.##.##.## -p 902
SENT (0.0014s) Starting TCP Handshake > ##.##.##.##:902
...
TCP connection attempts: 5 | Successful connections: 0 | Failed: 5 (100.00%)

Example 2: Error opening the disks for virtual machine [VM_NAME] Verify that the correct transport mode is selected. Access node [######] is unable to communicate with port 902 on host [#.#.#.#] for nbd access.

Environment

  • VMware ESXi 7.x, 8.x, 9.x
  • Component: Network File Copy (NFC) / VIX API

Cause

The issue is caused by a network firewall or security rule blocking TCP port 902 between the backup appliance/proxy and the ESXi host. Port 902 is mandatory for the vCenter Server and backup agents to communicate with ESXi hosts for data transfer and management tasks.

In some cases, an IP address misconfiguration on the ESXi host also leads to routing inconsistencies that prevent the backup server and the host from completing a handshake on port 902.

Example:

Working host: subnet mask is 255.255.255.0 | VM backups are working fine.

Non-working host: subnet mask was erroneously set to 255.255.0.0 | VM backups are not working.

Resolution

To resolve this issue, you must ensure that the necessary network ports are open to allow traffic between the backup infrastructure and the ESXi hosts.

  1. Coordinate with your Network Security Team to permit TCP port 902 between the backup appliance/proxy and the DMZ ESXi host. Also ensure there are no IP address or subnet mask inconsistencies between the working and non-working ESXi hosts.

  2. Verify the Network Path to ensure no intermediate firewalls or Access Control Lists (ACLs) are dropping traffic on this port.

  3. Test Connectivity from the backup appliance command line to the ESXi host using the following command:

    • nc -zv <ESXi_IP_Address> 902

    • A successful result should indicate that the connection to the port is open.

  4. Retry the Backup Job once connectivity is confirmed.
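
The checks in steps 1 to 3, as an added example (not part of the original article or of any VMware tooling): a Python script that classifies a port 902 connection attempt and shows how the wrong subnet mask from the Cause section changes the path the ESXi host uses to reply to the backup appliance. The IP addresses are constructed samples and the function names are hypothetical.

```python
import ipaddress
import socket
import sys


def probe_tcp(host, port=902, timeout=3.0):
    """Classify one TCP connect attempt as 'open', 'refused' or 'no-response'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # A RST came back: the path works, but the port is closed or a
        # firewall actively rejects it.
        return "refused"
    except OSError:
        # Timeout or unreachable: packets are dropped on the way, or the
        # replies never find their way back (routing or mask problem).
        return "no-response"


def reply_path(host_ip, host_mask, peer_ip):
    """How a host with this IP and mask sends packets to peer_ip."""
    net = ipaddress.ip_network(f"{host_ip}/{host_mask}", strict=False)
    return "on-link" if ipaddress.ip_address(peer_ip) in net else "gateway"


def mask_changes_routing(host_ip, configured_mask, expected_mask, peer_ip):
    """True when the configured mask routes replies differently than expected."""
    return (reply_path(host_ip, configured_mask, peer_ip)
            != reply_path(host_ip, expected_mask, peer_ip))


if __name__ == "__main__":
    # Constructed sample addresses, not taken from the article.
    esxi_ip, backup_ip = "10.20.30.15", "10.20.40.5"
    for mask in ("255.255.255.0", "255.255.0.0"):
        print(f"mask {mask}: ESXi replies to {backup_ip} via",
              reply_path(esxi_ip, mask, backup_ip))
    if mask_changes_routing(esxi_ip, "255.255.0.0", "255.255.255.0", backup_ip):
        print("the wider mask makes the host ARP for the appliance "
              "instead of using its gateway")
    if len(sys.argv) > 1:  # optional: real host to probe on port 902
        print(sys.argv[1], "port 902:", probe_tcp(sys.argv[1]))
```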

Additional Information

Port requirements for VMware vSphere ESXi