When attempting to back up a new DMZ ESXi host, the backup process fails. This occurs because the backup appliance or proxy cannot establish a connection with the ESXi host for Network File Copy (NFC) or VIX operations.

Symptoms include:

• Backup jobs for specific DMZ hosts failing consistently.

• Connection timeouts or "failed response" errors when the backup appliance attempts to reach the ESXi host.

• Error Message on Backup Appliance - Encountered non-retriable error while querying allocated disk blocks: [kVixError]: [1-4-212] [Code 14009] The server refused connection.

[support@backup-appliance ~]> nping ##.##.##.## -p 902
SENT (0.0014s) Starting TCP Handshake > ##.##.##.##:902
...
TCP connection attempts: 5 | Successful connections: 0 | Failed: 5 (100.00%)

• VMware ESXi 7.x, 8.x, 9.x

• Component: Network File Copy (NFC) / VIX API

The issue is caused by a network firewall or security rule blocking TCP port 902 between the backup appliance/proxy and the ESXi host. Port 902 is mandatory for the vCenter Server and backup agents to communicate with ESXi hosts for data transfer and management tasks.

To resolve this issue, you must ensure that the necessary network ports are open to allow traffic between the backup infrastructure and the ESXi hosts.

1. Coordinate with your Network Security Team to permit TCP port 902 between the backup appliance/proxy and the DMZ ESXi host.

2. Verify the Network Path to ensure no intermediate firewalls or Access Control Lists (ACLs) are dropping traffic on this port.

3. Test Connectivity from the backup appliance command line to the ESXi host using the following command:

   • nc -zv <ESXi_IP_Address> 902

   • A successful result should indicate that the connection to the port is open.

4. Retry the Backup Job once connectivity is confirmed.

Port requirements for VMware vSphere ESXi