vSphere Replication Remote VR Connection shows "Not Connected" due to firewall blocking TCP ports between sites

Products

VMware vCenter Server

Issue/Introduction

In a vSphere Replication environment configured between a primary data center (DC) and a disaster recovery (DR) site, the Remote VR Connection status displays "Not Connected" in the VMware vCenter Server UI.

Replication tasks for virtual machines may appear to be running or may have been working previously, but the site-to-site connectivity status is down. The issue may recur after reconfiguring the replication setup.

When validating network connectivity from the vSphere Replication Management Server (VRMS) appliances:

From the DC VRMS to the DR site: curl tests on ports 443 and 8043 show "Connected." DNS resolution and ping succeed.
From the DR VRMS to the DC site: DNS resolves, ping succeeds with 0% packet loss, but curl tests on ports 443 (to vCenter) and 8043 (to VRMS) hang at "Trying..." with no "Connected" response.

This pattern indicates ICMP traffic passes in both directions, but TCP connections on the required vSphere Replication ports are blocked in one direction.

Environment

VMware vSphere Replication
VMware vCenter Server

Cause

A firewall, access control list (ACL), or network security policy between the DC and DR sites is blocking TCP traffic on ports 443 and/or 8043 in one or both directions. ICMP (ping) is permitted, which can give a false impression of full connectivity. vSphere Replication requires bidirectional TCP communication on these ports to maintain site pairing and the Remote VR Connection status.

Resolution

Step 1 — Validate bidirectional network connectivity

SSH into each VRMS appliance and run the following tests to confirm which direction and ports are blocked.

From the DR VRMS appliance:

curl -v telnet://<DC-vCenter-FQDN>:443
curl -v telnet://<DC-VRMS-FQDN>:8043
nslookup <DC-vCenter-FQDN>
nslookup <DC-VRMS-FQDN>
ping -c 4 <DC-vCenter-FQDN>
ping -c 4 <DC-VRMS-FQDN>

From the DC VRMS appliance (reverse direction):

curl -v telnet://<DR-vCenter-FQDN>:443
curl -v telnet://<DR-VRMS-FQDN>:8043
nslookup <DR-vCenter-FQDN>
nslookup <DR-VRMS-FQDN>
ping -c 4 <DR-vCenter-FQDN>
ping -c 4 <DR-VRMS-FQDN>

If curl hangs at "Trying..." in one direction while succeeding in the other, a firewall is blocking TCP on those ports unidirectionally.

If ping replies successfully but curl hangs or times out, this confirms that Layer 3 (IP) routing between the sites is functional. ICMP traffic is passing, meaning the hosts can reach each other at the network level. However, a stateful firewall, ACL, or security policy is selectively dropping TCP SYN packets on the specific ports (443 and/or 8043). This is a common firewall behavior where ICMP is permitted but TCP connections on certain ports are not, and it rules out DNS or routing issues as the cause.

Step 2 — Open required ports bidirectionally

Work with the network or firewall team to ensure the following TCP ports are open bidirectionally between the DC and DR VRMS/vCenter subnets:

TCP 443 — Communication between VRMS and vCenter Server (Lookup Service)
TCP 8043 — Communication between VRMS appliances for site pairing

For a complete list of required ports, see: vSphere Replication Management Server could not establish connection to vSphere Replication Server at '##.##.##.##:443.

Step 3 — Verify the fix

After the firewall rules are updated, re-run the curl tests from Step 1 to confirm "Connected" is returned on both ports in both directions. Verify the Remote VR Connection status returns to "Connected" in the vCenter UI.

If the error persists after following these steps, contact Broadcom Support for further assistance.

Provide the following information when opening a support request:

Output of the bidirectional curl, nslookup, and ping tests from both VRMS appliances
Screenshots of the Remote VR Connection status in the vCenter UI
VRMS support bundles from both sites