Rubrik backup appliances encounter "Connection Refused" or "Connection Timed Out" errors when attempting to communicate with ESXi hosts. This prevents data retrieval during backup jobs.

• Connectivity tests using nc -zv <ESXi Host IP / FQDN> 902 confirm that the management port is unreachable from the backup subnet
  
  
• vpxa service and ESXi firewall rules being active on the ESXi hosts

VMware vSphere ESXi 

VMware vCenter Server

A network-layer block or Access Control List (ACL) modification in the physical network infrastructure prevents TCP Port 902 traffic between the Rubrik appliance and the ESXi management interfaces.

1. Verify the current network path and identify upstream physical firewalls or routers between the backup appliance and ESXi management network.
2. Audit physical firewall logs for dropped packets originating from the Rubrik appliance IPs targeting ESXi management IPs on Port 902.
3. Ensure TCP Port 902 is bi-directionally open to allow NBD/NBDSSL transport traffic.
4. Once the network team applies the necessary ACL or firewall updates, validate connectivity from the Rubrik appliance using: nc -zv <ESXi_IP_ADDRESS> 902
5. Rerun the impacted backup jobs to confirm resolution.

TCP and UDP Ports required to access VMware vCenter Server, VMware ESXi and more