Virtual machines (VMs) residing in a specific cluster are unable to perform image backups using Commvault. While backups for VMs in other clusters function normally, attempts to back up VMs in the affected cluster result in connection failures.
VMware vCenter Server 8.x
The root cause is a network communication failure where TCP port 902 is blocked between the vCenter Server/Backup proxy and the ESXi hosts in the affected cluster. This typically happens due to missing or incorrect Access Control Lists (ACLs) in the physical network infrastructure, especially following environment changes such as vCenter migration between racks or hardware generations.
To resolve this issue, you must ensure that port 902 is open and reachable between your management components and the ESXi hosts.
Verify Connectivity: Log in to an ESXi host in the affected cluster or a jump box on the same management segment and run the following command to test the port status:
nc -vz <HostFQDN> 902
Engage Networking Team: Ask your network or security team to investigate the firewall or router ACLs for the specific rack or subnet where the affected ESXi hosts reside.
Update ACLs: Ensure that ACL configurations are updated to allow vCenter connectivity to the ESXi VMkernel interfaces (vmk) on port 902.
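The connectivity check from the steps above, repeated across several hosts and grouped by subnet so the result points at the rack or subnet whose ACL needs review. This is an added example, not part of the original article; the function names, the /24 grouping and the sample addresses are assumptions.

```python
import ipaddress
import socket
from collections import defaultdict

NFC_PORT = 902  # TCP port this article is about


def probe(host, port=NFC_PORT, timeout=3.0):
    """Classify one TCP connect attempt as open / refused / filtered / unresolved."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unresolved"  # DNS problem, says nothing about the ACL
    except ConnectionRefusedError:
        return "refused"     # RST received: path is clear, nothing listening
    except OSError:
        return "filtered"    # timeout or unreachable: typical of an ACL drop


def summarize(results, prefix=24):
    """Group {vmk_ip: state} by subnet and give one verdict per subnet."""
    by_net = defaultdict(set)
    for ip, state in results.items():
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_net[str(net)].add(state)
    verdicts = {}
    for net, states in by_net.items():
        if states == {"open"}:
            verdicts[net] = "ok"
        elif states == {"filtered"}:
            verdicts[net] = "check ACL for this subnet"
        else:
            verdicts[net] = "check hosts individually"
    return verdicts


if __name__ == "__main__":
    # Constructed sample results (documentation address ranges), standing in
    # for {ip: probe(ip) for ip in <vmk addresses of your ESXi hosts>}.
    sample = {
        "192.0.2.11": "open",
        "192.0.2.12": "open",
        "198.51.100.21": "filtered",
        "198.51.100.22": "filtered",
    }
    for net, verdict in summarize(sample).items():
        print(f"{net}: {verdict}")
```

Run it from the vCenter Server side, the backup proxy or a jump box on the same management segment; a subnet where every host reports "filtered" is the one to hand to the networking team.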
Port 902 is critical for VMware operations. According to the reference "TCP and UDP Ports required to access VMware vCenter Server, VMware ESXi and more", port 902 must not be blocked between the vCenter Server and the hosts, as it is used for NFC traffic (backups) and for displaying virtual machine consoles.
TCP and UDP Ports required to access VMware vCenter Server, VMware ESXi and more