Remote Agent for Linux or Unix Servers (RALUS) backup job fails with "A communications failure has occurred" if the "Firewall" is enabled on the remote UNIX\Linux server

Article:TECH48490  |  Created: 2006-01-15  |  Updated: 2013-03-25  |  Article URL http://www.symantec.com/docs/TECH48490
Article Type
Technical Solution

Product(s)

Issue



A Backup Exec for Windows Servers Remote Agent for Linux or Unix Servers (RALUS) backup job fails with the error "A communications failure has occurred" if the firewall is enabled on the remote UNIX\Linux server.


Error



Final error: 0xe000fe30 - A communications failure has occurred. Or,

Error : e000ff11 - A communications failure has occurred with a Linux or Unix resource.

 

Error traced in SGMON:

Control connection is successfully established at NDMP port 10000 as shown below:
bengine: [4320] 07/15/06 12:36:46 ndmpConnect : Control Connection information : connection established between IP 10.xxx.xxx.xxx, port 5796 and IP 10.xxx.xxx.xxx, port 10000
bengine: [4320] 07/15/06 12:36:46 NDMP version 3 connection CONNECTED

Data connection fails to establish at dynamic tcp port as shown below:
TF_InitMediaServerReverseConnection: Data Connection: Failed to connect to remote address 10.xxx.xxx.xxx:32820, system error message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

 


Cause



With the introduction of RALUS, Backup Exec uses the well-known NDMP port 10000 for Unix and Linux backup communications. For backup communication to succeed, the ports listed under Solution must be open.

 


Solution



For a successful backup, the following ports need to be open at the firewall:

Port 10000   (NDMP Control Port)
Range of dynamic ports   (Example: Dynamic Data Port range: 1025-65535)

This is the full available range, but administrators can choose to open a specific range at the firewall.

Note: Symantec recommends having port 10000 open and available on the Backup Exec media server as well as on the remote systems. In addition, open the dynamic port range specified for communications between the media server and remote agents. It is the combination of the two ports (Control + Data) that makes data backups succeed.

Communication between the media server and the Remote Agent will usually require up to 2 ports on the remote agent side per backup operation. To support multiple backups and restores occurring simultaneously, the firewall must be configured to allow a range of ports.


Important:

In most cases it has been observed that customers have opened only one port, i.e. NDMP port 10000, at the firewall for data communications. This is not the correct setting: NDMP port 10000 only establishes the "Control" connection with the remote UNIX\Linux system, and the data connection requires another (dynamic) port to be opened at the firewall; otherwise the backup will fail. One example of such a firewall setting is given below.


Figure 2:
 


As seen in the figure above, the entire dynamic port range is blocked except NDMP port 10000. With this setting customers can view and browse remote UNIX\Linux resources, but they cannot back up the data because the rest of the dynamic data port range is blocked.


To resolve this issue, make sure the firewall is not enabled on the remote UNIX\Linux server or, if the firewall is enabled, make sure a dynamic port range is opened so that data communications can take place.

Note: Iptables is the firewall and packet filtering tool in the Linux 2.4 kernel and beyond. For UNIX servers please refer to the UNIX manual.

1. To check whether the firewall is enabled on the remote Linux (RedHat) server, type the following command:

iptables -L

2. Using iptables, open the range of ports for data communications to take place. In this example the "dynamic port range" 32821 to 32829 was opened after reading the SGMON log, as shown in Figure 3 below.

Figure 3:
 

This range may differ from one system to another. The important thing is to have a certain range of ports free so that data transfer can take place.

For details on the use of "iptables" please see the article given in the Related Documents section.

3. To define the range of ports that the media server and remote agent must use, see the article below. Restart the firewall if necessary.
 
www.symantec.com/docs/TECH43579
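
Steps 1 to 3 as an added example (not from the original article or from Symantec): it pulls the blocked data ports out of SGMON output and prints iptables rules that open port 10000 and the chosen data range to the media server only, rather than to every source. The function names, the 192.0.2.x addresses and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names, 192.0.2.x addresses and the log are constructed.

# Constructed SGMON excerpt in the format shown in this article.
sample_sgmon_log() {
cat <<'EOF'
bengine: [4320] 07/15/06 12:36:46 NDMP version 3 connection CONNECTED
TF_InitMediaServerReverseConnection: Data Connection: Failed to connect to remote address 192.0.2.20:32820, system error message: A connection attempt failed
TF_InitMediaServerReverseConnection: Data Connection: Failed to connect to remote address 192.0.2.20:32821, system error message: A connection attempt failed
TF_InitMediaServerReverseConnection: Data Connection: Failed to connect to remote address 192.0.2.20:32820, system error message: A connection attempt failed
EOF
}

# Read SGMON text on stdin; print each unreachable data port once, sorted.
ralus_failed_data_ports() {
    sed -n 's/.*Data Connection: Failed to connect to remote address [^:]*:\([0-9][0-9]*\).*/\1/p' | sort -un
}

# Print (not apply) iptables rules for the RALUS host: control port 10000 plus
# the data range LO-HI, accepted only from the media server address SRC.
ralus_rules() {
    rr_src=$1 rr_lo=$2 rr_hi=$3
    for rr_p in "$rr_lo" "$rr_hi"; do
        case "$rr_p" in ''|*[!0-9]*) echo "ports must be numeric" >&2; return 1 ;; esac
    done
    if [ -z "$rr_src" ] || [ "$rr_lo" -lt 1025 ] || [ "$rr_hi" -gt 65535 ] || [ "$rr_lo" -gt "$rr_hi" ]; then
        echo "usage: ralus_rules MEDIA_SERVER_IP LO HI (1025 <= LO <= HI <= 65535)" >&2
        return 1
    fi
    # -I inserts at the top of INPUT, ahead of any existing REJECT/DROP rule.
    printf 'iptables -I INPUT -p tcp -s %s --dport 10000 -j ACCEPT\n' "$rr_src"
    printf 'iptables -I INPUT -p tcp -s %s --dport %s:%s -j ACCEPT\n' "$rr_src" "$rr_lo" "$rr_hi"
}

echo "Blocked data ports seen in SGMON:"
sample_sgmon_log | ralus_failed_data_ports
echo "Rules to review, then run as root on the Linux server:"
ralus_rules 192.0.2.10 32821 32829
```

The opened range only helps if the agent is limited to the same range, which is what the article referenced in step 3 configures.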



NOTE:

Always check if the version of Linux is included in the Software Compatibility List ( SCL ).

Supplemental Materials

Value: 0xe000fe30
Description: A communications failure has occurred.

Value: V-79-57344-65297
Description: A communications failure has occurred.

Value: V-79-57344-65297
Description: The Linux or Unix resource is not responding. Backup set canceled.



Legacy ID



284320

