Secure channel communications stop working after disabling TLS 1.0/1.1

December 26, 2018, 10:11 am

Challenge

After disabling TLS 1.0/1.1, Veeam functionality which utilizes the SCHANNEL security provider, such as license auto-update, license usage reporting and Veeam explorers with remote mounts stop working.
You can see the following error in the Svc.VeeamBackup.log log file and/or in the pop-up error window.
The client and server cannot communicate, because they do not possess a common algorithm

Cause

The currently targeted .NET Framework version, 4.5.2, defaults to TLS 1.0 and doesn’t switch automatically to 1.2 when TLS 1.0/1.1 is disabled.

Solution

The following registry keys will need to be added on machines where TLS 1.0/1.1 has been disabled to force the usage of TLS 1.2.

Locations: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319

Name: SchUseStrongCrypto
Type: DWORD
Value: 1

Name: SystemDefaultTlsVersions
Type: DWORD
Value: 1

A .reg file is provided by Microsoft that will set these keys to their most safe values:
https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#configuring-security-via-the-windows-registry

More Information

Microsoft .NET Framework Best practices for TLS
https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls

↧

HCL - QSAN XCubeNAS XN8012R

January 7, 2019, 11:12 am

≫ Next: VMware Cloud on AWS Support. Considerations and Limitations

≪ Previous: Secure channel communications stop working after disabling TLS 1.0/1.1

Challenge

Product Information:

Company name: QSAN Technology, Inc.
Product Family: XCubeNAS XN8000
Status: Veeam Ready - Repository
Classification Description: Verified backup storage that supports all Veeam backup and restore features.

*This Veeam Ready test was performed with an SSD/Flash configuration. As such, this classification only applies to configurations in which the same amount or more SSD drives are used. The use of non-SSD drives may negatively impact performance.

Solution

Product Details:

Model number: XN8012R
Storage Category: Hybrid RAID Storage
Drive quantity, size, type: 4 – 2TB SSD
Storage configuration: RAID5
Firmware version: QSM 3.1.1
Connection protocol and speed: iSCSI, 10 GbE
Additional support: All models and configurations of XCubeNAS XN8000 with specifications equivalent or greater than the above

General product family overview:

QSAN Storage Manager 3 (QSM 3) is a NAS operation system specially designed for QSAN XCubeNAS series. The core of QSM is Linux kernel and in-house fine-tuning 128-bit ZFS. The ZFS has high scalability and can be managed easily, also with the ability to maintain the data integrity. QSM 3 not only inherits the amazing native features of ZFS, its powerful storage features ensure persistent, reliable storage management, protection against data corruption, seamless capacity expansion, several data integrity mechanisms, pool and disk encryption protection, unlimited snapshots, and unlimited clones.

Veeam testing configuration:

Note: The following settings were used by the vendor to meet Veeam Ready testing requirements and should not be considered best practices. Additional changes or settings may be needed to meet the storage efficiency or performance needs for each environment. For each setting, reference links are provided for further clarification.

Veeam Build Number: 9.0.0.1922

Job Settings:

Deduplication:	Enabled (Default)
Compression:	Optimal (Default)
Storage Optimization:	Local Target (Default)

Repository Settings:

Repository Type:	Windows
Align backup file blocks:	Disabled (Default)
Decompress before storing:	Disabled (Default)
Per-VM Backup Files:	Disabled (Default)

Vendor recommended configuration:

Hardware Settings:

Array deduplication used in testing – No
Array compression used in testing – Yes

↧

VMware Cloud on AWS Support. Considerations and Limitations

January 8, 2019, 11:10 pm

≫ Next: Enable SQL Database exclusions from application-aware image processing

≪ Previous: HCL - QSAN XCubeNAS XN8012R

Challenge

VMware Cloud on AWS is a vSphere environment running on AWS hardware, that needs some specific preparation to allow Veeam Backup & Replication v9.5 Update 4 or newer to work with it. Besides the below-listed preparation and limitations, you can interact with it within Backup & Replication like any other vSphere environment to backup, restore and replicate VM workloads.

Some of VMware features and permissions are not granted by default at the start of VMware Cloud on AWS (VMC). Thus, some depending Veeam Backup & Replication features will be limited or not operating. Depending on VMware update releases for VMware Cloud on AWS, the situation may change and the features from the table below may become available. Please contact your VMware administrator for timely update.

Solution

Implementation step 1 - Backup & Replication

Use a new Windows Server and install Veeam Backup & Replication v9.5 Update 4 or newer if you do not have a Veeam Backup Server. The Server can run within any VMware cloud on AWS SDDC, AWS S3 or on-premises environments, if the network connection to the VMC vCenter/Veeam Servers potentially the VMs (for Guest processing) is possible.
Add DNS network settings so that this Server can resolve Internet DNS names to be able to resolve the fully qualified domain name of the VMC vCenter server
Check the below information carefully for any known limitations and configuration steps before you proceed.

Implementation step 2 - VMware Cloud on AWS

Firewall Configuration for vCenter connection

The Veeam Backup and Replication Server and Veeam proxy server should be connected to the VMware vCenter using HTTPS through TCP port 443. At VMware Cloud on AWS there is no need to open ports to the ESXi hosts itself. As the vCenter Server is by design of VMware Cloud on AWS on another network (Management Network), you need to configure one of the following 3 options:

Usage of the vCenter public IP for customers with NSX-v (default)
- Open Port TCP 443 from Backup Server and Proxy Server to the predefined vCenter object on the Compute Network.
- Allow the Compute Gateway Public IP to communicate over TCP 443 with the predefined vCenter object on the Management Network.
Usage of a VPN tunnel for customers with VMware NSX-v
To be able to directly access the vСenter within VMC, please follow the VMC internal guidelines to create a VPN tunnel from the compute network to the management network: https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/com.vmware.vmc-aws.getting-started/GUID-30BED7B3-D312-4DF3-BD7A-66F8D1C619DC.html
Please update your DNS Servers to resolve the FQDN of the vСenter to its private IP address. If you want to use hosts entries on the Veeam Server for it, add them on all Veeam Backup and Proxy Servers.
If your Backup & Replication (Management) Server is outside of the VMC cluster, please implement the same VPN connection for it.
Usage of the local connection for customers with VMware NSX-t
NSX-t allows VMC customers to directly access the management network over the built-in firewall. TCP Port 443 needs to be opened from all Veeam Backup and Veeam Proxy Servers as a Source with the vCenter internal IP as a target.
a) Configure DNS entry of the vCenter for local IP address usage.
Go to your SDDC Management – Settings – vCenter FQDN and select the Private vCenter IP address.
Hint: If you configure the vCenter DNS record for the internal IP address, you will lose VMC connection from Backup and Replication Server outside of VMC. You can use the local hosts file or any other DNS method to resolve the vCenter FQDN with the public IP address on the Veeam Server outside of VMC. Optionally, use the Public IP address for the VMC internal and external Veeam Server.
b) Open firewall ports for vCenter Server access
On the Management Network

On the Compute Gateway

Implementation step 3 - add vCenter

Add vCenter to the Veeam console as described here: https://helpcenter.veeam.com/docs/backup/vsphere/add_vmware_server.html?ver=95

Create a vCenter User with required rights (Active Directory linked mode) described here, or use the cloudadmin@vmc.local user.
When adding a vCenter server, specify the fully qualified domain name (FQDN) that ends with vmwarevmc.com or vmc.vmware.com (depending on the URL shown in the VMC interface for the vCenter).

Implementation step 4 - add Veeam Proxy

For any VMware Cloud on AWS SDDC Cluster, roll out at least one Veeam Proxy Server to be able to process HotAdd / Virtual Appliance Backup Mode. The Backup & Replication itself can be used when installed at the SDDC Cluster (Proxy preinstalled). Please look at the Veeam documentation for details: https://helpcenter.veeam.com/docs/backup/vsphere/add_vmware_proxy.html?ver=95

Implementation step 5 - add Veeam Repository

VMware Cloud on AWS has only one accessible vSAN disk. It would not make sense to use that disk for production workloads and backups. An external Backup device needs to be added. Depending on the use case there are several ways to achieve this with different economic factors. Please find below an example of an Amazon S3 EC2 Linux Server (e.g. EC2 C4 Server with EBS ST1 storage) used as a backup target over the VMware Cloud on AWS integrated ENI network connection:

User-added image

To connect the EC2 Server(s) used as Veeam Repositories the following Firewall configuration is needed:

On the Compute Network:
1. Open TCP 22 (SSH) port from Veeam Backup server and Veeam proxy server to the Amazon VPC where the EC2 Server was installed. You can as well define the exact IP addresses of the repository server as Destination.
2. Open TCP 2500-5000 ports for Veeam Data Transport in both directions for same servers. It is recommended to use the VMware Cloud on AWS integrated high throughput/low latency ENI network connection to avoid any traffic costs.
Open the same ports on the Inbound Firewall of the Amazon EC2 server used as a repository server. As the Firewall Rule Source you should add all Veeam Backup Servers (including Proxy/Repository/MountServer/Console/…) instead of 0.0.0.0/0

Implementation step 6 - add secondary backup target

It is suggested to create a backup copy to an additional place. Depending on the use case there are several ways to achieve this with different economic factors. Among other ways the following technologies can be used:

Veeam Backup Copy Job to a second EC2 Server used as an additional Repository. The second EC2 Server can be placed on another AWS Availability Zone or AWS Geo Location.
AWS Storage Gateway Software in VTL mode can be used to emulate a Tape Library to write data to S3. Veeam Backup to Tape Jobs can be used with it. For details see: https://www.veeam.com/wp-using-aws-vtl-gateway-deployment-guide.html
Veeam Backup Copy Job to on premises or Veeam Cloud Connect (Enterprise). There is no special configuration needed for this use case beside network and firewall connections. For standard Repository usage on premises it is recommended to create a VPN tunnel from VMware Cloud on AWS to the on premises datacenter. This can be done by the VMC integrated VPN functionality, by Veeam PN or Third Party.

Additional Scenarios

VMware Cloud on AWS used as Restore target.
1. Implementation steps 1-4 are needed.
Veeam VM Replication.
1. Implementation steps 1-5 are needed. The Repository Server (when NOT used for Backups, can run within the VMware Cloud on AWS SDDC to store the Veeam Replication data. On premises to VMC, VMC to VMC and VMC to on premises is possible. Usage of Veeam Availability Orchestrator is possible in specific scenarios, see VAO deployment guide: https://helpcenter.veeam.com/docs/vao/deployment/welcome.html?ver=10

More Information

VMware Cloud on AWS specific problems and solutions:

Problem

There is no option to select a network at Veeam “Entire VM” restore to a new VM name wizard when VMware Cloud on AWS is used with VMware NSX-t.

Solution

After restore, go to the VM configuration within the vCenter
Delete the network card and save the configuration
Create a new network card for the VM
Apply the needed Network card settings within the Operating System as usual

Problem

Impossible to add the VMware Cloud on AWS vCenter server to the managed server, VMs within this vCenter are not visible in the list of VMs or an Error is displayed in the Veeam Jobs “Processing SQL Error: File does not exist or locked. …”

Solution

Create a vCenter User with required rights (Active Directory linked mode) described here, or use the cloudadmin@vmc.local user.
When adding a vCenter server, specify the fully qualified domain name (FQDN) that ends with vmwarevmc.com or vmc.vmware.com (depending on the URL shown in the VMC interface for the vCenter).

Problem

When working with Restore or VM Replication wizard, users may face some issues accessing VMware Cloud on AWS vCenter server. By design, VMware does not provide customers access to the background infrastructure and used datastores.

Solution

For proper operation, you can select the specific areas marked as “Workload” or “Compute”. Avoid using the non-accessible areas, for example:

vsanDatastore datastore
Management VMs folder
Mgmt-ResourcePool resource pool

Problem

Backup & Replication stop working after VMware Cloud on AWS was automatically updated to Version 1.3 or newer.

Solution

UPDATE: New VMware Cloud on AWS SDDC 1.3 or newer (including the latest version 1.5) requires updated Veeam Backup & Replication components. Please download Update 3a (or newer) for Veeam Backup & Replication 9.5 here

Problem

Some of the Backup & Replication Features are not working correctly because of limitations of the VMware Cloud on AWS environment (compared with a standard vSphere environment).

Solution

Affected Veeam Feature	Limitation	Workaround
Instant VM Recovery	Currently, VMware Cloud on AWS (VMC) does not allow for NFS usage	Use a combination of a Veeam backup job and replication job for proactive restore capabilities
Other OS File Level Recovery	Currently, VMC does not allow for NFS	Start Linux File-Level Recovery from a backup copy on-premises
Quick Migration	Quick Migration cannot migrate VMs to VMC if they are running	Use Veeam Replication and permanent failover to achieve similar functionality For Free Edition, shut down the VM before migration
SureBackup, Sure Replica, OnDemand Labs, Virtual Lab	Currently, VMC does not allow NFS and network manipulation	As for SureReplica, you can perform it if the replication target is a non-VMC vSphere environment (e.g., replicate VM from VMC to on-premises)
VM Guest Interaction and Windows File Restore by VIX or WebService API	Currently, VMC does not allow usage of VMware Webservice API	If you want to perform Veeam Guest processing or Windows File-Level Recovery, then connect to a VM over the network from Veeam Backup & Replication
VM Replication ReIP	ReIP is not available on VMC
Windows Dynamic disks are not supported	Currently, VMC does not allow to process dynamic disks at Hot-Add (Virtual Appliance mode) backup	VMware will provide a hotfix for this soon
Non-Unicode VM names	Currently, VMC does not allow non-Unicode characters for VM names within their APIs used ad VMC
VM Replication-based File Level Recovery		Use file restore from backups or use a VM replica on a non VMC environment to start the File recovery

↧

Enable SQL Database exclusions from application-aware image processing

January 9, 2019, 7:52 am

≫ Next: Support Partners Case Management

≪ Previous: VMware Cloud on AWS Support. Considerations and Limitations

Challenge

An SQL Database can be excluded from Veeam Application-Aware image processing

Solution

The solution below will instruct you on how to enable and use the DBExclusion menu that is built-in to Veeam Backup & Replication v7 and higher.

1. Close the Veeam Backup & Replication console.
2. Open Regedit.exe
3. Navigate to the key HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\
4. Add a new DWORD ‘EnableDBExclusions’
5. Set the Value to 1
User-added image

6. Close the Registry Editor and open Veeam Backup & Replication
7. Open “Database Exclusions” from the Main Menu
User-added image

8. In the window that pops up, click Add.
9. Specify the DNS name (case sensitive) or the IP address and the instance name(case sensitive) that you wish to exclude from VSS Freezing and being Quiesced.
10. Specify the Database name (case sensitive) that you wish to exclude from application-aware image processing.
User-added image

More Information

NOTE: The key works only for Microsoft SQL server databases.

↧

Support Partners Case Management

January 10, 2019, 2:03 am

≫ Next: Procedure to migrate a Cloud Connect tenant to vCloud Director

≪ Previous: Enable SQL Database exclusions from application-aware image processing

Challenge

A new feature on the ProPartner Portal allows all registered users of your organization to submit and manage Veeam support tickets on behalf of your customers. Previously, with Case Administrator feature only certain employees at a partner organization had rights to manage their customers’ support cases. And with this new feature, all registered members of your team now get access to your customer’s cases in only a few clicks.

Please note: to use this functionality you must have an active ProPartner registration.

Solution

Requesting rights to manage cases

To access this new feature you need to be logged into the ProPartner portal.

Find the desired contract and submit a request to manage cases by clicking the Request permission button. Once the request is submitted the button is replaced with Pending approval status, and an e-mail about the new request is sent to the Primary License Administrator of the selected contract.

User-added image

Approval of requests

The Primary License Administrator of the contract will receive an email notification about the new request to manage cases. Additionally, all requests will be visible to any License Administrators and can be Accepted or Declined in their My Account:

User-added image

Any users with the following roles on the contract can approve a request:

Primary license administrator
Secondary license administrator
License administrator

After the request is approved or declined, the user from the partner's account who submitted the request will receive a communication from Veeam about the request status.

Opening a case via the ProPartner Portal

Once the request is approved, ProPartner users will see an Open a Case button on the ProPartner page:
User-added image
Clicking the button will take you to a predefined Open a Case form.
Fill in the remaining required fields, click Next and submit the case as you normally would with any other case.

More Information

For any questions please feel free to reach out to supportmanagement@veeam.com

↧

Procedure to migrate a Cloud Connect tenant to vCloud Director

January 14, 2019, 11:52 pm

≫ Next: Veeam Intelligent Diagnostics: Signatures import

≪ Previous: Support Partners Case Management

Challenge

SPs who have vCloud Director deployed in their infrastructure can expose vCloud Director resources as cloud hosts for tenant VM replicas. This article describes a procedure of migrating existing tenants to vCloud Director.

Solution

On the Tenant side:
1. Delete all Cloud Backup and Replication jobs.
2. Remove the Service Provider from the Tenant's Backup & Replication console.

On the SP side:
3. Unsubscribe the Tenant from all resources.
4. Delete the Tenant.
5. Under Home tab, check if there are any Failover Plans left from this Tenant and delete them.
6. Remove all Tenant's Replicas from configuration (do not delete them from disk!). If present, also remove from configuration Tenant's backups under the Backups -> Disk node.
7. If vCloud Director has not been added yet, delete the managed vCenter first and then add a vCD.
8. Create a vCD organization and an organization vDC.
9. Create necessary networks.
10. Import VMs (previously created Replicas) to the organization.
11. Create a vCD tenant.
12. Create a folder on the repository for the newly created Tenant.
13. Move the Tenant's backups to that folder.
14. Rescan the repository.

On the Tenant side:
15. Add the Service Provider.
16. Create jobs and map backup and replicas. Please see Tenant's actions under referenced KB articles.

On the SP side:
17. After the initial replication job run, ensure that networks are mapped correctly at the vCD side and correct manually if needed.

↧

Veeam Intelligent Diagnostics: Signatures import

January 15, 2019, 1:09 am

≫ Next: Veeam Availability Console U1 Cumulative Patch 1807

≪ Previous: Procedure to migrate a Cloud Connect tenant to vCloud Director

Challenge

Veeam Intelligent Diagnostics process involves signatures - problem definitions that are based on common issues investigated by Veeam Support.

This KB article contains the most recent signatures for manual import in Veeam ONE 9.5 Update 4.

Cause

Manual import is necessary when Veeam ONE server is isolated from the network.

Solution

Importing Signatures

If Veeam ONE Monitor server has no Internet connection, you can manually import the file with the latest version of signatures:

Download the signatures.
Open Veeam ONE Monitor. For details, see Accessing Veeam ONE Monitor.
At the bottom of the inventory pane, click Data Protection View.
In the inventory panel, select the main node.
Open the Veeam ONE Agent tab.
At the top of the page, click Import Signatures.
Specify a path to the .package file with signatures obtained from Veeam Support and click Open.

NOTE: Veeam Intelligent Diagnostics is available for Veeam Backup & Replication version 9.5 Update 3 or later.

More Information

[[DOWNLOAD|DOWNLOAD SIGNATURES|will be updated soon]]

MD5 checksum for KB2869.zip is [will be updated soon].

Should you have any questions, contact Veeam Support.

↧

Veeam Availability Console U1 Cumulative Patch 1807

December 27, 2018, 4:49 am

≫ Next: Veeam Intelligent Diagnostics: Signatures import

≪ Previous: Veeam Intelligent Diagnostics: Signatures import

Challenge

Veeam Availability Console U1 Cumulative Patch 1807

Cause

Please confirm you are running version 2.0.2.1750 or later prior to installing this cumulative patch 1807. You can check this under Windows > Programs and features. After upgrading, your build will be version 2.0.2.1807.

As a result of on-going R&D effort and in response to customer feedback, cumulative patch 1807 includes a set of bug fixes, the most significant of which are listed below:

Server

•   Under certain conditions password in the SMTP server settings is reset.

Monitoring & Alarms

•   Job name flittering is ignored in the job session state alarm.

Reporting & Billing

•   Cloud repository quota usage may report incorrect values when Veeam Agent backups are sent to the cloud repository via backup copy jobs.

ConnectWise Manage Plugin

•   Under certain conditions ConnectWise Manage configurations cannot be created.

Solution

To install the cumulative patch 1807:

1. Back up the VAC database.
2. Log off VAC Web UI.
3. Execute VAC.ApplicationServer.x64_2.0.2.1807.msp as administrator on the VAC server, or run this cmdlet as administrator:

msiexec /update c:\VAC.ApplicationServer.x64_2.0.2.1807.msp /l*v C:\ProgramData\Veeam\Setup\Temp\VACApplicationServerSetup.txt

4. Execute VAC.ConnectorService.x64_1.0.0.254.msp as administrator on the VAC server, or run this cmdlet as administrator:

msiexec /update c:\VAC.ConnectorService.x64_1.0.0.254.msp /l*v C:\ProgramData\Veeam\Setup\Temp\VACConnectorServiceSetup.txt

5. Log in to VAC Web UI.

More Information

[[DOWNLOAD|DOWNLOAD CUMULATIVE PATCH|https://www.veeam.com/download_add_packs/availability-console/kb2667/]]

MD5 checksum for KB2667.zip is b4c3f01b8fce8ec130c73c55245479e5

Should you have any questions, contact Veeam Support.

↧

Veeam Intelligent Diagnostics: Signatures import

January 15, 2019, 1:09 am

≫ Next: Unable to allocate processing resources

≪ Previous: Veeam Availability Console U1 Cumulative Patch 1807

Challenge

Cause

Manual import is necessary when Veeam ONE server is isolated from the network.

Solution

Importing Signatures

If Veeam ONE Monitor server has no Internet connection, you can manually import the file with the latest version of signatures:

Download the signatures.
Open Veeam ONE Monitor. For details, see Accessing Veeam ONE Monitor.
At the bottom of the inventory pane, click Data Protection View.
In the inventory panel, select the main node.
Open the Veeam ONE Agent tab.
At the top of the page, click Import Signatures.
Specify a path to the .package file with signatures obtained from Veeam Support and click Open.

NOTE: Veeam Intelligent Diagnostics is available for Veeam Backup & Replication version 9.5 Update 3 or later.

More Information

[[DOWNLOAD|DOWNLOAD SIGNATURES|will be updated soon]]

MD5 checksum for KB2869.zip is [will be updated soon].

Should you have any questions, contact Veeam Support.

↧

Unable to allocate processing resources

January 15, 2019, 3:14 am

≫ Next: List of Ports Used by Veeam Backup & Replication

≪ Previous: Veeam Intelligent Diagnostics: Signatures import

Challenge

VMware backup fails with the error message “Unable to allocate processing resources. Error: No backup proxy is able to backup this VM. Check processing mode settings on proxies” or "Unable to allocate processing resources due to processing mode restrictions"

Cause

This is generally caused when there are no backup proxies available to process the job. Reasons for this include:

Too many jobs are running at a time for the number of concurrent tasks set across all proxies available to the job that failed.
Proxies may be unavailable (Shutdown, not connected to the network, etc.).
The existing set of backup proxies does not have enough resources to process the backup jobs in a timely manner.
The virtual machine might be being processed by another job
New LUNs created and/or VMs migrated to new LUNs

Solution

Finding the best solution can be different for each environment and backup infrastructure. Choose what fits your situation the best.

Stagger your backup jobs and replication jobs at different time slots so that a job isn’t waiting on available proxies when it starts. (Ex. Instead of scheduling your jobs to all start at 8:00PM, start one job at 8:00, another at 8:30, and another at 9:00.)
Increase the number of concurrent tasks allowed on your proxies. However, keep in mind the system requirements. See How to set max concurrent tasks. If your backup proxy is a virtual machine, you should increase the amount of CPU and RAM available to the proxy.

VERSION 7.X through to VERSION 9.X with default job settings requires 1 CPU core and 200 MB RAM per task that you wish the proxy to run at a time, plus 2 GB RAM for the operating system and Veeam services. Although only 200 MB per task is required, a 2GB per CPU core ratio is recommended for best performance and reliability. (2 Tasks at once = 2 CPU cores and 2.4 GB RAM required, 4GB recommended)
- If using high compression, 2 cores per concurrent task are required.
- Memory usage may be greater than the minimum system requirements. If memory usage on the proxy frequently exceeds 80%, consider increasing the available memory.
- VERSION 7.X through to 9.X runs tasks in parallel, but can run sequentially with the parallel processing option disabled. Processing multiple disks on one VM will reserve multiple concurrent tasks. See Enabling Parallel Processing.
Remember to not under-allocate your Veeam Backup server, especially if it is your backup proxy. If the configuration database is installed on a local SQL instance (the default installation), then SQL Express should be allocated 1 CPU core and 1-1.5 GB RAM when planning your resource usage. A full version of SQL may use significantly more resources in a large environment. 500 MB RAM per concurrent task is recommended for the Veeam Backup services and the SQL server combined; 4 GB minimum.

Deploy additional backup proxies from within “Backup Infrastructure->Backup Proxies”.
- This can be a physical server, an existing VM, or a newly-deployed VM. If adding existing virtual machines, bear in mind that Changed Block tracking will be disabled when backing up these VMs, which can substantially increase processing time.
Make sure that your backup job or replication job is selecting the correct proxies. Choose “Automatic selection” to have Veeam try to choose the best proxy from your available pool of proxy machines, or choose a specific set of proxies. The latter can be useful if you have set up a specific proxy with a large amount of resources to be used on a large backup or replication job.

However, be careful as a backup job set to use a single proxy can fail with the above error if that proxy is unavailable. It might be beneficial to choose more than one if manually specifying proxies.
Also note that automatic proxy selection will detect available transport modes for each proxy, and then wait for a proxy with the best available transport mode. The modes are ranked as follows: Direct SAN (SAN) > Virtual Appliance (HOTADD) > Network (NBD). For example, if you have a virtual machine proxy on each of three hosts, and all of your VMs are on local storage, a job set to automatic will wait for the proxy that has access to the local storage (HOTADD) rather than use an available proxy that can only read the disk over the network (NBD). For more information, see Transport Modes.

Investigate backup job performance. If specific jobs are taking longer to process than normal, check for warnings, compare the bottleneck statistics to previous jobs sessions, and try to isolate the problem to a specific proxy, repository, host, or datastore.
Present newly added LUNs to the Veeam Server

More Information

Similar errors can occur when the number of concurrent tasks exceeds the limit set on a repository. See Repository Settings: Limit maximum concurrent tasks

Best Practices for Deployment & Configuration (VMware)

↧

List of Ports Used by Veeam Backup & Replication

January 15, 2019, 3:14 am

≫ Next: Veeam Agent – Setup ADK/AIK for Recovery Media

≪ Previous: Unable to allocate processing resources

Challenge

You would like to know the ports used for Veeam Backup & Replication and what they apply to.

Solution

↧

Veeam Agent – Setup ADK/AIK for Recovery Media

January 15, 2019, 4:03 am

≫ Next: What does question mark in Veeam Explorer for SQL mean?

≪ Previous: List of Ports Used by Veeam Backup & Replication

Challenge

Veeam Recovery Media Creation process is failing. The error will typically be:

Windows recovery image file not found:
User-added image

Cause

Veeam Recovery Environment is built off the Windows Recovery Environment, and the Recovery Environment is made from the Windows Preinstallation Environment.
If a system is missing the Windows PE/RE components, Veeam Recovery Media will fail to create.

Solution

To resolve this issue, we will need to Install the Windows Assessment and Deployment Kit *ADK* (Windows 8 and later), also known as Windows Automated Installation Kit *AIK* for Windows 7. The Server OS versions will use the same Kits as their matching Desktop OS. In this article, we will cover the installation for Windows 10 and Windows 7, as AIK and ADK have different installation steps.

For the first step, you will want to download the appropriate Kit from this link.

For Windows 10 1809 and later: Download the WinPE add-on for the ADK which is available here - https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install

Windows 10 - ADK

1. Start the installation from the downloaded file

User-added image

2. Specify Location. You do not need to change the default path. Click on Next:
User-added image

3. Select if you want to join the Microsoft CEIP and Click Next:
User-added image

4. Accept the License Agreement
User-added image

5. Proceed the installation process
User-added image

6. Once the install is completed, click Close
User-added image

7. Proceed to “Setting Registry Values”

Windows 7 - AIK

For Windows 7 (and Server 2008 R2), Microsoft had the Windows AIK, instead of the ADK.
The installation for the AIK is different, and we will be walking through these differences in this section.

1. AIK is provided as an ISO. To begin the install you will need to first mount the ISO file.
2. Once the ISO is mounted, you will be able to start the installer
User-added image

3. You will need to select the “Windows AIK Setup” option to start the install
User-added image

4. Click Next on the Welcome screen for the install
User-added image

5. Accept the License Agreement and click Next
User-added image

6. Specify Location. You do not need to change the default path. Click on Next:
User-added image

7. Click Next to confirm the Install.
User-added image

8. Click "Close" to finish the install
User-added image

9. Proceed to “Setting Registry Values”

Setting Registry Values

ForceUseAdkForRecoveryMedia

This key Forces Veeam to only use the ADK(or AIK) component.
It is the same key name for both kits.
1. Open Regedit
2. Browse to “HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Endpoint Backup”
3. Create a new Registry key with these details:

Name: ForceUseAdkForRecoveryMedia
Type: REG_DWORD
Value: 1

4. Restart the “Veeam Agent for Microsoft Windows” service

DismPath

This key is used to specify the path toward the DISM tool, which is used to mount the Windows image for setup. This key will only need to be used if the default location for the dism.exe is changed.
The default location is typically: C:\Windows\System32

The dism.exe tool is included within the installation folder path of ADK(AIK), and there will be separate dism.exe(s) for various CPU Architectures. You will want to use Windows Explorer to locate the appropriate dism.exe for your CPU Architecture.

For example, on a 64-bit Windows 10 Install, the dism.exe will be located under:
C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\Dism.exe

To add this key, you will need to perform these steps:
1. Open Regedit
2. Browse to “HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Endpoint Backup”
3. Create a new Registry key with these details:

Name: DismPath
Type: String
Value: Full path to your EXE, including the dism.exe

EXAMPLE: C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\Dism.exe

4. Restart the “Veeam Agent for Microsoft Windows” service

More Information

Starting with Windows 10, version 1809, WinPE is an add-on to the Windows Assessment and Deployment Kit (ADK).

↧

What does question mark in Veeam Explorer for SQL mean?

December 28, 2018, 9:00 am

≫ Next: Tenant's Remote Management status is Unknown

≪ Previous: Veeam Agent – Setup ADK/AIK for Recovery Media

Challenge

In Veeam Explorer for SQL some of the databases listed have a question mark.

Cause

Question mark indicates lack of metadata for a database which may cause restore to be not fully functioning. Moreover restore points for such databases are not shown in the Enterprise Manager.
Most probable reasons are:
-   Due to lack of permissions metadata was not properly collected. Point-in-time restore will not be available.
-   Database was excluded from application-aware image processing. Such a database is in crash-consistent state.
-   Application-aware image processing was disabled for the whole virtual machine. Databases are in crash consistent state.
-   Database files are located on the disks excluded in job settings. Restore for such a database will not work.

Solution

If fully functioning restore is essential, resolve the underlying issue. Note that new run of image-level backup is required, although restore from existing backup still will be partly unavailable.

↧

Tenant's Remote Management status is Unknown

January 17, 2019, 2:11 am

≫ Next: Veeam Backup Enterprise Manager RESTful APIs Upgrade Instructions

≪ Previous: What does question mark in Veeam Explorer for SQL mean?

Challenge

After installing Update 4 for Veeam Backup & Replication 9.4, a Cloud Connect tenant's Remote Management status is shown as Unknown.

Cause

This is a minor UI issue in Update 4 that doesn't have any impact on Product functionality, Remote Management should work as usual.

Solution

The issue will be fixed in the next Veeam Update.
The hotfix requires patching both SP and Tenant installations to support consoles compatibility. Please contact our Support team if there is a need for the fix.

↧

Veeam Backup Enterprise Manager RESTful APIs Upgrade Instructions

January 17, 2019, 9:01 am

≫ Next: Creating a VMware ESXi extension (VIB) for Veeam Backup from Storage Snapshot with Cisco HyperFlex IOvisor processing

≪ Previous: Tenant's Remote Management status is Unknown

Challenge

Veeam Backup & Replication 9.5 Update 4 RTM is not compatible with the previous versions of API. Some integration may not work as expected.

Cause

Update 4 has introduced new Product functionality that requires extended API and incremented the required request version to v1_4.

Solution

The compatibility issue will be remediated in Update 4 GA.
Hotfix is available for Veeam 9.5 Update 4 RTM, please contact Veeam Support for assistance.

Alternatively, you can switch to version v1_4 with the considerations below.

The following Cloud Connect functionality requires changing request's version from v1_3 to v1_4:

Create, Edit tenants

The following may require changing request's content:

Tenant edit. GET request now returns a new tenant type block. Adding this block to PUT requests should allow functionality to work as intended:
<TenantType>
<StandaloneTenant>
<TenantCredentials>
<Username>TENANT_NAME</Username>
</TenantCredentials>
</StandaloneTenant>
</TenantType>

The element is described in the new XSD as follows:
<xs:element name="TenantType" type="CloudTenantType" minOccurs="0" maxOccurs="1"/>
Task status. Complex tasks such as create/edit/delete tenant have got a new status OperationFinished which should be properly enumerated.

↧

Creating a VMware ESXi extension (VIB) for Veeam Backup from Storage Snapshot with Cisco HyperFlex IOvisor processing

January 17, 2019, 12:45 pm

≫ Next: Cloud Connect replication fails with "The following hosts are incompatible with the target host"

≪ Previous: Veeam Backup Enterprise Manager RESTful APIs Upgrade Instructions

Challenge

This article contains instructions on how to create a VMware ESXi extension (VIB) for Veeams Backup from Storage Snapshot with Cisco HyperFlex IOvisor processing.

To achieve the optimal balancing within the Cisco HyperFlex data network at Backup from Storage Snapshot processing over NFS, it is needed to change the ESXi host firewalls. See more background information here.

One of the Methods to change the ESXi host firewall is by a newly created VIB file that can be created with help of the VMware VIB Author Software.
Please follow the next steps to create the VIB.

IMPORTANT: With Cisco HyperFlex 3.0 the needed Firewall changes have been implemented in the OS image. Please follow the KB below only if you are running a HyperFlex version below 3.0. For new customers, we recommend to install the HyperFlex cluster with HX 3.0 and for existing customers we recommend to upgrade to HX 3.0 to benefit from the new Firewall changes.

Solution

Create a VIB in SLES11

SLES11 can be downloaded here.
VMware VIB Author can be downloaded here.
All steps are performed as the root user from the root (/) directory.

1. Prepare SLES

zypper install python-lxml
zypper install python-urlgrabber

2. Install VIB Author

cd /tmp
rpm -ivh vmware-esx-vib-author-5.0.0-0.0.847598.i386.rpm
cd /

3. Create File Directory

mkdir stage
mkdir stage/payloads
mkdir stage/payloads/payload1
mkdir stage/payloads/payload1/etc
mkdir stage/payloads/payload1/etc/vmware
mkdir stage/payloads/payload1/etc/vmware/firewall

4. Copy the required files to the folder tree
The "descriptor.xml" (link here) must be copied to /stage

descriptor.xml sample:
<vib version="5.0">

<type>bootbank</type>
<name>VeeamCiscoHXFirewall</name>
<version>1.0.0-0.0.1</version>

<vendor>Veeam</vendor>
<summary>Veeam Firewall rule for Cisco HyperFlex</summary>
<description>Adds inbound ports required by Veeam</description>

<relationships>
<depends></depends>
<conflicts/>
<replaces/>
<provides/>
<compatibleWith/>
</relationships>
<software-tags>
</software-tags>
<system-requires>
<maintenance-mode>false</maintenance-mode>
</system-requires>
<file-list>
<file></file>
</file-list>
<acceptance-level>community</acceptance-level>
<live-install-allowed>true</live-install-allowed>
<live-remove-allowed>true</live-remove-allowed>
<cimom-restart>false</cimom-restart>
<stateless-ready>true</stateless-ready>
<overlay>false</overlay>
<payloads>
<payload name="payload1" type="vgz"></payload>
</payloads>

</vib>

The “VeeamCiscoHXFirewall.xml” <download link> must be copied to /stage/payloads/payload1/etc/vmware/firewall

The VeeamCiscoHXFirewall.xml for Cisco HX version < 2.5:
<ConfigRoot>
<service id='9230'>
    <id>VeeamCiscoHXFirewall</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>
        <begin>0</begin>
        <end>65535</end>
      </port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
</service>
</ConfigRoot>

The VeeamCiscoHXFirewall.xml for Cisco HX version >= 2.5:
<ConfigRoot>
       <service id='9230'>
              <id>VeeamCiscoHXFirewall</id>
              <rule id='0000'>
              <direction>inbound</direction>
              <protocol>tcp</protocol>
              <porttype>dst</porttype>
              <port>111</port>
              </rule>
              <rule id='0001'>
              <direction>inbound</direction>
              <protocol>tcp</protocol>
              <porttype>dst</porttype>
              <port>2049</port>
              </rule>
              <rule id='0002'>
              <direction>inbound</direction>
              <protocol>tcp</protocol>
              <porttype>dst</porttype>
              <port>2449</port>
              </rule>
       <enabled>true</enabled>
       <required>false</required>
       </service>
</ConfigRoot>

5. Create the VIB using vibauthor:

vibauthor -C -t stage -v VeeamCiscoHXFirewall -f

6. Creation finished, ready for download
The VIB is now created and available in the root (/) directory. You can use the SCP client to download the VIB to your local operating system.

7. Install on ESXi

Install the Firewall VIB on ESXi:

Repeat the following steps on all Cisco HyperFlex nodes in your cluster.

a. Enable ssh and log in to your ESXi host using a ssh tool like PuTTY
User-added image

b. Copy the VIB file to the ESXi host's tmp folder using HTTP or a SCP client
User-added image

c. Install the VIB
Command:

esxcli software vib install -v /tmp/VeeamCiscoHXFirewall.vib -f

User-added image

d. Verify that the VIB was installed
Command:

esxcli software vib list | grep 'Veeam'

e. Verify that the new firewall rule is active
Command:

esxcli network firewall ruleset list

Note: If the VIB installation fails, you may need to set the acceptance level to CommunitySupport and retry the installation.
Command:

esxcli software acceptance set --level=CommunitySupported

Set the Veeam Proxy Servers

1. Enable allowed IP list for the new firewall rule
Command:

esxcli network firewall ruleset set -r "VeeamCiscoHXFirewall" -a false

2. Set the Veeam proxy server data network IP that is on the Hyperflex "Storage Controller Data Network"
Repeat the following command for each Veeam proxy server:

esxcli network firewall ruleset allowedip add -r "VeeamCiscoHXFirewall" -i "172.16.3.10"

3. Verify that the IPs are set
Command:

esxcli network firewall ruleset allowedip list | grep -v "All"

Note: Veeam recommends to set the IPs of each Veeam proxy server that is on the HyperFlex “Storage Controller Data Network” in the firewall rule. Otherwise the firewall rule is enabled for all incoming connections. Issue this command once per IP Address. It is important to use the IP Address on the “Storage Controller Data Network”, and not the public, or management IP address.

Check if everything is configured correctly

1. Check the Security Profile on the ESXi hosts
User-added image

2. Check the VIB

esxcli software vib list | grep 'Veeam'

3. Check the ruleset

esxcli network firewall ruleset list

4. Check which Veeam Proxy IPs are assigned

esxcli network firewall ruleset allowedip list | grep -v "All"

More Information

With HyperFlex 3.0 you may need to enable NFS access on all hosts.
To do this, navigate to: vSphere Web Client > Host Config > Security Profile > Edit > NFS access and Enable this setting.

↧

Cloud Connect replication fails with "The following hosts are incompatible with the target host"

January 18, 2019, 5:02 am

≫ Next: Using a CA-signed server certificate in the Veeam Agent management infrastructure

≪ Previous: Creating a VMware ESXi extension (VIB) for Veeam Backup from Storage Snapshot with Cisco HyperFlex IOvisor processing

Challenge

An attempt to start or create a Cloud Connect replication job fails with the error message: ”The following hosts are incompatible with the target host”.

Cause

The following scenarios are known to cause the issue:

Tenant’s Veeam installation had been updated to the latest version (9.5 Update 4) before the SP's installation.
SP's Cloud Connect server was unavailable during the upgrade.

Solution

On the Tenant's side, navigate to Backup Infrastructure -> Service Providers, open SP's properties and click through the settings finishing the wizard.

↧

Using a CA-signed server certificate in the Veeam Agent management infrastructure

January 18, 2019, 8:13 am

≫ Next: HCL - EMC Unity

≪ Previous: Cloud Connect replication fails with "The following hosts are incompatible with the target host"

Challenge

To allow communications between Veeam Agents and VBR, TLS certificates are used. By default, Veeam Backup & Replication uses a self-signed certificate.

User-added image

Solution

Please refer to the following User Guide page for further instructions: Using Certificate Signed by Internal CA

↧

HCL - EMC Unity

January 18, 2019, 10:15 am

≫ Next: HCL - EMC VNX/e

≪ Previous: Using a CA-signed server certificate in the Veeam Agent management infrastructure

Challenge

Product Information:

Company name: Dell/EMC
Product Family: Unity
Status: Veeam Ready - Integrated
Classification Description: Integrated storage where joint development activities between the manufacturer and Veeam have occurred to create advanced backup or restore functionalities.

Solution

Product Details:

Firmware version: 4.1
Additional support: Any EMC Unity configuration with supported firmware.

General product family overview:

EMC Unity sets the new standards for midrange storage with a powerful combination of simplicity, modern design, affordable price point, and deployment flexibility –perfect for resource-constrained IT professionals in large or small companies. Unity is perfect for midsized deployments, Remote Office/Branch Office locations, and cost-sensitive mixed workload environments. It is designed for all-flash, delivers the best value, and is available in purpose-built (all flash or hybrid), converged deployment (through VCE), and as a software -defined virtual edition. With all-inclusive software, new differentiated features, internet-enabled management, and a modern design, Unity is where powerful meets simplicity.

Veeam testing configuration:

Veeam Build Number: 9.5.0.823

↧

HCL - EMC VNX/e

January 18, 2019, 10:18 am

≫ Next: HCL - Huawei OceanStor Dorado V3

≪ Previous: HCL - EMC Unity

Challenge

Product Information:

Company name: DELL EMC
Product Family: VNX/e
Status: Veeam Ready - Integrated
Classification Description: Integrated storage where joint development activities between the manufacturer and Veeam have occurred to create advanced backup or restore functionalities.

Solution

Product Details:

Firmware version:

VNX Operating Environment for block 05.33.008.5.119
VNX Operating Environment for File 8.1.8.121
EMC Unisphere 1.3.8.1.0119

Additional support: Any Dell EMC VNX/e configuration with supported firmware

General product family overview:

The VNX family delivers industry-leading innovation and enterprise capabilities for file and block storage in a scalable, easy-to-use unified storage solution. VNX storage combines powerful and flexible hardware with advanced efficiency, management, and protection software to meet the affordability, efficiency and performance needs of today’s enterprises. All of this is available in a choice of systems ranging from affordable entry-level solutions to high-performance, petabyte-capacity configurations servicing the most demanding mixed workload requirements.

Veeam testing configuration:

Veeam Build Number: 9.5.0.823

↧