"Established connection failed because connected host has failed to respond <vbr_ip>:10005"
Challenge
A Windows Agent Backup or Windows Agent Policy type job within Veeam Backup & Replication fails with either of the following errors.
A Veeam Agent Backup operating in Managed by backup server fails with the error:
Error: Managed session has failed: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond <vbr_ip>:10005
A Veeam Agent Policy fails to deploy with the following error:
Failed to send backup job configuration to <machine> Error: Failed to update backup job Managed by agent job ID: <job_id_guid>. Managed by agent job name: <job_name>. Invalid job configuration. Connection problems. Exception has been thrown by the target of an invocation. Failed to establish connection: no valid IP addresses were found. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond <vbr_ip>:10005
This article is regarding Veeam Agent for Microsoft Windows deployments that are managed by Veeam Backup & Replication and use the port 10005. Other nearby ports are used for similar purposes:
- 10001 — Port used by Standalone Veeam Agent for Microsoft Windows Deployments to communicate with Veeam Backup & Replication.
- 10002 — Legacy port used by older versions of Veeam Agent for Linux to communicate with Veeam Backup & Replication.
- 10003 — Port used for Veeam Cloud Connect communication from Backup Server to Backup Server.
- 10004 — Unused
- 10005 — Port used by Managed Deployments of Veeam Agent for Microsoft Windows to communicate with Veeam Backup & Replication.
- 10006 — Port used by Veeam Agent for Linux and Veeam Agent for Mac to communicate with the Veeam Backup Server.
While firewalls blocking port communication remains the most common cause of support cases, Veeam Support has seen a marked increase in the number of cases caused by the Cloud Agent of Qualys vulnerability scanner, as it shares many of the same default ports:
"During an unauthenticated scan using the Qualys scanner, the Cloud Agent will return its Correlation ID to [the] scanner over one of the Agent Scan Merge ports (10001, 10002, 10003, 10004, 10005)."
The ports used by the Agent Scan Merge can be customized: Agent Correlation Identifier.
Cause
These errors occur when the Windows machine where Veeam Agent for Microsoft Windows is installed cannot reach the Veeam Backup Service on the Veeam Backup Server over port 10005.
This may occur if:
- The machine where Veeam Agent for Microsoft Windows is deployed cannot resolve the hostname or FQDN of the Veeam Backup Server.
- The Veeam Backup Service could not assign itself port 10005 when it started because another application already used that port.
- A firewall in the environment is blocking traffic between the machine where Veeam Agent for Microsoft Windows is installed and the Veeam Backup Server.
- Firewall on the Veeam Backup Server
- Firewall on the Windows machine itself.
- Firewall in the network (if the traffic is crossing them).
Solution
A complete guide on how to test port connectivity can be found on KB4444.
Troubleshooting Checklist
- Ensure that the Veeam Backup Service on the Veeam Backup Server is associated with port 1005.
- Ensure that the Windows machine being backed up can correctly resolve the the hostname and FQDN of the Veeam Backup Server.
- Ensure that the Windows machine being backed up can reach port 10005 on the Veeam Backup Server.
More Information
Customize Port Used To Recieve Communication
If you are facing a situation where another product is using port 10005, and that software cannot be adjusted to use a different port, Veeam Backup & Replication can be configured to listen on a different port for communication from managed Veeam Agent for Microsoft Windows deployments.
Considerations and Limitations
Changing the port that managed Veeam Agent for Microsoft Windows deployments use to communicate with Veeam Backup & Replication will cause them to lose contact with Veeam Backup & Replication until their configuration is updated to make them aware of the port change.
- For machines not in a Computer with pre-install backup agents type Protection Group, when Veeam Backup & Replication connects out to the Veeam Agent for Microsoft Windows deployment (job start or protection group rescan), it will update that deployment with the new inbound communication port.
- For machines in a Computer with pre-install backup agents type Protection Group, each machine must be manually reconfigured to communicate with Veeam Backup & Replication over the new port. This is because machines in that type of Protection Group cannot have a configuration pushed out to them; they receive their configuration instead by periodically contacting the Veeam Backup & Replication server to see if their job settings have changed. Therefore, changing the inbound communication port causes them to no longer be able to reach the Veeam Backup & Replication software. To update the machine in this type of protection group:
Update configuration using the Configurator — Generate a new pre-configured deployment package, copy the <protection_group_name>.xml configuration file to the Windows machine, then use the following command to update the configuration:"C:\Program Files\Veeam\Endpoint Backup\Veeam.Agent.Configurator.exe" -setVBRsettings /p:"<protection_group_name>.xml"
Registry Value
Create the following registry value on the Veeam Backup Server.
Key Location: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\
Value Name: EndPointServerSslPort
Value Type: DWORD (32-Bit) Value
Value Data(Dec): 10005 (Default)
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.