VM backups fail with error code VMWARE_VDDK1
This article applies to:
- OS: WS 2008 R2, WS 2012/R2, WS 2016
- Product edition: Phoenix
Problem description
VM backups fail with error SyncError: You do not have access rights to one or more vmdk files of the VM. (#100050001:13).
Cause
Port 902 is blocked on the ESXi host that is registered under vCenter. Port 902 must be open for the backup proxy to communicate with the ESXi host. The backup proxy communicates with vCenter over port 443 and with the ESXi host over port 902.
Traceback
Phoenix logs:
[2019-02-27 17:05:45,908] [ERROR] Failed to open the Disk [ABC-XXX] ABC/ABC-XXX01.vmdk
[2019-02-27 17:05:45,908] [ERROR] Error <class 'inSyncLib.inSyncError.SyncError'>:You do not have access rights to one or more vmdk files of the VM. (#100050001 : 13) (Error Code : VMWARE_VDDK1). Traceback -Traceback (most recent call last):
File "agents/vmware/dataManager.py", line 257, in _open_retry
File "agents/vmware/vixDiskLibOCManager.py", line 69, in open
File "agents/vmware/vixDiskLibOCManager.py", line 91, in enqueue_work_wait
SyncError: You do not have access rights to one or more vmdk files of the VM. (#100050001 : 13) (Error Code : VMWARE_VDDK1
VDDK logs:
019-02-28T00:19:15.834-05:00| vthread-5| I125: NBD_ClientOpen: Couldn't connect to 192.168.0.17:902 Failed to connect to server 192.168.0.17:902
2019-02-28T00:19:15.834-05:00| vthread-5| I125: DISKLIB-DSCPTR: : "vpxa-nfcssl://[ABC-XXX] ABC/ABC-XXX01.vmdk@192.168.0.17:902" : Failed to open NBD extent.
2019-02-28T00:19:15.839-05:00| vthread-5| I125: NBD_ClientOpen: attempting to create connection to vpxa-nfc://[ABC-XXX] ABC-XXX01/XXX0101.vmdk@192.168.0.17:902
Resolution
- Try to telnet/nc from the backup proxy to the ESXi host on port 902. If the connection fails, port 902 is blocked on the ESXi host and the backup proxy is not able to communicate with it. For successful communication, open port 902 on the ESXi host.
- If telnet is successful but backups are still failing, ensure that the Backup Proxy and the ESXi host are in the same network subnet.
For example:
The ESXi host has 3 segments, but the DNS-registered segment is 10.77.4.x/24.
On vCenter, select the host -> Configure -> Networking -> VMkernel adapters:
- 10.77.4.x/24 (DNS registered)
- 10.77.10.x/24
- 10.77.60.x/24
Backup Proxy's IP address is 10.77.10.xx
In this case, backups will fail. Please verify the following for a successful connection:
- Ensure that the IP address of the ESXi host that is configured for the backup proxy is DNS registered.
- Confirm that DNS is configured correctly in the proxy configuration. Reconfigure to correct the entries if needed.
Temporary workaround:
In "/etc/hosts" of the Backup Proxy, you can add "10.77.10.X" as the ESXi host's IP address, which belongs to the same segment as the Backup Proxy.
Note: We do not encourage making changes in the hosts file as this can cause discrepancies while making network configuration changes in the future.
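The checks above can be scripted on the backup proxy. The following is an added example, not Phoenix or VDDK code: it pulls the unreachable host:port out of the VDDK log line shown earlier, then applies the port 902 test and the same-subnet test. The function names, the /24 prefix default, the second log timestamp and the concrete 10.77.x.x addresses are assumptions made for illustration.

```python
import ipaddress
import re
import socket

# Matches the VDDK failure line quoted in this article.
NBD_FAIL = re.compile(r"NBD_ClientOpen: Couldn't connect to (\d+\.\d+\.\d+\.\d+):(\d+)")

def failed_nbd_targets(log_text):
    """Return the distinct (ip, port) pairs VDDK could not reach."""
    return sorted({(m.group(1), int(m.group(2))) for m in NBD_FAIL.finditer(log_text)})

def same_subnet(proxy_ip, esxi_ip, prefix=24):
    """True if both addresses are in the same network (/24 as in the example)."""
    net = ipaddress.ip_network(f"{proxy_ip}/{prefix}", strict=False)
    return ipaddress.ip_address(esxi_ip) in net

def tcp_open(host, port=902, timeout=5.0):
    """Equivalent of the telnet/nc test: can a TCP connection be established?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(proxy_ip, esxi_name, port=902):
    """Resolve the ESXi name as the proxy would, then apply both checks in order."""
    try:
        esxi_ip = socket.gethostbyname(esxi_name)
    except OSError:
        return f"{esxi_name}: does not resolve; check DNS in the proxy configuration"
    if not tcp_open(esxi_ip, port):
        return f"{esxi_ip}:{port} unreachable; open port {port} on the ESXi host"
    if not same_subnet(proxy_ip, esxi_ip):
        return f"{esxi_name} resolves to {esxi_ip}, outside the proxy's subnet ({proxy_ip})"
    return f"{esxi_ip}:{port} reachable and in the proxy's subnet"

# Constructed sample: the article's VDDK line plus a repeat with a made-up timestamp.
SAMPLE_LOG = """\
2019-02-28T00:19:15.834-05:00| vthread-5| I125: NBD_ClientOpen: Couldn't connect to 192.168.0.17:902 Failed to connect to server 192.168.0.17:902
2019-02-28T00:19:45.101-05:00| vthread-5| I125: NBD_ClientOpen: Couldn't connect to 192.168.0.17:902 Failed to connect to server 192.168.0.17:902
"""

if __name__ == "__main__":
    print(failed_nbd_targets(SAMPLE_LOG))
    # Constructed addresses following the article's 10.77.x.x example.
    print(same_subnet("10.77.10.35", "10.77.4.20"))   # ESXi on the DNS-registered segment
    print(same_subnet("10.77.10.35", "10.77.10.20"))  # ESXi on the proxy's segment
```

Run diagnose() with the proxy's own IP address and the ESXi host name exactly as it is registered in vCenter, so that name resolution follows the same path the backup uses.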
Verification
Initiate a manual backup and verify whether it completes successfully.