Problem

When backing up a Windows 2008 R2 server with the firewall enabled, the backup job fails (sometimes intermittently). You may see errors such as those below in the logs.

error: Freezing guest operating system Unfreeze error (over VIX): [Backup job failed.]

VSSControl: IsSnaphotInProgress failed. Transaction logs will not be truncated.

RPC function call failed. Function name [IsSnapshotInProgress]. Target Machine: yourserver

RPC error: The RPC server is unavailable. Code: 1722

Explanation

This is due to RPC using dynamic port allocation, which the Windows firewall is not able to allow. The fix can be found in this article and is summarised below:

http://support.microsoft.com/kb/154596

To verify this is the case, you can try running a backup with the Windows firewall switched off and UAC disabled.

Fix Step 1: Create the registry key below to restrict the ports used by RPC.

There are two ways of doing this.

Option 1: Manually create the registry keys

1. Create the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet

2. Create a new REG_MULTI_SZ value HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\Ports

Enter the range of ports to use (you can use multiple lines for multiple ranges), for example:

5000-5100

3. Create a new REG_SZ value HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\PortsInternetAvailable = “Y”

4. Create a new REG_SZ value HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\UseInternetPorts = “Y”

Option 2: Import a .reg file

Alternatively, create a text file with a .reg extension (e.g. RPC_internet_ports.reg) and paste the text below into it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet]
"Ports"=hex(7):35,00,30,00,30,00,30,00,2d,00,35,00,31,00,30,00,30,00,00,00,00,\
  00
"PortsInternetAvailable"="Y"
"UseInternetPorts"="Y"

You can then double-click this file to import the values into the registry.

Please manually check that the registry keys have been created.
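One way to check what the Option 2 file will write before importing it: the Python below is an added example, not part of the original post, that decodes the hex(7) (REG_MULTI_SZ) data and confirms the two "Y" values. The function names are illustrative and the sample text is copied from the .reg file above.

```python
import re

# Constructed sample: the .reg text shown in Option 2 of the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet]
"Ports"=hex(7):35,00,30,00,30,00,30,00,2d,00,35,00,31,00,30,00,30,00,00,00,00,\
  00
"PortsInternetAvailable"="Y"
"UseInternetPorts"="Y"
'''

def parse_reg_values(text):
    """Return {name: value} for .reg text; hex(7) data becomes a list of strings."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join backslash-continued lines
    values = {}
    for m in re.finditer(r'^"([^"]+)"=(.*)$', text, re.M):
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith("hex(7):"):
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
            # REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, plus a final NUL
            strings = data.decode("utf-16-le").split("\x00")
            values[name] = [s for s in strings if s]
        elif raw.startswith('"') and raw.endswith('"'):
            values[name] = raw[1:-1]  # plain REG_SZ
    return values

def check_rpc_port_config(text):
    """Return (ranges, problems) for the Rpc\\Internet values in .reg text."""
    v = parse_reg_values(text)
    ranges, problems = [], []
    ports = v.get("Ports")
    if not isinstance(ports, list):  # missing, or not written as hex(7)
        ports = []
    for entry in ports:
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", entry)
        lo = int(m.group(1)) if m else 0
        hi = int(m.group(2) or lo) if m else 0
        if 0 < lo <= hi <= 65535:
            ranges.append((lo, hi))
        else:
            problems.append("invalid Ports entry: %r" % entry)
    if not ranges:
        problems.append("Ports is missing or has no valid range")
    for name in ("PortsInternetAvailable", "UseInternetPorts"):
        if v.get(name) != "Y":
            problems.append("%s is %r, expected 'Y'" % (name, v.get(name)))
    return ranges, problems

if __name__ == "__main__":
    print(check_rpc_port_config(SAMPLE_REG))
```

The same functions work on the text of a regedit export of the key taken after the import, which gives a check that the values were created as intended.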

Fix Step 2: Allow the ports through the firewall

Go to Control Panel, Windows Firewall, Advanced settings. Create a new inbound rule and specify the port range set in step 1.

Set it to “allow secure connections” and:

Allow the Veeam service account (i.e. the user account that the Veeam backup server uses).

Specify the Veeam backup server.

Apply to all networks (home, work, public).

Click finish. You will now need to reboot the server before the next backup.
