#1 Global Leader in Data Protection & Ransomware Recovery

Troubleshooting Certificate and Connection Errors in Cloud Connect

KB ID: 2323
Product: Veeam Cloud Connect | 9.0 | 9.5 | 10 | 11 | 12
Published: 2017-07-26
Last Modified: 2023-09-28
mailbox
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please try again later.

Challenge

When adding a Service Provider on the tenant's Veeam Backup & Replication, either of the the following errors occur:

Certificate validation failed. Unable to connect to the service provider.
Certificate validation failed. Authentication failed because the remote party has closed the transport stream.

Solution

Veeam Support engineers are only able to assist with the isolation of certificate problems. Veeam Support is unable to assist in generating, altering, importing, exporting, or installing SSL certificates.
Please refer to your SSL certificate provider for more information on certificate processes.
When the tenant is engaged in Veeam Agent management, review the additional considerations: Veeam Agent Management > Backup to Veeam Cloud Connect Repository.

Common Causes and Solutions

  • The connection to the Service Provider Gateway(s) cannot be established using the default port TCP 6180.
    • Ensure that the TCP/UDP port 6180 is permitted for outbound traffic from the tenant environment (applicable only for stateful firewalls). If the firewall is stateless, a static rule needs to be added for the return traffic. 
    • Similar firewall exceptions for TCP/UDP 6180 should be applied in the provider's firewall for traffic destined for each Cloud Connect Gateway. 
    • Additionally, note that tenant proxies or repositories will connect directly to the Cloud Connect Gateways during job runs.
  • The certificate has expired and needs to be renewed.
  • The certificate was incorrectly keyed during the CSR process and needs to be re-keyed, or the private key is missing entirely.
    • Ensure that the certificate, along with the private key, is installed on the Service Provider Cloud Connect server. It does not need to be installed on the Cloud Connect Gateways if they are separate servers. The issued certificate, along with the private key, will be a file with a .pfx extension.
    • If your SSL certificate provider asks you to generate the PFX file using a private key that you have generated, as opposed to one they provide, it will be considered a security risk and will not be a supported configuration.
  • The certificate chain has not been fully installed on the Service Provider's Cloud Connect server, and as a result, the chain of trust cannot be established. The connection to the Service Provider's Cloud Connect server will not be authenticated unless the Tenant's Veeam server can validate a certificate that ends with a Root CA certificate.
    • Ensure that the certificate chain, which includes both subordinate (intermediate) and root CA certificates, is installed on the Service Provider's Cloud Connect server. Typically, the SSL certificate provider includes the chain in a separate file with a .p7b extension.
  • The Cloud Connect Gateways cannot resolve the Cloud Connect Server using DNS, or the Cloud Connect Gateways are unable to communicate internally or through the DMZ to the Cloud Connect Server.
    • Ensure that all Cloud Connect Gateways can resolve the DNS for the Cloud Connect Server. Disable any unused gateways.
  • In some instances, a firewall may employ a form of adaptive security that filters SSL/TLS traffic. This is often referred to as "Deep Packet Inspection" (DPI), packet inspection, or SSL/TLS inspection. The use of these features can create a Man-in-the-Middle scenario involving the firewall, which may lead to issues when the certificate is exchanged with the Tenant Veeam Server.

More Information

 

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Verify your email to continue your product download
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please try again later.