A Veeam Cloud Service Provider observes that their tenant's jobs intermittently fail with either of the following errors:
Error Cloud gate has rejected connection. Reason: Connection target is not recognized. No rule exists.. (System.Exception)
Error Connection target is not recognized. No rule exists. (Veeam.Backup.Common.CCloudGateNoRuleException)
This issue can occur seemingly at random, with no pattern of which jobs, tasks, or tenants are affected.
Causes & Solutions
Scenario 1: External Load Balancer or DNS Round-Robin
An external load balancer or DNS Round-Robin has been configured between the tenant's environment and the Cloud Connect Provider's Cloud Gateways, which causes traffic to be sent to a Cloud Gateway other than the one assigned to the tenant's task.
As each task begins on the tenant's side of the connection, the Cloud Connect server creates a dedicated traffic forwarding rule for the backup traffic. This traffic rule is based on Veeam Cloud Connect's internal load balancer selecting the Cloud Gateway server with the fewest tasks already assigned. Once the traffic rule is created, that tenant's backup activity is expected to use the designated Cloud Gateway and is not allowed to use any gateway where this rule does not exist.
An external load balancer or DNS Round-Robin breaks this logic and may cause tenant traffic bound to a specific forwarding rule to be sent to a different Cloud Gateway, resulting in the error mentioned above.
Here is an example of how that incorrect configuration will appear within the view in the Veeam Cloud Connect Console:
Veeam Log Examples
Log from tenant side %programdata%\Veeam\backup\BackupJob\Job.*.log
Info [CloudGateSvc] Checking gates availability for provider 'vcc.cloudprovider.com', gates to check are: [IP: vcc.cloudprovider.com , port:6180],[IP: vcc.cloudprovider.com , port:6180]
Log from Service Provider environment %programdata%\Veeam\backup\CloudConnectService\Tenant\Auxiliary_session\Session.log
Info [CloudForwarding] Found following gates for tenant: Tenant, preferred gates: [IP: vcc.cloudprovider.com , port:6180];[IP: vcc.cloudprovider.com , port:6180], failover gates:
To prevent the issue, Veeam Cloud Service Providers should avoid external load balancing for Cloud Gateway traffic.
Here is an example of a correctly configured set of Cloud Gateway servers, each with a distinct DNS and IP address.
Scenario 2: Cloud Gateways Have Duplicate BIOS UUIDs
Managed Servers are tracked by Veeam Backup & Replication using their unique BIOS UUID. The BIOS UUID is a globally unique identification number tied to the hardware, physical or virtual. Several machines in the same environment sharing an identical BIOS UUID is abnormal and can affect both Veeam and other applications in unexpected ways. In virtual environments, this situation can happen if virtual machines were deployed from the same template or were cloned in some other way.
To check the BIOS UUID of a Cloud Gateway, run the following command in an Administrative PowerShell window:
Each Cloud Gateway server should have a unique BIOS UUID. To change the BIOS UUID for the affected machines, follow guidelines from the virtualization environment vendor.
For physical servers with duplicate UUID issues, please contact the hardware vendor.
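One way to run this check across all Cloud Gateways at once, as an added example that is not part of the original article or Veeam's own tooling: it reads the BIOS UUID from the Win32_ComputerSystemProduct WMI class on each server and reports any value shared by more than one gateway. The function name Find-DuplicateBiosUuid and the gw*.example.com host names are hypothetical, and remote CIM (WinRM) access to the gateways is assumed.

```powershell
# Added example, not Veeam's own command. Gateway names below are constructed
# placeholders; replace them with the provider's Cloud Gateway servers.
function Find-DuplicateBiosUuid {
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    $inventory = foreach ($name in $ComputerName) {
        try {
            # Win32_ComputerSystemProduct.UUID exposes the SMBIOS (BIOS) UUID.
            $product = Get-CimInstance -ClassName Win32_ComputerSystemProduct -ComputerName $name -ErrorAction Stop
            [pscustomobject]@{
                Gateway = $name
                # Normalise case so the grouping below compares like with like.
                Uuid    = ([string]$product.UUID).ToUpperInvariant()
            }
        }
        catch {
            # An unreachable gateway is reported, not silently skipped.
            Write-Warning "Could not query ${name}: $($_.Exception.Message)"
        }
    }

    # Any UUID reported by more than one gateway is a collision.
    $inventory |
        Group-Object -Property Uuid |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Uuid     = $_.Name
                Gateways = $_.Group.Gateway -join ', '
            }
        }
}

$gateways   = 'gw1.example.com', 'gw2.example.com', 'gw3.example.com'
$duplicates = @(Find-DuplicateBiosUuid -ComputerName $gateways)

if ($duplicates.Count -gt 0) {
    $duplicates | Format-Table -AutoSize
}
else {
    'No duplicate BIOS UUIDs found among the queried gateways.'
}
```

A gateway that raises a warning has not been checked, so a clean result only covers the servers that answered.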
If a Cloud Gateway's BIOS UUID was changed, do the following to update the Veeam Cloud Connect database:
1. Reboot the Cloud Gateway server
2. Within the Veeam Cloud Connect Console, navigate to Backup infrastructure -> Managed Windows Servers
3. Right-click on the Server's entry, select Properties
4. Click Next, Next, Apply, Next, and Finish through the Edit Windows Server wizard's pages.
If the gateway configuration is correct, and the error "Connection target is not recognized. No rule exists." continues to occur, please collect logs and open a support case.
Cloud Gateway Configuration example from VCC Best Practice Resource: Load Balancers
Please keep in mind that Veeam has its own HA logic and keeps the names of all available Cloud Gateway Servers obtained from the SP during a previous rescan or job run. This allows the tenant VBR server to automatically fail over to the next gateway if some gateways are offline.