SIRIS, ALTO, and NAS: Error: Backup failed due to a problem establishing secure communications with the agent



When you try to start a backup for a system protected by the ShadowSnap agent, you receive the error message, "Backup failed due to a problem establishing secure communications with the agent."

In legacy versions of the Datto IRIS environment, this error message was "Backup failed as job (401: Unauthorized ) was unable to be assigned."


  • ShadowSnap Agent


  • The ShadowProtect, StorageCraft ShadowCopy Provider, or StorageCraft Raw Agent service may not be running on the protected system.
  • The creation of the ShadowSnap key file may have been interrupted during the pairing between the ShadowSnap Agent and the Datto appliance.
  • A proxy server or network security element may be interrupting communication between the ShadowSnap Agent and the Datto Appliance and blocking or filtering ports 25566, 445 and 139.
  • The server's local DNS is unable to resolve
  • The license may be expired if you have uninstalled and reinstalled ShadowProtect.
  • Agent certificates have expired and have not automatically renewed as they should.
  • You have not selected and volumes on the protected machine for backup.
  • You are backing up the same system on more than one Datto Device.


Check Agent Services

Check that all three services are present on the protected machine via services.msc:

  • StorageCraft Raw Agent
  • StorageCraft Shadow Copy Provider
  • ShadowProtect Service

Stop the StorageCraft ImageReady service. Then, right-click the service and go to Properties. Change the Startup Type to Manual.

Open task manager, and end the processes of any instances of the following services:

  • raw_agent_svc.exe
  • ShadowProtect.exe
  • ShadowProtectSvc.exe
  • vsnapvss.exe

Restart the services through the services.msc console.

Check Network Settings

Ensure that all Local/Edge hardware or software has the proper exceptions configured. Depending on the software/hardware, you will need the following information:

  • Website:
  • IP address:
  • Local Service: ShadowProtectSvc.exe

To view the proxy settings use the following commands from a CMD prompt:

  • Proxycfg.exe: Proxycfg.exe
  • Netsh.exe: Netsh winhttp show proxy (with Vista / Server 2008 or newer)

Reset the proxy to "Direct," which will delete any entries listed.

  • Proxycfg.exe: Proxycfg.exe –d
  • Netsh.exe: Netsh winhttp reset proxy (with Vista / Server 2008 or newer)

Check the Windows Firewall or any Antivirus to make sure exceptions exist for the ShadowSnap application to access ports TCP 25566, TCP / UDP 445, and TCP / UDP 139.

Check the License Status

Open the StorageCraft ShadowProtect program and check the license status:

Figure 1: An active license

The license should read as Active.

  • If the license shows expired, follow the steps in the Repair Agent Communications section of this article to re-pair the agent with your Datto appliance. The ShadowProtect software will automatically attempt to reprovision its license during this process.
  • If it is disconnected, retry the steps for restarting the services for ShadowProtect and ShadowSnap. Ensure that the ShadowProtect software is 5.0.x.

Check for Job Already in Progress

The agent may think a backup job is already running. To resolve this, rename the database where the job state is residing:

  1. Open services.msc, and stop the StorageCraft Raw Agent service.
  2. Navigate to C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap.
  3. Find the endptconfig.sqlite3 file and append .old to the end of the filename.
  4. Restart the StorageCraft Raw Agent service.
  5. Repair agent communications on the device, and attempt another backup job.

Verify Agent Settings

The following troubleshooting steps involve modifying the agent settings on the Datto appliance. To navigate to an agent's settings:

1. Access the Datto appliance's GUI
2. Click the Protect tab.

Figure 2: The Protect tab (click to enlarge)

3. Click the affected agent's Configure Agent Settings link.

Figure 3: Configure Agent Settings

Repair Agent Communications

4. Click the Repair Agent Communications button to recreate the secure key pair between the agent on the device. If this fails, possible causes are:

Figure 4: Repair Agent Communications (click to enlarge)

Ensure certificates are up to date

Verifying Excluded Volumes

If you have excluded all volumes in Volume Level Backup Control, the backup will fail. Verify that at least one volume is active. 

Figure 5: Volume Level Backup Control (click to enlarge)

If you have attempted all troubleshooting steps described in this article and are still experiencing backup failures, please contact Datto Technical Support for further assistance.

Verify you are backing up to only one Datto appliance

Datto does not recommend protecting the same production system on more than one Datto appliance. Even with different scheduled backup times, information is stored in the same location on the protected server with the same naming schemes, and each device will overwrite the others' changes. Backing up to multiple Datto devices can cause the following problems:

  • Intermittent "Backup failed due to a problem establishing secure communications with the agent,"
  • Intermittent "Backup failed because the agent was unable to initiate the backup job"
  • Constant full backups or differential merges at random intervals.
  • VSS writer errors

If you have attempted all troubleshooting steps described in this article and are still experiencing backup failures, contact Datto Technical Support for further assistance.

Additional Resources

Was this article helpful?

31 out of 43 found this helpful

You must sign in before voting on this article.

Want to talk about it? Have a feature request?

Head on over to our Datto Community Forum or the Datto Community Online.

For more Business Management resources, see the Datto RMM Online Help and the Autotask PSA Online Help .

Still have questions? Get live help.

Datto Homepage