When you try to start a backup for a system protected by the ShadowSnap agent, you receive the error message, "Backup failed due to a problem establishing secure communications with the agent."
In legacy versions of the Datto IRIS environment, this error message was "Backup failed as job (401: Unauthorized ) was unable to be assigned."
- ShadowSnap Agent
- The ShadowProtect, StorageCraft ShadowCopy Provider, or StorageCraft Raw Agent service may not be running on the protected system.
- The creation of the ShadowSnap key file may have been interrupted during the pairing between the ShadowSnap Agent and the Datto appliance.
- A proxy server or network security element may be interrupting communication between the ShadowSnap Agent and the Datto Appliance and blocking or filtering ports 25566, 445 and 139.
- The server's local DNS is unable to resolve
- The license may be expired if you have uninstalled and reinstalled ShadowProtect.
- Agent certificates have expired and have not automatically renewed as they should.
- You have not selected and volumes on the protected machine for backup.
- You are backing up the same system on more than one Datto Device.
- Check Agent Services
- Check Network Settings
- Check the License Status
- Check for Job Already in Progress
- Verify Agent Settings
- Repair Agent Communications
- Ensure certificates are up to date
- Verifying Excluded Volumes
- Verify you are backing up to only one Datto appliance
Check Agent Services
Check that all three services are present on the protected machine via services.msc:
- StorageCraft Raw Agent
- StorageCraft Shadow Copy Provider
- ShadowProtect Service
Stop the StorageCraft ImageReady service. Then, right-click the service and go to Properties. Change the Startup Type to Manual.
Open task manager, and end the processes of any instances of the following services:
Restart the services through the services.msc console.
Check Network Settings
Ensure that all Local/Edge hardware or software has the proper exceptions configured. Depending on the software/hardware, you will need the following information:
- Website: activate.storagecraft.com
- IP address: 220.127.116.11
- Local Service: ShadowProtectSvc.exe
To view the proxy settings use the following commands from a CMD prompt:
Netsh.exe: Netsh winhttp show proxy(with Vista / Server 2008 or newer)
Reset the proxy to "Direct," which will delete any entries listed.
Proxycfg.exe: Proxycfg.exe –d
Netsh.exe: Netsh winhttp reset proxy(with Vista / Server 2008 or newer)
Check the Windows Firewall or any Antivirus to make sure exceptions exist for the ShadowSnap application to access ports TCP 25566, TCP / UDP 445, and TCP / UDP 139.
Check the License Status
Open the StorageCraft ShadowProtect program and check the license status:
Figure 1: An active license
The license should read as Active.
- If the license shows expired, follow the steps in the Repair Agent Communications section of this article to re-pair the agent with your Datto appliance. The ShadowProtect software will automatically attempt to reprovision its license during this process.
- If it is disconnected, retry the steps for restarting the services for ShadowProtect and ShadowSnap. Ensure that the ShadowProtect software is 5.0.x.
Check for Job Already in Progress
The agent may think a backup job is already running. To resolve this, rename the database where the job state is residing:
- Open services.msc, and stop the StorageCraft Raw Agent service.
- Navigate to C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap.
- Find the endptconfig.sqlite3 file and append .old to the end of the filename.
- Restart the StorageCraft Raw Agent service.
- Repair agent communications on the device, and attempt another backup job.
Verify Agent Settings
The following troubleshooting steps involve modifying the agent settings on the Datto appliance. To navigate to an agent's settings:
1. Access the Datto appliance's GUI.
2. Click the Protect tab.
3. Click the affected agent's Configure Agent Settings link.
Figure 3: Configure Agent Settings
Repair Agent Communications
4. Click the Repair Agent Communications button to recreate the secure key pair between the agent on the device. If this fails, possible causes are:
- The IP address or host of the agent is unreachable. You can rename it if necessary.
- One or more of the ShadowSnap services are not running.
- The ShadowProtect license is expired or disconnected.
- Communication between the Datto appliance and the agent is filtered or blocked.
Ensure certificates are up to date
- Ensure agent certificates are up to date. See SIRIS, ALTO, and NAS: Root certificate expiration for details.
Verifying Excluded Volumes
If you have excluded all volumes in Volume Level Backup Control, the backup will fail. Verify that at least one volume is active.
If you have attempted all troubleshooting steps described in this article and are still experiencing backup failures, please contact Datto Technical Support for further assistance.
Verify you are backing up to only one Datto appliance
Datto does not recommend protecting the same production system on more than one Datto appliance. Even with different scheduled backup times, information is stored in the same location on the protected server with the same naming schemes, and each device will overwrite the others' changes. Backing up to multiple Datto devices can cause the following problems:
- Intermittent "Backup failed due to a problem establishing secure communications with the agent,"
- Intermittent "Backup failed because the agent was unable to initiate the backup job"
- Constant full backups or differential merges at random intervals.
- VSS writer errors
If you have attempted all troubleshooting steps described in this article and are still experiencing backup failures, contact Datto Technical Support for further assistance.