Root Cause
Starting in ZVR version 8.0, ZVM-to-ZVM communication is handled over TCP port 9071 in order to support encryption.
On the same page, it is noted that port 9081 (the port used by default in ZVM to ZVM communication in versions prior to 8.0) is still in use only in backward compatibility environments (i.e. one ZVM runs on 8.0 and the peer runs on 7.5).
Once both ZVMs in a pair are upgraded to 8.0, the port used for communication switches from the legacy port 9081 to port 9071. Therefore, if communication over port 9071 is not open prior to both ZVM upgrades, the sites will not be able to connect post-upgrade.
Symptoms
After performing an upgrade of ZVR to version 8.0 on both ZVMs in a pair, the GUI reports the below site disconnection alert:
The Zerto Virtual Manager is not connected to site {site_name}.
Solution
1] Enable TCP port 9071 bidirectionally on all firewalls or access control lists (ACLs) between the ZVMs in the pair.
2] Monitor the UI for the alert to clear after a few moments.
3] Should the issue persist, perform basic connectivity checks such as ping, telnet (over port 9071), and tracert. If all connectivity checks in both directions are successful, open a case with Zerto Support.
NOTE: There is no ability to disable this security hardening enhancement. Attempts to change the port used back to port 9081 will not provide relief as ZVMs at version 8.0 are designed to encrypt and communicate over port 9071. It is recommended to enable access over port 9071 in both directions on all firewalls or ACLs between the ZVMs in a pair prior to the upgrade to version 8.0 so as to avoid this impact.
NOTE: There is also a possibility of getting stuck in a Site Disconnection if TCP port 9081 is closed before each site's ZVM DB and other settings have been updated to instruct the ZVMs to start using 9071. It is recommended to keep 9081 open in both directions until the upgrade is complete and the ZVM-to-ZVM traffic seen in the firewall is over 9071 and no longer over 9081.
NOTE: An additional possibility is that the ZVM service is running under a user account that has proxy settings configured in Internet Explorer, and the proxy is configured to decrypt traffic. This will lead to a site disconnection. Ensure the proxy, if used, allows encrypted traffic. If this is not possible, contact AssureStor Support.
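The TCP check from step 3 can be scripted so that the new port and the legacy port from the second note are tested together. The following is an added example, not Zerto tooling or part of the original article; the peer host name is a placeholder and `Test-TcpPort` is a helper defined only for this example.

```powershell
# Added example: run on each ZVM, pointed at the other, to cover both directions.
$PeerZvm   = 'peer-zvm.example.internal'   # placeholder: peer ZVM host name or IP
$TimeoutMs = 3000

function Test-TcpPort {
    # Hypothetical helper: attempts a TCP connect and classifies the outcome.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($ComputerName, $Port)
        # No answer within the timeout usually means a firewall or ACL dropped the packets.
        if (-not $task.Wait($TimeoutMs)) { return 'Timeout' }
        if ($client.Connected) { return 'Open' }
        return 'Failed'
    }
    catch {
        # Active refusal, unreachable host or name-resolution failure all land here.
        return 'Error: ' + $_.Exception.GetBaseException().Message
    }
    finally {
        $client.Close()
    }
}

# Probe the encrypted port (9071) and the legacy port (9081) from this side.
$results = foreach ($port in 9071, 9081) {
    [pscustomobject]@{
        Peer  = $PeerZvm
        Port  = $port
        State = Test-TcpPort -ComputerName $PeerZvm -Port $port -TimeoutMs $TimeoutMs
    }
}
$results | Format-Table -AutoSize

$state9071 = ($results | Where-Object { $_.Port -eq 9071 }).State
$state9081 = ($results | Where-Object { $_.Port -eq 9081 }).State

if ($state9071 -ne 'Open') {
    Write-Warning ('TCP 9071 to {0}: {1}. Two ZVMs at 8.0 cannot connect without it.' -f $PeerZvm, $state9071)
}
if ($state9081 -ne 'Open') {
    # Expected only after the firewall shows ZVM-to-ZVM traffic on 9071.
    Write-Warning ('TCP 9081 to {0}: {1}. Keep the legacy port open until traffic is seen on 9071.' -f $PeerZvm, $state9081)
}
```

A `Timeout` result points at filtering somewhere in the path, while a refusal means something answered and rejected the connection, either the peer itself or a device in between. A successful connect only shows the port is reachable; it does not rule out the decrypting-proxy case described in the last note.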