Azure Site Recovery reprotect to the primary region - Connection cannot be established to Azure Site Recovery service endpoints.

Ghulam Abbas 151 Reputation points
2024-03-21T12:48:41.77+00:00

Hi, We have ASR setup between 2 of our regions. In the primary region, we have our own custom DNS and using private endpoints and we have firewall in force tunneling mode. As a part of our DR test, we failed-over a test vm from our primary region to the secondary one and when trying to reprotect to the primary location, we are getting this error at "install mobility agent" stage:

Connection cannot be established to Azure Site Recovery service endpoints.

We have read several MS documentation and added all required URL as per https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-troubleshoot-network-connectivity and several others, but still getting the same error. Can we please get some suggestion to get this resolved? We also have the Firewall in the secondary region in force tunneling mode. This seems to be the DNS related issue as our DNS server is in the primary region. Can we please get some advice. Many thanks

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,687 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,142 questions
Azure Site Recovery
Azure Site Recovery
An Azure native disaster recovery service. Previously known as Microsoft Azure Hyper-V Recovery Manager.
634 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. SadiqhAhmed-MSFT 37,686 Reputation points Microsoft Employee
    2024-03-22T10:44:38.7133333+00:00

    @Ghulam Abbas Sorry for the inconvenience caused to you!

    Based on the details shared in the original post, I understand that you were able to perform test failover to secondary region. However, while re-protecting the VM to primary region, you are getting an error at "install mobility agent" stage:

    I know you referred to the troubleshooting guide - https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-troubleshoot-errors#outbound-urls-or-ip-ranges-error-code-151037-or-151072 just wanted to ensure you followed the steps to fix the DNS issue as detailed in the link.
    User's image

    Also refer to this document - Re-protect failed over Azure VMs to the primary region

    User's image

    The error is clear that you cannot reach the endpoint from where the VM will download the agent.

    Connection cannot be established to Azure Site Recovery service endpoints.

    Recommended action to resolve the issue:

    1. If you are using firewall proxy to control outbound network connectivity on the VM, ensure you allow communication to the prerequisite URLs or datacenter IP ranges. Refer to https://aka.ms/a2a-firewall-proxy-guidance
    2. If you are using Azure Network security group (NSG) rules to control outbound network connectivity on the VM, ensure you allow communication to the prerequisite URLs or datacenter IP ranges. Refer to https://aka.ms/a2a-nsg-guidance

    Location and names of logs that provide error information (from all platforms: CS/PS/protected VM)

    On the source VM:

    The ASR and Office365 end points are listed in the file below. Please note these change Geo to Geo.

    C:\ProgramData\Microsoft Azure Site Recovery\Config\RCMInfo.conf

    Hope this helps. Let us know how it goes!

    If the response helped, do "Accept Answer" and up-vote it

    1 person found this answer helpful.
    0 comments