Avamar: VMware File level restore may fail due to NAT configuration

Summary: This knowledge base article aims to address the issues observed when using Avamar File Level Restore (FLR) with network address translation (NAT). FLR operations may fail due to IP mismatches caused by NAT. ...

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

  • FLR jobs initially start but fail to complete.
  • Smaller files (such as 20 KB to 2.7 MB) restore successfully, but larger files (for example, 25 MB or 90 MB) fail.
  • This problem affects all virtual machines file level restore in this particular environment.
  • HTTP server (Jetty) 500 errors appear in access logs during restore attempts.
  • Jetty access log show unusual IP addresses (for example the client IP ending in 0.1 or 0.254 which is likely a gateway address).

Cause

The issue arises from the way FLR handles file transfer operations, depending on the job size:

  1. Tiny Restore Jobs:

    • When the FLR job transfers a small amount of data (total bytes < 5 MB and total files < 10), it uses the vSphere API to restore files. The vSphere API file transfers bypass VM NAT configurations, as the VM guest network is not involved in the transfer.

  2. Large Restore Jobs:

    • For larger FLR jobs that surpass the tiny restore job criteria, Avamar switches to using secure wget/BatchDownload scripts to transfer files more efficiently.
    • This method creates temporary files and tokens to manage the secure transfer, which relies on the client's IP address matching an expected value.

When NAT is enabled in the network, it changes the source IP address of the client in the request. This causes a mismatch between the stored client IP in the token table and the IP address from which the request is made. Therefore the token verification process fails, leading to failure in file restoration.

    Resolution

    The use of NAT with Avamar FLR is not supported. Here are the recommended steps:

    1. Disable DNAT:

      • Work with the network team to disable DNAT for the environment where Avamar FLR is being used. This is the most effective way to ensure that FLR operations can proceed without IP address mismatches.

    2. Identify if DNAT is Enabled:

      • Confirm with the network team if DNAT is enabled. Example logs may show mismatched source IPs like 192.168.1.1, which could be the gateway IP due to DNAT.

    3. Workaround - Disable BatchDownload.exe/wget Workflow:

    As a workaround, you can disable the BatchDownload.exe workflow and force FLR to use vSphere guest file operations instead. This impacts the speed of FLR operations, making them slower.
    I. On the proxy, edit the configuration file: 
    /usr/local/avamarclient/bin/config.xml
    II.  Change the following line from: 
    <enablewgetrestore>1</enablewgetrestore>
    To this:  
    <enablewgetrestore>0</enablewgetrestore>

    III. After making the configuration change, restart the vmwareflr.service. 
    systemctl restart vmwareflr && systemctl restart avagent.service
         

    Affected Products

    Avamar
    Article Properties
    Article Number: 000283981
    Article Type: Solution
    Last Modified: 22 May 2025
    Version:  2
    Find answers to your questions from other Dell users
    Support Services
    Check if your device is covered by Support Services.