Avamar: Client Browsing and Backup Issues

Summary: Admin Graphical User Interface (UI) cannot browse client or run backups (waiting‑client) because the utility node cannot reach the client on its avagent port (default 28002, 28003+, or 30002 with certification). Verify the Domain Name System (DNS) resolves names, ensure avagent runs, test telnet connectivity, and allow ports 28001‑28011/30001‑30011 in firewalls. ...

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

Client Browsing and Backup Issues

Symptoms observed when the Avamar Admin UI cannot communicate with a client.

  • The admin UI cannot browse the client’s file system.
  • Backup jobs remain in a waiting‑client state and never start.
  • Manual backup attempts fail with a "waiting‑client" status.
  • Avagent log on the client contains errors such as:
2017-03-06 05:16:16 avagent Error <5365>: Cannot connect to <ip address>:28001.
2017-03-06 05:16:16 avagent Error <5365>: Cannot connect to AVAMAR_GRID:28001.
  •  Telnet to the client’s listening port (such as, 28002, 28003, 30002) times out or fails to connect.
  • DNS lookup for the client or utility node fails or resolves to an incorrect IP address.
  • The avagent.bin process is not running on the client.
  • Firewall logs indicate blocked ports (such as ports above 28011 or 30011).

Cause

Communication failures between Avamar Utility Node and client

Port and service availability issues:

The Admin UI contacts each client on a specific listening port. If the required port is not open, not listening, or blocked, the UI cannot browse the client and backups remain in a "waiting‑client" state.

  • Linux/UNIX file‑level backups use port 28002 on the client.
  • NDMP clients use ports 28003 and higher (or 30002 when certification authentication is enabled).
  • The Utility node listens on ports 28001 (or 30001 with certification authentication).

Avagent process not running:

If the avagent.bin process is absent on the client, the client does not listen on its assigned port, causing connection failures.

# Verify avagent processes
ps -ef | grep avagent

 Expected output includes one avagent.bin instance per client, each showing its --listenport argument.

DNS resolution problems:

Failure to resolve the Utility node name (for example, AVAMAR_GRID) from the client prevents the client from establishing a TCP connection.

nslookup AVAMAR_GRID

 If the name does not resolve, the client cannot locate the Utility node, leading to backup failures.

Firewall or routing blocks:

Firewalls on either the Utility node or the client may block the required port ranges (28001‑28011, 30001‑30011, etc.), resulting in time‑outs or "no path to server" errors.

# Example of a blocked connection
telnet <ip address> 28001
telnet: connect to address <ip address>: Connection timed out

 Incorrect or missing avfirewall rules

The Avamar‑specific firewall ( avfirewall) on the Utility node blocks ports above 28011 and 30011 by default. If a client uses a higher port, communication is denied.

# Sample avfirewall rule set
exec_rule -A INPUT  -p tcp --dport 28001:28011 -j ACCEPT
exec_rule -A INPUT  -p tcp --dport 30001:30011 -j ACCEPT
Note: Firewall rules blocking the client’s listening port or the Utility node’s service ports prevent browsing and cause backups to remain in a waiting state.

Resolution

Troubleshooting Steps for Admin UI Client Browsing and Backup Failures

1. Verify DNS resolution for the client and the utility node.
Ensure that the client's name and the Avamar Utility Node name resolve to the correct IP addresses.

  • From the client, run a DNS lookup for the utility node.
  • From the utility node, run a DNS lookup for the client.
# On the client
$ nslookup AVAMAR_GRID

# On the utility node
$ nslookup client_name
Caution: Always back up /etc/resolv.conf before editing it.
  • If the name does not resolve, edit /etc/resolv.conf to point to the correct name‑server IPs, then retry the lookup.

2. Confirm that the required ports are reachable.
Test connectivity from the utility node to the client and from the client to the utility node on the ports used by avagent.

  • Identify the client’s listening port (default 28002 for Linux/UNIX file‑level backups, 28003+ for NDMP, 30002 if certification authentication is enabled).
  • From the utility node, telnet to the client’s port.
  • From the client, telnet to the utility node’s port (28001 or 30001).
# From utility node to client
$ telnet client_ip 28002
Trying client_ip….
Connected to client_ip.
Escape character is '^]'.

# From client to utility node
$ telnet AVAMAR_GRID 28001
Trying utility_ip….
Connected to utility_ip.
Escape character is '^]'.
Warning: A timeout or "connection refused" indicates a firewall or routing issue. Do not proceed until the ports are open.
  • Check for the avagent.bin process.
  • If it is not running, start the service.
  • Review the avagent.log for errors.
# Check for avagent processes.
$ ps -ef | grep avagent

# Start the service if missing.
$ service avagent start

# Verify the process again.
$ ps -ef | grep avagent

# View the log (path may vary)
$ cat /usr/local/avamar/var/avagent.log
Note: One avagent.bin process should exist for each client plus one for the Linux utility node.

4. Review and adjust firewall settings.
Both the Avamar firewall (avfirewall) and any host‑based firewall must allow the required port ranges.

  • Temporarily stop avfirewall to rule out blocking.
  • Confirm that the utility node’s firewall rules include the ranges 28001‑28011 and 30001‑30011.
  • If using a host‑based firewall (iptables, firewalld, etc.), add rules to permit the same ranges.
# Stop avfirewall (temporary)
$ service avfirewall stop

# Example iptables rules (adjust as needed)
$ iptables -A INPUT -p tcp --dport 28001:28011 -j ACCEPT
$ iptables -A OUTPUT -p tcp --dport 28001:28011 -j ACCEPT
$ iptables -A INPUT -p tcp --dport 30001:30011 -j ACCEPT
$ iptables -A OUTPUT -p tcp --dport 30001:30011 -j ACCEPT
Warning: Disabling firewalls can expose the system to unauthorized access. Re-enable them after testing and ensure that only the required ports are open.
It is not recommended to manually change the firewall configuration.
On the next upgrade, this data will be lost.
It is recommended to use the edit-firewall-rules.sh or goav scripts to update the IP access list.
 
Avamar server:
Details on running the edit-firewall-rules.sh can be found in KB 19911.
Avamar: How to add or remove custom Avamar firewall rules with edit-firewall-rules.sh

Or

NDMP accelerator:
Goav ndmp firewall [command]
Avamar: How to Use Goav Network Data Management Protocol Firewall Menu
This walks you through the same configuration as the edit-firewall-rules.sh but in a simpler process.
 
5. Register the client using its IP address (workaround for DNS issues)
If DNS cannot be corrected quickly, register the client to the grid by IP.

 

# Run avregister on the client
$ avregister -g AVAMAR_GRID -i client_ip

Note: Using the IP address bypasses name resolution but does not replace a proper DNS fix.

6. Validate the resolution

  • From the Avamar Admin UI, attempt to browse the client.
  • Initiate a manual backup and verify that it no longer shows "waiting‑client."
  • Re‑run the telnet tests to confirm ports remain open.
  • Check the backup logs for successful completion.
# Example backup log snippet indicating success
[2025-10-13 10:45:22] INFO Backup job completed successfully for client_name

 

If the issue persists after completing all steps, contact Dell Support and provide the log excerpts and firewall rule set.

Affected Products

Avamar

Products

Avamar
Article Properties
Article Number: 000065540
Article Type: Solution
Last Modified: 14 Oct 2025
Version:  4
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.