Skip to main content

NAS Backup Failing with Druva Error 290 – AWS EFS Mount Access Denied

NAS Backup Failing with Druva Error 290 – AWS EFS Mount Access Denied

Updated over 3 weeks ago

Problem description

NAS backup jobs for a specific AWS EFS share (fs-0xxxxxxxxxxxxxxxx) are consistently failing with Error 290 – mount failure when using Druva. While other EFS shares on the same NAS proxy may function correctly, this particular EFS file share consistently fails to mount, preventing the backup from completing.

Cause

The failure occurs because the AWS EFS file system policy lacks the necessary IAM permissions to authorize the connection. Specifically, the actions elasticfilesystem:ClientMount, elasticfilesystem:ClientWrite, and elasticfilesystem:ClientRead are missing or explicitly denied for the EC2 instance role acting as the Druva NAS proxy. Without these permissions, the AWS EFS service denies the mount request at the protocol level.

Traceback

Download the logs from the Druva console and inspect the nas_<jobid>.log file for the following entries:

Plaintext

Error 290 – Mount Failure mount.nfs: access denied by server while mounting fs-0xxxxxxxxxxxxxxxx.efs.<aws_region>.amazonaws.com:/ nfsexports.c:115: nfs_service failed backup.go:517: Unable to create NFS Filesystem, I/O error code:-5 mount_point_unix.go:51: Connection timed out backup.go:227: Mount failed backup.go:102: Backup job Failed REST Server Crash main.go:263: Rest Server Exited unexpectedly

Resolution

1. Verify Proxy Connectivity

  • Confirm that the NAS proxy EC2 instance has a valid network path to the EFS mount targets via the VPC.

  • Validate DNS resolution: Run dig fs-0xxxxxxxxxxxxxxxx.efs.<aws_region>.amazonaws.com to ensure the proxy can resolve the EFS endpoint.

2. Review and Update EFS File System Policy

  • Navigate to the AWS EFS Console and select the affected file system.

  • Click on the File system policy tab.

  • Ensure the policy grants the following permissions to the IAM Role attached to your Druva NAS Proxy:

    • elasticfilesystem:ClientMount

    • elasticfilesystem:ClientRead

    • elasticfilesystem:ClientWrite (Required if performing restores or metadata updates)

3. Verify Security Groups

  • Confirm that the EFS Security Group allows inbound traffic on TCP Port 2049 (NFS) from the NAS Proxy's Security Group or IP address.

4. Manual Mount Test

Perform a manual mount on the proxy to isolate the issue from the Druva agent:

  1. Create a temporary directory: mkdir /tmp/efs_test

  2. Attempt to mount: sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport <fs-id>.efs.<region>.amazonaws.com:/ /tmp/efs_test

  3. If this fails with "Access Denied," the issue remains within the AWS Policy or IAM configuration.

Verification

  1. Manual Check: Successfully list files in the manual mount point created in the resolution steps (ls /tmp/efs_test).

  2. Druva Console: Trigger a manual backup of the NAS share.

  3. Log Confirmation: Monitor nas_<jobid>.log to ensure the "Mount failed" error no longer appears and the status transitions to "Backing up."

Related Articles
Support for Amazon FSx for Windows and Amazon EFS
NAS backup completes successfully but generates errors related to file access.
Unable to upgrade NAS Proxies from Druva Console
NAS NFS Share backup failed with Error 265
NAS Backup Fails with "failed to mount nas share as given network path not found" Error
Did this answer your question?