
VMware backups fail with error code VMWARE_VDDK1


Updated today

Problem Description

  • VMware snapshot backups fail with error code VMWARE_VDDK1. The backup job fails while opening one or more VMDK files, and the logs indicate SSL and NFC connectivity issues between the backup proxy and the ESXi host.

  • Although the error message suggests a disk permission issue, the failure is typically caused by SSL certificate validation errors on the ESXi host, which prevent successful NFC (port 902) communication required by VMware VDDK.

Symptoms

You may observe one or more of the following:

  • Backup jobs fail with error VMWARE_VDDK1

  • Phoenix logs report:

    • You do not have access rights to one or more vmdk files

  • VDDK logs show:

    • Failed to connect to peer

    • certificate verify failed

    • unable to get local issuer certificate

  • NFC connection failures on port 902

Traceback

Phoenix Job Logs

Location: PhoenixLogs-Job<jobid>\<backupset>\PhoenixJob<jobid>\Phoenix.<timestamp>

[ERROR] VDDK error[13] You do not have access rights to this file.

[ERROR] Failed to open the Disk <vm-name>.vmdk

(Error Code : VMWARE_VDDK1)

VDDK Logs

Location: PhoenixLogs-Job<jobid>\<backupset>\PhoenixJob<jobid>\VDDK.zip

[NFC ERROR] Failed to connect to peer

SSL Error: certificate verify failed

unable to get local issuer certificate

Couldn't connect to <esx-host>:902
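
The following triage script is an added example, not part of the original article or of any Druva or VMware tooling. It scans the text of the two logs for the signatures shown above and reports whether the VMWARE_VDDK1 failure points to the ESXi host certificate or to port 902 connectivity rather than to disk permissions. The function name, verdict labels, and sample host name are assumptions made for illustration.

```python
import re

# Signatures copied from the log excerpts above; matching is case-insensitive.
CERT_MARKERS = ("certificate verify failed",
                "unable to get local issuer certificate")
NFC_MARKER = "failed to connect to peer"
ACCESS_MARKER = "you do not have access rights"
PORT_902 = re.compile(r"Couldn't connect to (\S+):902", re.IGNORECASE)


def triage(phoenix_log: str, vddk_log: str) -> dict:
    """Classify a VMWARE_VDDK1 failure from the text of both logs."""
    vddk = vddk_log.lower()
    cert_hits = [m for m in CERT_MARKERS if m in vddk]
    hosts = sorted(set(PORT_902.findall(vddk_log)))
    nfc_failed = NFC_MARKER in vddk or bool(hosts)
    access_error = ACCESS_MARKER in phoenix_log.lower()

    # Verdict names are this example's own labels, not product codes.
    if cert_hits:
        verdict = "certificate"         # ESXi host certificate (Steps 1-3)
    elif nfc_failed:
        verdict = "network"             # port 902 path (Step 4)
    elif access_error:
        verdict = "access_rights_only"  # no SSL/NFC evidence in VDDK log
    else:
        verdict = "unknown"
    return {"verdict": verdict, "cert_errors": cert_hits,
            "hosts": hosts, "access_error": access_error}


# Constructed sample input modelled on the excerpts; host name is a placeholder.
SAMPLE_PHOENIX = """\
[ERROR] VDDK error[13] You do not have access rights to this file.
[ERROR] Failed to open the Disk vm01.vmdk
(Error Code : VMWARE_VDDK1)
"""
SAMPLE_VDDK = """\
[NFC ERROR] Failed to connect to peer
SSL Error: certificate verify failed
unable to get local issuer certificate
Couldn't connect to esx01.example.test:902
"""

if __name__ == "__main__":
    print(triage(SAMPLE_PHOENIX, SAMPLE_VDDK))
```

Pass it the text of the Phoenix job log and of the log files extracted from VDDK.zip. The hosts it returns are the ESXi hosts to examine in the Resolution steps.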

Cause

This issue can occur due to one or more of the following reasons:

  • The SSL certificate on the ESXi host is expired or outdated

  • The ESXi host is unable to retrieve the latest SSL certificate from vCenter

  • SSL trust mismatch between vCenter and ESXi

  • NFC (port 902) connectivity failure caused by certificate validation errors

Resolution

Step 1: Validate the ESXi Host Certificate

  1. Migrate the affected virtual machine to another ESXi host in the same cluster.

  2. Trigger the backup again.

If the backup succeeds on the new host, it confirms that the original ESXi host has an expired or outdated SSL certificate.

Step 2: Renew the ESXi Host SSL Certificate

Renew the SSL certificate on the affected ESXi host using VMware-recommended procedures.

Ensure that:

  • The host retrieves the latest certificate from vCenter

  • The certificate chain is valid and trusted

Step 3: Reboot the ESXi Host (If Required)

If the issue persists after certificate renewal:

  1. Migrate all virtual machines off the affected ESXi host.

  2. Reboot the ESXi host.

  3. Allow the host to re-register and retrieve updated certificates from vCenter.

Step 4: Verify Network Connectivity

  • Ensure that port 902 is open between the backup proxy and the ESXi host.

  • Confirm that no firewall or security device is blocking NFC traffic.

Verification

After completing the above steps:

  • Re-trigger the failed backup jobs

  • Monitor Phoenix and VDDK logs for errors

  • Confirm successful snapshot creation and disk access
