Backup job issue, incorrect function with Synology backup repository


Userlevel 7
Badge +13

Problem:

 

Like a shooting star, sometimes can happens that some backup job on a Synology NAS fails with this error:

Error: Incorrect function. Agent failed to process method {ReFs.SetFileIntegrity}.

with VB&R 11.0.1.1261 and DMS 7.0.1 with a SMB share.

It seems to be related to “Fast clone” feature inside Synology control panel.

 

 

Solution:

 

Adding this registry key in the VB&R machine seems to solve the issue

[HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication]

"UseCifsVirtualSynthetic"=dword:00000000

 

As reported in this thread, that registry key tweaks the full fast clone feature.

https://forums.veeam.com/microsoft-hyper-v-f25/error-incorrect-function-agent-failed-to-process-method-refs-setfileintegrity-t68754.html

 

 

More about this topic:

All said above, I found this topic on reddit where the issue is present on Veeam 9.5u4 and always a Synology NAS

https://www.reddit.com/r/Veeam/comments/omridr/synology_ds1821_and_veeam_95u4/

What is Fast clone:

https://kb.synology.com/en-id/DSM/help/DSM/AdminCenter/file_service_advanced_introduction?version=7


16 comments

Userlevel 7
Badge +20

Yes, but I just found that disabling feature on Synology NAS don’t solve the error. 🤔

With that reg (and switching to Active full) it goes smoothly.

That’s interesting, I wonder if readding the repository after removing the feature would be required, I don’t know how frequently Veeam would check if Fast Clone is still supported on an existing repo, as generally these attributes wouldn’t change.

Userlevel 7
Badge +12

You’re right in the case of attacker got GUI on VB&R machine and then access to veeam console, but in the case of attacker gain system shell this can’t happen (or at least I think 🤔)

 

@marcofabbri

Credentials can exported in a decrypted format in VBR PowerShell (The command was posted some years ago in the forums). MFA in the console doesn’t protect you against that :)

Userlevel 7
Badge +13

From a security perspective it won't matter much how the NAS is accessed. If an attacker gets access to the VBR server or console, you'll lose everything anyway; except if you have air-gapped or immutable backups.

But thanks for posting this @marcofabbri. I didn't know that fast clone also works via SMB. Just wondering why Veeam tries to use it if it's BTRFS, which isn't supported.

Userlevel 7
Badge +20

Thanks for sharing, it’s frustrating that we have to use that registry key as that’s the equivalent of turning off fast clone from the NAS from what I see, you don’t leverage fast clone anymore and therefore don’t get any space savings 😞

 

Can you confirm that’s what you see with your synthetic fulls now?

Userlevel 7
Badge +13

Yes, but I just found that disabling feature on Synology NAS don’t solve the error. 🤔

With that reg (and switching to Active full) it goes smoothly.

Userlevel 7
Badge +13

Yes, but I just found that disabling feature on Synology NAS don’t solve the error. 🤔

With that reg (and switching to Active full) it goes smoothly.

That’s interesting, I wonder if readding the repository after removing the feature would be required, I don’t know how frequently Veeam would check if Fast Clone is still supported on an existing repo, as generally these attributes wouldn’t change.

 

Yes, it’s a possibility!

Userlevel 7
Badge +17

Thank you for the workaround.

Do you have to use the Synology with a NAS (SMB) share? Is the problem with iSCSi present, too?

I used a SMB share for a repository only once. There were problem the whole time

 Since then I use iSCSI or FC connections everytime.

Userlevel 7
Badge +13

Thank you for the workaround.

Do you have to use the Synology with a NAS (SMB) share? Is the problem with iSCSi present, too?

I used a SMB share for a repository only once. There were problem the whole time

 Since then I use iSCSI or FC connections everytime.

On reddit discussion they say that iSCSi configuration don’t present the issue.

But @JMeixner do you connect the iSCSI directly on VB&R machine? Because it’s a security weak if an attacker got access to that machine.

Userlevel 7
Badge +17

Thank you for the workaround.

Do you have to use the Synology with a NAS (SMB) share? Is the problem with iSCSi present, too?

I used a SMB share for a repository only once. There were problem the whole time

 Since then I use iSCSI or FC connections everytime.

On reddit discussion they say that iSCSi configuration don’t present the issue.

But @JMeixner do you connect the iSCSI directly on VB&R machine? Because it’s a security weak if an attacker got access to that machine.

Yes, with a private VLAN for the iSCSi and mutual chap authentication

Userlevel 7
Badge +13

Thank you for the workaround.

Do you have to use the Synology with a NAS (SMB) share? Is the problem with iSCSi present, too?

I used a SMB share for a repository only once. There were problem the whole time

 Since then I use iSCSI or FC connections everytime.

On reddit discussion they say that iSCSi configuration don’t present the issue.

But @JMeixner do you connect the iSCSI directly on VB&R machine? Because it’s a security weak if an attacker got access to that machine.

Yes, with a private VLAN for the iSCSi and mutual chap authentication

Ok, but with this method if an attacker gain a shell/access as administrator can browse iscsi folder as a local disk and operate directly from that machine. I prefer SMB share because there’s an other different password, that windows isn’t aware of, to protect backups.
I’m absolutely not criticizing your way (hope my english doesn’t sounds like that), I’m just write-thinking!

Userlevel 7
Badge +20

Thank you for the workaround.

Do you have to use the Synology with a NAS (SMB) share? Is the problem with iSCSi present, too?

I used a SMB share for a repository only once. There were problem the whole time

 Since then I use iSCSI or FC connections everytime.

On reddit discussion they say that iSCSi configuration don’t present the issue.

But @JMeixner do you connect the iSCSI directly on VB&R machine? Because it’s a security weak if an attacker got access to that machine.

Yes, with a private VLAN for the iSCSi and mutual chap authentication

Ok, but with this method if an attacker gain a shell/access as administrator can browse iscsi folder as a local disk and operate directly from that machine. I prefer SMB share because there’s an other different password, that windows isn’t aware of, to protect backups.
I’m absolutely not criticizing your way (hope my english doesn’t sounds like that), I’m just write-thinking!

On this topic, the password would be stored within Veeam’s database wouldn’t it? So it would be extractable? Interested in your thoughts on this.

 

From a reliability & performance perspective I’d only use a NAS if it was presenting LUNs due to all of the protocol issues with SMB/NFS.

 

In all scenarios these are less secure than DAS and hardened repo, especially since to delete the data from the NAS we could just open Veeam and delete the backups from the NAS via the GUI, no need for credentials

Userlevel 7
Badge +13

In all scenarios these are less secure than DAS and hardened repo, especially since to delete the data from the NAS we could just open Veeam and delete the backups from the NAS via the GUI, no need for credentials

Oh. Never thought about that.

You’re right in the case of attacker got GUI on VB&R machine and then access to veeam console, but in the case of attacker gain system shell this can’t happen (or at least I think 🤔)

Fortunately with ver.12 we’ll get MFA on VB&R console!

On this topic, the password would be stored within Veeam’s database wouldn’t it? So it would be extractable? Interested in your thoughts on this.

Absolutely with a “classic SMB”, but not in case of hardened repository with single-use credentials!

But as Rick once said “anyone on a network with administrative access & unlimited time will eventually do something bad.”

Userlevel 7
Badge +17

Interesting discussion.

I am glad to hear your opinions about this.

Userlevel 7
Badge +13

You’re right in the case of attacker got GUI on VB&R machine and then access to veeam console, but in the case of attacker gain system shell this can’t happen (or at least I think 🤔)

 

@marcofabbri

Credentials can exported in a decrypted format in VBR PowerShell (The command was posted some years ago in the forums)

MFA doesn’t protect you against that :)

Oh thanks @Mildur  now I’m so curious about that script!!

Userlevel 7
Badge +13

Still working on version 12.

Now there’s even a KB about: https://www.veeam.com/kb4381

Userlevel 7
Badge +20

Thanks for sharing this.  I use Synology at home so will test this out for sure as that is my backup appliance along with VMs, etc.

All-in-one 😋😂

Comment