Veeam 9.5 FLR from NetApp storage fails using NFS

If you are using NFS volumes from a NetApp cDOT Cluster as datastore and you want to do a File Level Restore (FLR) with Veeam 9.5 the datastore fails to mount with permission denied from server.

This is because Veeam makes a new Export Rule in your root Export Policy if you have set the ip address of your ESXi to read-only as per Best Practises of NetApp. Veeam puts the new rule as number 1. So it is not possible to mount the datastore obviously:

cluster::> export-policy rule show -vserver vmwaresvm -fields rorule,rwrule
vserver policyname ruleindex rorule rwrule ipaddress
———– ——————- ——— —— —— ———–
vmwaresvm ex_vmwaresvm_lab1 8 any any  10.10.1.20
vmwaresvm ex_vmwaresvm_lab1 9 any any  10.10.1.21
vmwaresvm ex_vmwaresvm_lab1 10 any any 10.10.1.22
vmwaresvm ex_vmwaresvm_root 1 none any 10.10.1.20
vmwaresvm ex_vmwaresvm_root 9 any none 10.10.1.20
vmwaresvm ex_vmwaresvm_root 10 any none 10.10.1.21
vmwaresvm ex_vmwaresvm_root 11 any none 10.10.1.22

The workaround is to set the Export Rule for the ip address of the ESXi to read-write before the restore:

cluster::> export-policy rule show -vserver vmwaresvm -fields rorule,rwrule
vserver policyname ruleindex rorule rwrule ipaddress
———– ——————- ——— —— —— ———–
vmwaresvm ex_vmwaresvm_lab1 8 any any 10.10.1.20
vmwaresvm ex_vmwaresvm_lab1 9 any any 10.10.1.21
vmwaresvm ex_vmwaresvm_lab1 10 any any 10.10.1.22
vmwaresvm ex_vmwaresvm_root 9 any any 10.10.1.20
vmwaresvm ex_vmwaresvm_root 10 any any 10.10.1.21
vmwaresvm ex_vmwaresvm_root 11 any any 10.10.1.22

In my opinion it is not a secure workaround because someone can mount your SVM root volume and write to it.

Let me know if you have the same issues…

BTW the same problem exists with Veeam 9.0 but the new rule will not be placed as number 1 so it works as expected…

UPDATE: This problem is solved with Veeam 9.5U2 by unchecking the following tick: