Unable to connect to Cache Service Endpoint due to port blockage

 

When an on-premises client tries to connect to the new Cache Service (Preview) endpoint it might sometimes get below error

 

ErrorCode<ERRCA0017>:SubStatus<ES0006>:There is a temporary failure. Please retry later. (One or more specified cache servers are unavailable, which could be caused by busy network or servers. For on-premises cache clusters, also verify the following conditions.

Ensure that security permission has been granted for this client account,

and check that the AppFabric Caching Service is allowed through the firewall on all cache hosts.

Also the MaxBufferSize on the server must be greater than or equal to the serialized object size sent from the client.). Additional Information : The client was trying to communicate with the server: net.tcp://<cache endpoint>.cache.windows.net:24233.

 

One of the reasons can be that the port no. given in the error (24233 in this case) is blocked on the machine or in the network. A quick way to verify port blockage is to run a telnet test on the cache service endpoint and the port no. from error. If it fails then it means that the port is blocked. Here is a sample telnet command that I ran for my cache endpoint

telnet blahcache.cache.windows.net 24233

and

telnet blahcache.cache.windows.net 22233

 

You must open outbound communication for the port no. given in the error to fix this error. Also ensure that the default cache port 22233 is also open for outbound communication.

 

Ideally the ports that must be open for outbound communication in your firewall/ network for Cache Service are

NonSSL: 24233 and range 22233 to 22265

SSL: 25233 and range 23233 to 23265

 

When you provision a cache service endpoint it internally provisions VMs of appropriate sizes for you so that the endpoint front ends the request but the data is distributed across those VMs (as noted by ScottGu).

So the way this works is when the client makes the very first connection to cache service it talks over port 24233 (non SSL) or 25233 (SSL) and then it downloads the internal topology of how many service instances are laid out for you. Every service instance would listen on a port, for non SSL it starts from 22233 and for SSL it starts from 23233 and since the client knows the instance ids it just adds instance ids to the starting port to determine the instance it wants to talk to.

Every cache size unit corresponds to a VM internally hence total cache size divided by cache unit is the no. of VM provisioned and the ports. E.g. for five VMs the ports should be from 22233 to 22237 (non SSL) and 23233 to 23237 (SSL).