
How to connect to a ZCC via SSH and perform connectivity troubleshooting steps



A Zerto administrator may require ZCC access to perform network troubleshooting between tenants and cloud sites.  For this reason, we are providing an SSH key for customers to access the ZCC via SSH. 

**Note: This KB applies to newly deployed ZCCs from Zerto version 7.0 and newer, and not to existing ZCCs that were installed prior to version 7.0.**


Starting from Zerto version 7.0, the Zerto Virtual Replication installation folder will contain a sub-folder called Secrets. Please note that only a user account with administrative access on the ZVM server can access this folder. 

The Secrets folder will contain a file named ssh.ppk which can be loaded into PuTTY to securely connect to the ZCC via SSH as the "root" user (no password required). 


To connect to the ZCC, follow these steps: 

  1. Once you have located the ssh.ppk file in the Secrets folder, open PuTTY, which is also located in the ZVR installation folder, and navigate to the Auth menu (Connection -> SSH -> Auth).

  2. Click on the "Browse" button and load the SSH key file into PuTTY.

  3. Navigate to the "Session" menu, enter the ZCC's IP address in the "Host Name (or IP address)" bar, and click "Open".

  4. Click Yes on the host's SSH fingerprint alert.

  5. Use "root" as the username and press "Enter".

You should now be logged in to the ZCC.


Network Troubleshooting:

Collect the Environmental information:
• Source Customer ZVM IP =
• Source VRA IPs =
• Customer / Org facing IP (eth1) of the ZCC =
• Cloud (MSP) facing IP (eth0) of the ZCC =
• Managed Service Provider VRA IPs =
• Managed Service Provider ZVM IP =

First, use the following ZCC commands to view the VRAs <--> ZCC port forwarding rules:

  • Type: iptables-save > iptables.txt
  • Type: less iptables.txt

From the Source ZVM to the ZCC: 

Telnet from Source Customer ZVM IP -> Customer / Org facing IP (eth1) of the ZCC
(Port 9081 if the version is < 8.0 on one or both ZVMs, or port 9071 if the version is >= 8.0 on both ZVMs)


From the ZCC to the VRAs: 

To check the connection between the ZCC and the Cloud's/Tenant's VRAs, run a continuous ping followed by a Telnet over ports 4007 + 4008 to at least one VRA in each site to make sure there is no packet loss and that none of the required ports of communication are blocked.

From the VRAs to the ZCC: 

Then, connect to at least one VRA (following the KB: "Connecting to a VRA via SSH") on the Cloud's site and one VRA on the Tenant's site and check the connection to the ZCC's cloud facing NIC and customer-facing NIC respectively via continuous ping and Telnet over the ports specified in the iptables.txt file for each VRA.
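
To find the ports to test without reading iptables.txt line by line, the following added example (not part of the original KB or of Zerto's tooling) lists each forwarding rule and the forwarded ports per ZCC interface. It assumes the port forwarding appears as standard DNAT rules in iptables-save format; the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize DNAT (port-forwarding) rules from an iptables-save dump.
# Output columns: in-interface, protocol, listening port, forward target.
list_forwards() {
    awk '
    $1 == "-A" {
        iface = "any"; proto = "any"; dport = ""; dest = ""; jump = ""
        for (i = 2; i < NF; i++) {
            if ($i == "-i") iface = $(i + 1)
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "-j") jump = $(i + 1)
            else if ($i == "--to-destination") dest = $(i + 1)
        }
        # Only rules that forward a listening port to another host are relevant.
        if (jump == "DNAT" && dport != "" && dest != "")
            print iface, proto, dport, dest
    }' "$1"
}

# Ports forwarded on one interface: eth0 (cloud facing) or eth1 (customer facing).
ports_on_iface() {
    list_forwards "$1" | awk -v want="$2" '$1 == want { print $3 }' | sort -n | paste -s -d ' ' -
}

# Constructed sample dump (not from a real ZCC); addresses are documentation ranges.
write_sample() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 9081 -j DNAT --to-destination 192.0.2.10:9081
-A PREROUTING -i eth1 -p tcp -m tcp --dport 4007 -j DNAT --to-destination 192.0.2.21:4007
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4008 -j DNAT --to-destination 198.51.100.31:4008
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Stand-alone use: sh this_script.sh iptables.txt
if [ -n "${1:-}" ]; then
    list_forwards "$1"
fi
```

A port that is expected from the environment information but missing from this output points to a missing forwarding rule on the ZCC rather than a blocked path, which narrows where to look before running the ping and Telnet checks.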