Article number
Affected Versions
Source Hypervisor
Target Hypervisor

How to connect to a ZCC using plink

Viewed 495 times


An administrator may wish to access a ZCC in their environment to perform various tasks, such as connectivity tests and troubleshooting steps guided by Support.  

Since Zerto version 7.0 and newer, you will now have access to the ZCC via an SSH key located in the ZVR installation directory. Please note that this ONLY applies to ZCCs that have been deployed on ZVR 7.0 and newer. This will not work on a ZCC that have been upgraded to ZVR 7.0. 



Starting in version 7.0, Zerto has enabled using plink to run commands on the ZCC. Plink is a command-line connection tool that comes as a part of the PuTTY suite, which exists in the ZVR installation folder.  

The SSH key file is located in the ZVM installation folder, in a folder named ‘Secrets’. The default location is 'C:\Program Files\Zerto\Zerto Virtual Replication\'. Please note that only a user account with administrative access on the ZVM VM can access the secrets folder. 

In order to use plink, open CMD in the ZVM installation folder, then, run your desired command in the following syntax: 
plink -i <path to key file> <user>@<ZCC IP address> “<command>”

Common connectivity troubleshooting commands: 

  • Pinging peer VRA: 

plink -i Secrets/ssh.ppk root@<ZCC IP address> “ping -c 20 <Peer VRA Address>”

If packet loss is apparent, then a site disconnection error is expected in the ZVR GUI, as Zerto requires zero packet loss. 

  • Telnet to a peer VRA:

plink -i Secrets/ssh.ppk root@<ZCC IP address> “timeout 3 telnet <Peer VRA/ZCC Address> <port>”

Note: The ZCC communicates with VRAs over ports 4007 and 4008. If one of the ports above is blocked, then a site disconnection error in the ZVR GUI is expected. 

If the issue was still not diagnosed, please open a Support ticket with the findings from the actions described above. 

The IP tables

To view the list of port forwarding rules made by the ZCC, and determine which port is used to communicate with which VRA, you can review the IPtables configured on the ZCC VM. 

It is important to understand that the ZCC has two NICs attached to it. eth0, which is the cloud ZVM facing NIC, and eth1, which is facing the customer’s ZVM.  

Now run the following command:
plink -i Secrets/ssh.ppk root@<ZCC IP address> “iptables-save”   

Go through the output and look for the section where entries start with “-A PREROUTING”. 

The proper way to read these entries is as follows: 
-A PREROUTING -i <NIC of incoming traffic> -p tcp -m tcp --dport <incoming port> -j DNAT --to-destination <destination host>:<destination port>

Let’s review an example rule: 
-A PREROUTING -i eth1 -p tcp -m tcp --dport 9081 -j DNAT --to-destination

This means that any incoming traffic to eth1 (customer-facing NIC) over port 9081 will be forwarded to the host with an IP of over port 9081. 

We can use this information to troubleshoot network issues, as described in the ping and telnet sections above.  


  • The ZCC will always forward the communication to VRAs on both the customer’s and the cloud’s sites over ports 4007 and 4008, and ZVMs over port 9081. The port range that starts from 9082+ is for incoming traffic into the ZCC. To troubleshoot network connectivity issues, refer to the ping and telnet sections above. 
  • You should be able to telnet successfully to all VRAs over ports 4007 and 4008. You should also be able to telnet the customer’s ZVM over port 9081, but telnet to the Cloud ZVM over port 9081 is expected to fail. 
  • Do not attempt to alter the iptables. This could cause severe issues to the ZCC.