<html><body><p><font size="2">Simon,</font><br><br><font size="2">Depending on what functions are being used in Scale, other ports may also get used, as documented in</font><br>
<ul><a href="https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.0/com.ibm.spectrum.scale.v5r00.doc/bl1adv_firewall.htm"><font size="2">https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.0/com.ibm.spectrum.scale.v5r00.doc/bl1adv_firewall.htm</font></a></ul><br><font size="2">On the other hand, I'd initially speculate that you might be hitting a problem in mmnetverify itself. (perhaps some aspect in </font><font face="Calibri">mmnetverify </font><font size="2">is not taking into account that ports other than 22, 1191, 60000-61000 may be getting blocked by the firewall)</font><br><br><font size="2">Could you open a PMR for this one?</font><br><br><font size="2">Thanks,</font><br><br><font size="2"> Felipe</font><br><br><font size="2">----<br>Felipe Knop knop@us.ibm.com<br>GPFS Development and Security<br>IBM Systems<br>IBM Building 008<br>2455 South Rd, Poughkeepsie, NY 12601<br>(845) 433-9314 T/L 293-9314<br><br></font><br><br><img width="16" height="16" src="cid:1__=8FBB09B8DFD54F6D8f9e8a93df938690918c8FB@" border="0" alt="Inactive hide details for Simon Thompson ---10/19/2018 06:41:27 AM---Hi, We’re having some issues bringing up firewalls on som"><font size="2" color="#424282">Simon Thompson ---10/19/2018 06:41:27 AM---Hi, We’re having some issues bringing up firewalls on some of our NSD nodes. The problem I was actua</font><br><br><font size="2" color="#5F5F5F">From: </font><font size="2">Simon Thompson <S.J.Thompson@bham.ac.uk></font><br><font size="2" color="#5F5F5F">To: </font><font size="2">"gpfsug-discuss@spectrumscale.org" <gpfsug-discuss@spectrumscale.org></font><br><font size="2" color="#5F5F5F">Date: </font><font size="2">10/19/2018 06:41 AM</font><br><font size="2" color="#5F5F5F">Subject: </font><font size="2">[gpfsug-discuss] Spectrum Scale and Firewalls</font><br><font size="2" color="#5F5F5F">Sent by: </font><font size="2">gpfsug-discuss-bounces@spectrumscale.org</font><br><hr width="100%" size="2" align="left" noshade style="color:#8091A5; "><br><br><br><font face="Calibri">Hi,</font><br><font face="Calibri"> </font><br><font face="Calibri">We’re having some issues bringing up firewalls on some of our NSD nodes. The problem I was actually trying to diagnose I don’t think is firewall related but still …</font><br><font face="Calibri"> </font><br><font face="Calibri">We have port 22 and 1191 open and also 60000-61000, we also set:</font><br><font face="Calibri"># mmlsconfig tscTcpPort</font><br><font face="Calibri">tscTcpPort 1191</font><br><font face="Calibri"># mmlsconfig tscCmdPortRange</font><br><font face="Calibri">tscCmdPortRange 60000-61000</font><br><font face="Calibri"> </font><br><a href="https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.0/com.ibm.spectrum.scale.v5r00.doc/bl1adv_firewallforinternalcommn.htm"><u><font color="#0563C1" face="Calibri">https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.0/com.ibm.spectrum.scale.v5r00.doc/bl1adv_firewallforinternalcommn.htm</font></u></a><br><font face="Calibri">Claims this is sufficient …</font><br><font face="Calibri"> </font><br><font face="Calibri">Running mmnetverify:</font><br><font face="Calibri"># mmnetverify all --target-nodes rds-er-mgr01</font><br><font face="Calibri"> </font><br><font face="Calibri">rds-pg-mgr01 checking local configuration.</font><br><font face="Calibri"> Operation interface: Success.</font><br><font face="Calibri"> </font><br><font face="Calibri">rds-pg-mgr01 checking communication with node rds-er-mgr01.</font><br><font face="Calibri"> Operation resolution: Success.</font><br><font face="Calibri"> Operation ping: Success.</font><br><font face="Calibri"> Operation shell: Success.</font><br><font face="Calibri"> Operation copy: Success.</font><br><font face="Calibri"> Operation time: Success.</font><br><font face="Calibri"> Operation daemon-port: Success.</font><br><font face="Calibri"> Operation sdrserv-port: Success.</font><br><font face="Calibri"> Operation tsccmd-port: Success.</font><br><font face="Calibri"> Operation data-small: Success.</font><br><font face="Calibri"> Operation data-medium: Success.</font><br><font face="Calibri"> Operation data-large: Success.</font><br><font face="Calibri">Could not connect to port 46326 on node rds-pg-mgr01 (10.20.0.56): timed out.</font><br><font face="Calibri">This may indicate a firewall configuration issue.</font><br><font face="Calibri"> Operation bandwidth-node: Fail.</font><br><font face="Calibri"> </font><br><font face="Calibri">rds-pg-mgr01 checking cluster communications.</font><br><font face="Calibri"> </font><br><font face="Calibri">Issues Found:</font><br><font face="Calibri">rds-er-mgr01 could not connect to rds-pg-mgr01 (TCP, port 46326).</font><br><font face="Calibri"> </font><br><font face="Calibri">mmnetverify: Command failed. Examine previous error messages to determine cause.</font><br><font face="Calibri"> </font><br><font face="Calibri"> </font><br><font face="Calibri">Note that the port number mentioned changes if we run mmnetverify multiple times. The two clients in this test are running 5.0.2 code. If I run in verbose mode I see:</font><br><font face="Calibri"><snip></font><br><font face="Calibri"> Checking network communication with node rds-er-mgr01.</font><br><font face="Calibri"> Port range restricted by cluster configuration: 60000 - 61000.</font><br><font face="Calibri"> rds-er-mgr01: connecting to node rds-pg-mgr01.</font><br><font face="Calibri"> rds-er-mgr01: exchanged 256.0M bytes with rds-pg-mgr01.</font><br><font face="Calibri"> Write size: 16.0M bytes.</font><br><font face="Calibri"> Network statistics for rds-er-mgr01 during data exchange:</font><br><font face="Calibri"> packets sent: 68112</font><br><font face="Calibri"> packets received: 72452</font><br><font face="Calibri"> Network Traffic between rds-er-mgr01 and rds-pg-mgr01 port 60000 ok.</font><br><font face="Calibri"> Operation data-large: Success.</font><br><font face="Calibri"> Checking network bandwidth.</font><br><font face="Calibri"> rds-er-mgr01: connecting to node rds-pg-mgr01.</font><br><font face="Calibri">Could not connect to port 36277 on node rds-pg-mgr01 (10.20.0.56): timed out.</font><br><font face="Calibri">This may indicate a firewall configuration issue.</font><br><font face="Calibri"> Operation bandwidth-node: Fail.</font><br><font face="Calibri"><snip></font><br><font face="Calibri"> </font><br><font face="Calibri">So for many of the tests it looks like its using port 60000 as expected, is this just a bug in mmnetverify or am I doing something silly?</font><br><font face="Calibri"> </font><br><font face="Calibri">Thanks</font><br><font face="Calibri"> </font><br><font face="Calibri">Simon</font><tt><font size="2">_______________________________________________<br>gpfsug-discuss mailing list<br>gpfsug-discuss at spectrumscale.org<br></font></tt><tt><font size="2"><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss">http://gpfsug.org/mailman/listinfo/gpfsug-discuss</a></font></tt><tt><font size="2"><br></font></tt><br><br><BR>
</body></html>