<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
tt
{mso-style-priority:99;
font-family:"Courier New";}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-GB" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Just to close the loop on this, IBM support confirmed it’s a bug in mmnetverify and will be fixed in a later PTF. (I didn’t feel the need for an EFIX for this)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Simon<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black"><gpfsug-discuss-bounces@spectrumscale.org> on behalf of Simon Thompson <S.J.Thompson@bham.ac.uk><br>
<b>Reply-To: </b>"gpfsug-discuss@spectrumscale.org" <gpfsug-discuss@spectrumscale.org><br>
<b>Date: </b>Friday, 19 October 2018 at 14:39<br>
<b>To: </b>"gpfsug-discuss@spectrumscale.org" <gpfsug-discuss@spectrumscale.org><br>
<b>Subject: </b>Re: [gpfsug-discuss] Spectrum Scale and Firewalls<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">Yeah we have the perfmon ports open, and GUI ports open on the GUI nodes. But basically this is just a storage cluster and everything else (protocols etc) run in remote clusters.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I’ve just opened a ticket … no longer a PMR in the new support centre for Scale<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Simon<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black"><gpfsug-discuss-bounces@spectrumscale.org> on behalf of "knop@us.ibm.com" <knop@us.ibm.com><br>
<b>Reply-To: </b>"gpfsug-discuss@spectrumscale.org" <gpfsug-discuss@spectrumscale.org><br>
<b>Date: </b>Friday, 19 October 2018 at 14:05<br>
<b>To: </b>"gpfsug-discuss@spectrumscale.org" <gpfsug-discuss@spectrumscale.org><br>
<b>Subject: </b>Re: [gpfsug-discuss] Spectrum Scale and Firewalls</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<p><span style="font-size:10.0pt">Simon,</span><br>
<br>
<span style="font-size:10.0pt">Depending on what functions are being used in Scale, other ports may also get used, as documented in</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:36.0pt"><a href="https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.0/com.ibm.spectrum.scale.v5r00.doc/bl1adv_firewall.htm"><span style="font-size:10.0pt">https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.0/com.ibm.spectrum.scale.v5r00.doc/bl1adv_firewall.htm</span></a><o:p></o:p></p>
<p class="MsoNormal"><br>
<span style="font-size:10.0pt">On the other hand, I'd initially speculate that you might be hitting a problem in mmnetverify itself. (perhaps some aspect in
</span>mmnetverify <span style="font-size:10.0pt">is not taking into account that ports other than 22, 1191, 60000-61000 may be getting blocked by the firewall)</span><br>
<br>
<span style="font-size:10.0pt">Could you open a PMR for this one?</span><br>
<br>
<span style="font-size:10.0pt">Thanks,</span><br>
<br>
<span style="font-size:10.0pt">Felipe</span><br>
<br>
<span style="font-size:10.0pt">----<br>
Felipe Knop knop@us.ibm.com<br>
GPFS Development and Security<br>
IBM Systems<br>
IBM Building 008<br>
2455 South Rd, Poughkeepsie, NY 12601<br>
(845) 433-9314 T/L 293-9314<br>
<br>
</span><br>
<br>
<img border="0" width="16" height="16" style="width:.1666in;height:.1666in" id="_x0000_i1026" src="cid:image001.gif@01D475D7.E5F25770" alt="Inactive hide details for Simon Thompson ---10/19/2018 06:41:27 AM---Hi, We’re having some issues bringing up firewalls on som"><span style="font-size:10.0pt;color:#424282">Simon
Thompson ---10/19/2018 06:41:27 AM---Hi, We’re having some issues bringing up firewalls on some of our NSD nodes. The problem I was actua</span><br>
<br>
<span style="font-size:10.0pt;color:#5F5F5F">From: </span><span style="font-size:10.0pt">Simon Thompson <S.J.Thompson@bham.ac.uk></span><br>
<span style="font-size:10.0pt;color:#5F5F5F">To: </span><span style="font-size:10.0pt">"gpfsug-discuss@spectrumscale.org" <gpfsug-discuss@spectrumscale.org></span><br>
<span style="font-size:10.0pt;color:#5F5F5F">Date: </span><span style="font-size:10.0pt">10/19/2018 06:41 AM</span><br>
<span style="font-size:10.0pt;color:#5F5F5F">Subject: </span><span style="font-size:10.0pt">[gpfsug-discuss] Spectrum Scale and Firewalls</span><br>
<span style="font-size:10.0pt;color:#5F5F5F">Sent by: </span><span style="font-size:10.0pt">gpfsug-discuss-bounces@spectrumscale.org</span><o:p></o:p></p>
<div>
<div class="MsoNormal">
<hr size="2" width="100%" noshade="" style="color:#8091A5" align="left">
</div>
</div>
<p class="MsoNormal"><br>
<br>
<br>
Hi,<br>
<br>
We’re having some issues bringing up firewalls on some of our NSD nodes. The problem I was actually trying to diagnose I don’t think is firewall related but still …<br>
<br>
We have port 22 and 1191 open and also 60000-61000, we also set:<br>
# mmlsconfig tscTcpPort<br>
tscTcpPort 1191<br>
# mmlsconfig tscCmdPortRange<br>
tscCmdPortRange 60000-61000<br>
<br>
<a href="https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.0/com.ibm.spectrum.scale.v5r00.doc/bl1adv_firewallforinternalcommn.htm"><span style="color:#0563C1">https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.0/com.ibm.spectrum.scale.v5r00.doc/bl1adv_firewallforinternalcommn.htm</span></a><br>
Claims this is sufficient …<br>
<br>
Running mmnetverify:<br>
# mmnetverify all --target-nodes rds-er-mgr01<br>
<br>
rds-pg-mgr01 checking local configuration.<br>
Operation interface: Success.<br>
<br>
rds-pg-mgr01 checking communication with node rds-er-mgr01.<br>
Operation resolution: Success.<br>
Operation ping: Success.<br>
Operation shell: Success.<br>
Operation copy: Success.<br>
Operation time: Success.<br>
Operation daemon-port: Success.<br>
Operation sdrserv-port: Success.<br>
Operation tsccmd-port: Success.<br>
Operation data-small: Success.<br>
Operation data-medium: Success.<br>
Operation data-large: Success.<br>
Could not connect to port 46326 on node rds-pg-mgr01 (10.20.0.56): timed out.<br>
This may indicate a firewall configuration issue.<br>
Operation bandwidth-node: Fail.<br>
<br>
rds-pg-mgr01 checking cluster communications.<br>
<br>
Issues Found:<br>
rds-er-mgr01 could not connect to rds-pg-mgr01 (TCP, port 46326).<br>
<br>
mmnetverify: Command failed. Examine previous error messages to determine cause.<br>
<br>
<br>
Note that the port number mentioned changes if we run mmnetverify multiple times. The two clients in this test are running 5.0.2 code. If I run in verbose mode I see:<br>
<snip><br>
Checking network communication with node rds-er-mgr01.<br>
Port range restricted by cluster configuration: 60000 - 61000.<br>
rds-er-mgr01: connecting to node rds-pg-mgr01.<br>
rds-er-mgr01: exchanged 256.0M bytes with rds-pg-mgr01.<br>
Write size: 16.0M bytes.<br>
Network statistics for rds-er-mgr01 during data exchange:<br>
packets sent: 68112<br>
packets received: 72452<br>
Network Traffic between rds-er-mgr01 and rds-pg-mgr01 port 60000 ok.<br>
Operation data-large: Success.<br>
Checking network bandwidth.<br>
rds-er-mgr01: connecting to node rds-pg-mgr01.<br>
Could not connect to port 36277 on node rds-pg-mgr01 (10.20.0.56): timed out.<br>
This may indicate a firewall configuration issue.<br>
Operation bandwidth-node: Fail.<br>
<snip><br>
<br>
So for many of the tests it looks like its using port 60000 as expected, is this just a bug in mmnetverify or am I doing something silly?<br>
<br>
Thanks<br>
<br>
Simon<tt><span style="font-size:10.0pt">_______________________________________________</span></tt><span style="font-size:10.0pt;font-family:"Courier New""><br>
<tt>gpfsug-discuss mailing list</tt><br>
<tt>gpfsug-discuss at spectrumscale.org</tt><br>
<tt><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss">http://gpfsug.org/mailman/listinfo/gpfsug-discuss</a></tt><br>
</span><br>
<br>
<br>
<br>
<br>
<o:p></o:p></p>
</div>
</body>
</html>