05-30-2013 03:01 AM
We have a 3-node cluster in our setup.
ux 11i v2
We are facing an issue when we try to open IPs at the application level (firewall level).
In cases where our hosts are servers, communication is fine with the package IP.
But in cases where we are clients, the applications are not able to communicate via the package IP.
It becomes necessary for the network, firewall team to open the physical IP.
How can we achieve opening only the package IPs, with no physical IP mentioned in the firewall?
05-31-2013 08:25 AM
In fact there is no real way to do it except to have the application bind to the address it should use.
On 11.31, SRP or containment may work, running the package in a container (every application started in the container will use the container's addresses).
06-04-2013 10:42 AM
HP UNIX Certified (CSA, CSE HPUX 11i High Availability
Certified HP Instructor, ATP and ASE Server Solutions
Master ASE Superdome Solutions
HP Education Services
Ask me about training on Blades, Proliant, HP-UX, ServiceGuard, StoreAll, StoreOnce, StoreServ, StoreEasy and High Availability
06-04-2013 06:53 PM
I suppose the issue happens because the source IP address in the packets returned from the application running in the package is always the station IP address if the application binds to INADDR_ANY by default. Thus, if the firewall does not allow packets from the station (physical) IP address to go out, the external client cannot communicate with the server application inside the SG package.
This is discussed in the "Managing Serviceguard A.11.20" manual's Appendix B, "Designing Highly Available Cluster Applications", under:
- "Bind to a Fixed Port"
- "Bind to Relocatable IP Addresses",
- "Call bind() before connect()"
- "Using a Relocatable Address as the Source Address for an Application that is Bound to INADDR_ANY"
Please refer to "Managing Serviceguard" manual for appropriate version of Service Guard you're using.
Hope this helps.