Re: Package IP concerns (289 Views)
Reply
Regular Advisor
coollllllllllll
Posts: 140
Registered: ‎12-28-2012
Message 1 of 6 (339 Views)

Package IP concerns

We have 3 node cluster in our setup.

 ux 11i v2

A.11.19.00 serviceguard

 

We are facing issue when we are trying to open IP at application level ( firewall level )

Cases where our hosts are servers comunication is fine with package IP.

But cases where we are clients all applications are not able to communicate via package  IP .

It becomes necessary for network,firewall  team to open  physical IP.

 

 

How can we acheive , only opening of package IP's , and no physical IP to be mentioned in firewall. ?

Honored Contributor
Laurent Menase
Posts: 1,079
Registered: ‎11-06-2003
Message 2 of 6 (316 Views)

Re: Package IP concerns

Hi  coollllll

 

In fact there is no real way to do it except have the application binding on the address it should use.

 

On 11.31 SRP or containment may work, running the package in a container ( every applications started in the container will use container addresses)

Trusted Contributor
Emil Velez_2
Posts: 125
Registered: ‎01-15-2002
Message 3 of 6 (304 Views)

Re: Package IP concerns

looks like the package ips are not allowed as part of your firewall rules. you probably need to update your firewall with your package ip addresses.
Emil Velez
HP UNIX Certified (CSA, CSE HPUX 11i High Availability) HP Software (Openview) Certified Consultant
Certified HP Instructor, Technical Certified I and II SMB and Enterprise
Master ASE Superdome Solutins

HP Education Services

Ask me about training on Blades, Proliant, HP-UX, ServiceGuard, Polyserve, X9000, Virtual Libraries, and High Availability

internet: Emil.Velez@hp.com
Linkedin: http://www.linkedin.com/in/emilvelez

Advisor
akio_kabutogi
Posts: 19
Registered: ‎12-26-2011
Message 4 of 6 (298 Views)

Re: Package IP concerns

I suppose the issue happens as the source IP address in the packets returned from the application running in the package is always the station IP address if the application binds to INADDR_ANY by default. Thus, if the firewall does not allow packets from the station (physical) IP address to go out, external client can not communicate with the server application inside the SG package.

 

This is discussed in"Managing Serviceguard A.11.20" manual's Appendix B "Designing Highly Available Cluster Applications" under :

 

  • "Bind to a Fixed Port"
  • "Bind to Relocatable IP Addresses",
  • "Call bind() before connect()"
  • "Using a Relocatable Address as the Source Address for an Application that is Bound to INADDR_ANY"

 

sections.

 

Please refer to "Managing Serviceguard" manual for appropriate version of Service Guard you're using.

 

Hope this helps.

Regular Advisor
coollllllllllll
Posts: 140
Registered: ‎12-28-2012
Message 5 of 6 (290 Views)

Re: Package IP concerns

Hi Akio ,

 

Thanks for sharing your views.

Need more clarity on "Using a Relocatable Address as the Source Address for an Application that is Bound to INADDR_ANY" point.

 

 

 

Regular Advisor
coollllllllllll
Posts: 140
Registered: ‎12-28-2012
Message 6 of 6 (289 Views)

Re: Package IP concerns

Hi Emil ,

 

Initially only package ip,s were allowed.

Later on physical IP's were added.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.