cancel
Showing results for 
Search instead for 
Did you mean: 

Package IP concerns

coollllllllllll
Regular Advisor

Package IP concerns

We have 3 node cluster in our setup.

 ux 11i v2

A.11.19.00 serviceguard

 

We are facing issue when we are trying to open IP at application level ( firewall level )

Cases where our hosts are servers comunication is fine with package IP.

But cases where we are clients all applications are not able to communicate via package  IP .

It becomes necessary for network,firewall  team to open  physical IP.

 

 

How can we acheive , only opening of package IP's , and no physical IP to be mentioned in firewall. ?

5 REPLIES
Laurent Menase
Honored Contributor

Re: Package IP concerns

Hi  coollllll

 

In fact there is no real way to do it except have the application binding on the address it should use.

 

On 11.31 SRP or containment may work, running the package in a container ( every applications started in the container will use container addresses)

Emil Velez_2
Trusted Contributor

Re: Package IP concerns

looks like the package ips are not allowed as part of your firewall rules. you probably need to update your firewall with your package ip addresses.
Emil Velez
Instructor Storage, Servers, HP-UX and Partner Courses
Hewlett Packard Enterprise Education Services
Ask me about training on StoreServ (3PAR) StoreOnce, StoreEasy, StoreAll, StoreVirtual, HP-UX, ServiceGuard and HPE Partner Ready Certification Training

internet: Emil.Velez@hpe.com
Linkedin: http://www.linkedin.com/in/emilvelez

HPE Master ASE Server Solutions Architect V3
HPE Master ASE Storage Solutions Architect V2
HP UNIX Certified (ASE HPUX 11iv3 Administration V1)
Certified HPE Instructor
HPE Product Certified - OneView [2016]
HP Sales Certified -Servers, Converged Systems and Services [2015]
HPE Product Certified - Converged Solutions [2017]

Re: Package IP concerns

I suppose the issue happens as the source IP address in the packets returned from the application running in the package is always the station IP address if the application binds to INADDR_ANY by default. Thus, if the firewall does not allow packets from the station (physical) IP address to go out, external client can not communicate with the server application inside the SG package.

 

This is discussed in"Managing Serviceguard A.11.20" manual's Appendix B "Designing Highly Available Cluster Applications" under :

 

  • "Bind to a Fixed Port"
  • "Bind to Relocatable IP Addresses",
  • "Call bind() before connect()"
  • "Using a Relocatable Address as the Source Address for an Application that is Bound to INADDR_ANY"

 

sections.

 

Please refer to "Managing Serviceguard" manual for appropriate version of Service Guard you're using.

 

Hope this helps.

Highlighted
coollllllllllll
Regular Advisor

Re: Package IP concerns

Hi Akio ,

 

Thanks for sharing your views.

Need more clarity on "Using a Relocatable Address as the Source Address for an Application that is Bound to INADDR_ANY" point.

 

 

 

coollllllllllll
Regular Advisor

Re: Package IP concerns

Hi Emil ,

 

Initially only package ip,s were allowed.

Later on physical IP's were added.