
Re: HTTP Slow Out Of VMS Through Firewall-1

 
marsh_1
Honored Contributor

Re: HTTP Slow Out Of VMS Through Firewall-1

hi,

duplicate address issues will also show with ping as it will alternate between finding address / not finding address. traceroute is tracert in dos on a windows box. if nat'ing is in place here this can also cause issues with return addresses and the routes taken, but if other protocols to/from this box are ok this is less likely.

fwiw

Wim Van den Wyngaert
Honored Contributor

Re: HTTP Slow Out Of VMS Through Firewall-1

Duplicate addresses with 1 address behind a firewall (that doesn't let you communicate with the node in IP) will pass only ARP (in my case, maybe that is a bad config). Thus the program will send a packet to a node, will not receive an ack because the firewall drops it, and resend it until the right address was used.

Note : this is all 10 years ago and I could have forgotten some details.

Wim
Hoff
Honored Contributor

Re: HTTP Slow Out Of VMS Through Firewall-1

How are we on IP addressing when we have different speeds for different protocols for the same IP addresses through the same firewall?

Or was the "Other IP protocols are fine." statement incorrect?
Robert Atkinson
Respected Contributor

Re: HTTP Slow Out Of VMS Through Firewall-1

An update on this.

When I started using the HTTP connection first thing this morning, it was near immediate. This afternoon, it's gone back to being relatively slow (10 seconds for the page).

As I type, it's immediate again!

This leaves me with one conclusion, given that nothing is changing on the VMS hosts - Firewall-1 is struggling somewhere.

I've managed to get the PIX box online, so we have an alternative method of connection. As these servers will eventually come out from behind the firewall onto the main LAN, can't see any point in trying to hunt the problem down through Firewall-1.

I ran the netstat and SHOW PROT displays, and although I'm not an expert, I couldn't see anything obvious in them to point the finger.

I thank everyone for their input. I don't like leaving mysteries, but this one is so deep it could take months to resolve.

Thanks again, Rob.
Jur van der Burg
Respected Contributor

Re: HTTP Slow Out Of VMS Through Firewall-1

As said before, make a network trace. That may give an answer of where the problem may be in minutes.

Jur.
Richard J Maher
Trusted Contributor

Re: HTTP Slow Out Of VMS Through Firewall-1

Hi Rob,

Looks like your problem is solved/avoided but I, for one, had never heard of Firewall 1 or its availability on VMS so I'm off reading now.

In case it would interest you and/or others, here's some information I received a few months ago, on the subject, that I found interesting: -

"BTW, delivery of IPSEC also provides host-based firewall capability, which is another important feature that would also be delayed if IPSEC is further delayed."

Cheers Richard Maher

PS. I'm reading this bit first :-)
http://www.checkpoint.com/products/softwareblades/ipsec-virtual-private-network.html
Robert Atkinson
Respected Contributor

Re: HTTP Slow Out Of VMS Through Firewall-1

Richard, we run Firewall-1 on an appliance server - not VMS. Sorry to disappoint :)

Rob.
Hoff
Honored Contributor

Re: HTTP Slow Out Of VMS Through Firewall-1

I've been connecting into OpenVMS boxes from client boxes via L2TP / IPSec and PPTP for some years now, with this connectivity usually based on the capabilities of the external firewall.

If OpenVMS itself sprouts L2TP or PPTP tunneling or an IP firewall (yes, I know about stunnel and the IPSec EAK) with TCP/IP Services, I might revisit the configuration I typically deploy. But for now, the approach I have works nicely from a variety of client boxes. I've worked with a couple of customer folks around firewalls and tunnels and such, including authentication, up through around allowing tunneling (with NAT) into OpenVMS boxes for use with Netbeans. (The Java RMI layer underneath Netbeans doesn't "like" NAT. But I digress.) This stuff can be gotten to work, but it's not as plug-and-play as any of us might like.

There are various firewall and tunnel server offerings here (from free with the use of your existing spare x86 hardware up to seriously expensive), and the appropriate box depends on factors including network and firewall bandwidth and authentication and syslog logging and required specific features or capabilities. Some folks need tunneling or IPSec or such. Here, the firewall processing and memory and bandwidth required to sling gigantic static HTML pages through the firewall box looks to be a central requirement.

Robert Atkinson
Respected Contributor

Re: HTTP Slow Out Of VMS Through Firewall-1

Unfortunately, this problem will remain a mystery for now (see my post above).

Thanks again for everyone's input.

Rob.
Robert Atkinson
Respected Contributor

Re: HTTP Slow Out Of VMS Through Firewall-1

Problem was found to be with port negotiation between Firewall-1 and CISCO switch - Full v Half Duplex I think.

Rob.