I have recently installed ECO 6 to our TCPIP 5.4 VMS7.3-2 4-node cluster with failSAFE IP. Since then we have, intermittently, started getting connection problems with FTP. We think the problem is that our firewall needed all IP addresses used by our nodes.This was not a problem before eco6. Since the changes to firewall the connectivity has improved but there are still some sites that we are having problems with - but that could be due to those sites not having updated their firewalls. Has anyone else come across this? There is nothing in ECO 6 release notes.
I'd almost assume this isn't ECO6, but stranger things have happened.
Backing the ECO out would confirm or deny the theory that some change(s) within ECO6 were involved here.
I would certainly assume that a firewall would have to know which host addresses and ports would receive an incoming FTP connection -- hopefully in a DMZ. FTP itself is particularly ugly at the firewall, which is where the passive transfer mechanism arose. Most folks now use or are migrating to ftps or sftp, or a VPN-based link.
The first of many hits on a Google search for:
ftp firewall passive
are all around getting this stuff to work, and around security discussions. You're not alone here, by any stretch.
IP network and routing problems seldom fit within the confines of the ITRC forums 46x16 text input box. Various organizations around -- full disclosure: Hoffmanlabs is one -- can assist with these situations and with OpenVMS and TCP/IP Services networking.
First - prove that ECO06 didn't cause the problem. Fire up a spare Alpha with the previous configuration if you can. That way you won't affect a production environment.
Second, if you still have trouble then use the spare Alpha to diagnose what's happening if you can. You may need to hang a network analyser off the switch to see what's really going on. Depending on how "failsafe IP" is working in terms of flipping the IP address between physical interfaces you might also need to check how the switch (or switches) are configured.
