TCPIP5.4 ECO6 and failSAFE IP

Zahid Ghani
Frequent Advisor

I have recently installed ECO 6 to our TCPIP 5.4 VMS7.3-2 4-node cluster with failSAFE IP. Since then we have, intermittently, started getting connection problems with FTP. We think the problem is that our firewall needed all IP addresses used by our nodes. This was not a problem before eco6. Since the changes to firewall the connectivity has improved but there are still some sites that we are having problems with - but that could be due to those sites not having updated their firewalls.
Has anyone else come across this? There is nothing in ECO 6 release notes.
Honored Contributor

Re: TCPIP5.4 ECO6 and failSAFE IP

Back out ECO6 and see if the behavior changes?

I'd almost assume this isn't ECO6, but stranger things have happened.

Backing the ECO out would confirm or deny the theory that some change(s) within ECO6 were involved here.

I would certainly assume that a firewall would have to know which host addresses and ports would receive an incoming FTP connection -- hopefully in a DMZ. FTP itself is particularly ugly at the firewall, which is where the passive transfer mechanism arose. Most folks now use or are migrating to ftps or sftp, or a VPN-based link.

The first of many hits on a Google search for:

ftp firewall passive

are all around getting this stuff to work, and around security discussions. You're not alone here, by any stretch.

Start here:

IP network and routing problems seldom fit within the confines of the ITRC forums 46x16 text input box. Various organizations around -- full disclosure: Hoffmanlabs is one -- can assist with these situations and with OpenVMS and TCP/IP Services networking.

Stephen Hoffman
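
Added example, not part of the thread: the FTP control channel carries the data-channel address in `PORT` commands and `227` passive replies (RFC 959), so a control-channel capture can be checked against the addresses the firewall has been told about. The function names, sample lines and allow list below are constructed for illustration.

```python
import ipaddress
import re

# Six comma-separated decimal numbers: h1,h2,h3,h4,p1,p2 (RFC 959).
_HOSTPORT = re.compile(
    r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")

def data_endpoint(line):
    """Return (mode, ip, port) for a PORT command or 227 reply, else None."""
    text = line.strip()
    if text.upper().startswith("PORT "):
        mode = "active"      # client tells the server where to connect
    elif text.startswith("227"):
        mode = "passive"     # server tells the client where to connect
    else:
        return None
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return mode, ip, nums[4] * 256 + nums[5]

def unlisted_endpoints(lines, allowed):
    """List data-channel endpoints whose address is not in `allowed`."""
    nets = [ipaddress.ip_network(a) for a in allowed]
    findings = []
    for line in lines:
        ep = data_endpoint(line)
        if ep and not any(ep[1] in net for net in nets):
            findings.append(ep)
    return findings

# Constructed control-channel lines (documentation addresses, RFC 5737).
SAMPLE = [
    "USER anonymous",
    "PORT 192,0,2,11,19,137",
    "227 Entering Passive Mode (192,0,2,12,195,80)",
    "PORT 192,0,2,14,4,1",
]
# Hypothetical firewall list that omits one of the addresses in use.
ALLOWED = ["192.0.2.11/32", "192.0.2.12/32"]

if __name__ == "__main__":
    for mode, ip, port in unlisted_endpoints(SAMPLE, ALLOWED):
        print(f"{mode} data endpoint {ip}:{port} is not in the firewall list")
```

This only works on cleartext FTP control traffic, such as a capture taken with a network analyser on the switch.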
Colin Butcher
Esteemed Contributor

Re: TCPIP5.4 ECO6 and failSAFE IP

Hello Zahid,

First - prove that ECO06 didn't cause the problem. Fire up a spare Alpha with the previous configuration if you can. That way you won't affect a production environment.

Second, if you still have trouble then use the spare Alpha to diagnose what's happening if you can. You may need to hang a network analyser off the switch to see what's really going on. Depending on how "failsafe IP" is working in terms of flipping the IP address between physical interfaces you might also need to check how the switch (or switches) are configured.

Lots of "fun".

Cheers, Colin (www.xdelta.co.uk).
Entia non sunt multiplicanda praeter necessitatem (Occam's razor).