12-14-2009 02:20 AM
iLO2 and ISA firewall
I have a number of servers that utilise iLO2. I can ping the iLO addresses and access the web interfaces and all associated functions as normal. I am currently in the process of setting up a perimeter network which only certain servers and our ISA firewall array will be part of. At this time, there is nothing present on this perimeter network other than a single switch. This is where my problem starts:
I have servers named 'X' 'Y' and 'Z', which I can access iLO2 features on from behind our firewall. In order to make them part of the perimeter network, I change the IP address and default gateway in iLO2. If I plug a laptop into the iLO2 port of any of the servers with a crossover cable, and set the laptop to the same subnet as the new iLO2 settings, I can ping the new iLO2 address and access all iLO2 features. This is the only way that I can ping or access the iLO2 once I have changed the IP settings. All settings in both iLO2 and in the relevant ISA firewall rules are correct.
I even temporarily set up a separate router (bypassing ISA) connecting into the server to see if I can ping the iLO2 address from a completely different subnet, and I can, so it means that the issue lies within ISA - for some reason, it doesn't seem to like iLO2.
Apologies for the long post, but this is a very strange problem that I have never before come across, and I have spent a great deal of time searching the internet but have been unable to find any reports of the same issues. Is anyone aware of issues between iLO2 and ISA 2004?
Kind regards,
Gary
12-14-2009 07:31 AM
Re: iLO2 and ISA firewall
01-04-2010 08:59 PM
Re: iLO2 and ISA firewall
When you switch the IP addresses to make X, Y, and Z part of the perimeter network, are you also moving the iLO network cables to the switch on the perimeter network? Your description makes it sound like you're just changing the addresses and not moving the cables.
Are you sure you have all the correct ports open in ISA? iLO2 uses the following ports:
PORTS:
Port Description
22 Secure Shell (SSH)
23 Remote Console / telnet
80 Web Server Non-SSL (HTTP)
443 Web Server SSL (HTTPS)
3389 Terminal Services
17988 Virtual Media
9300 Shared Remote Console
17990 Console Replay
3002 Raw Serial Data
The only problem I've had with opening these ports in a firewall is that the "Integrated Remote Console" function uses a random port once the connection is made, so it doesn't work. The Java based Remote Console works OK.
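A reachability check for the ports listed in the reply above, as an added example that is not part of the original thread. It is meant to be run from a host on the far side of the firewall; the default target address is a placeholder, and the three state names are this example's own.

```python
import socket
import sys

# TCP ports from the iLO2 list in the reply above.
ILO2_PORTS = {
    22: "Secure Shell (SSH)",
    23: "Remote Console / telnet",
    80: "Web Server Non-SSL (HTTP)",
    443: "Web Server SSL (HTTPS)",
    3389: "Terminal Services",
    17988: "Virtual Media",
    9300: "Shared Remote Console",
    17990: "Console Replay",
    3002: "Raw Serial Data",
}


def probe(host, port, timeout=2.0):
    """Classify one TCP connect attempt as 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"      # handshake completed: the rule passes this service
    except ConnectionRefusedError:
        # A RST came back: either the iLO has the service disabled or a
        # device on the path rejects the connection instead of dropping it.
        return "refused"
    except OSError:
        # Timeout or unreachable: nothing answered, which is what a
        # dropped SYN (missing firewall rule, no route, no ARP) looks like.
        return "filtered"


def check_ilo(host, ports=ILO2_PORTS, timeout=2.0):
    """Return {port: (description, state)} for every port in the table."""
    return {p: (d, probe(host, p, timeout)) for p, d in sorted(ports.items())}


if __name__ == "__main__":
    # Placeholder target: pass the iLO2 address as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, (desc, state) in check_ilo(target, timeout=1.0).items():
        print(f"{port:>5}  {state:<8}  {desc}")
```

Running it once from inside the perimeter subnet and once from behind the firewall shows which services change state between the two vantage points.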
01-05-2010 01:21 AM
Re: iLO2 and ISA firewall
Thanks for your reply.
Sorry for the confusion, yes, the cables were moved and patched into the appropriate switch.
01-05-2010 01:26 AM
Re: iLO2 and ISA firewall
01-05-2010 01:33 AM
Re: iLO2 and ISA firewall
01-05-2010 01:40 AM
Re: iLO2 and ISA firewall
01-05-2010 05:01 AM
Re: iLO2 and ISA firewall
01-07-2010 01:39 AM
Re: iLO2 and ISA firewall
03-05-2010 07:16 AM
Re: iLO2 and ISA firewall
We have actually managed to resolve ISA's inability to create an ARP table entry for iLO by spoofing the ARP response from iLO on the network switch.
However, we still cannot achieve communication from iLO through ISA.
We are using a simple PING communication to test. Now that ISA has an ARP entry for iLO, we see it pass the ICMP (PING) packet towards iLO & we also see iLO respond (via the packet capture). As you would expect, the source MAC of the ICMP request passed from ISA is matched by the destination MAC of the reply from iLO. The related IP addresses are also what we would expect to see. This is the dedicated MAC address of the ISA node within the NLB array.
Although we see iLO respond to the ICMP request back towards ISA (via a packet capture on the switch that connects iLO to ISA), ISA monitoring does not report that it ever sees this frame / packet.
Just to reiterate, we have proven the ISA firewall rule, as everything else that is connected to this switch (everything connected to the switch is on the same IP subnet) works perfectly OK.
We are now wondering if rather than this being a firewall problem, it is actually an issue between iLO & NLB.
Does anyone have experience of similar problems?
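The frame-level comparison described in the post above (reply destination MAC against request source MAC, and mirrored IP addresses), as an added example that is not part of the original thread. The MAC and IP addresses and the sample frames are constructed, and the function names are this example's own.

```python
import struct

def parse_icmp_echo(frame):
    """Return addressing and echo fields of an Ethernet II/IPv4 ICMP echo frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return None                                   # too short or not IPv4
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    if frame[23] != 1 or len(frame) < 22 + ihl:
        return None                                   # IP protocol field is not ICMP
    icmp_type, _, _, ident, seq = struct.unpack("!BBHHH", frame[14 + ihl:22 + ihl])
    if icmp_type not in (0, 8):
        return None                                   # neither echo reply nor echo request
    return {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "src_ip": ".".join(map(str, frame[26:30])),
            "dst_ip": ".".join(map(str, frame[30:34])),
            "kind": "request" if icmp_type == 8 else "reply", "key": (ident, seq)}

def check_echo_pairs(frames):
    """Pair each echo reply with its request and list every addressing mismatch."""
    requests, findings = {}, []
    for pkt in filter(None, map(parse_icmp_echo, frames)):
        if pkt["kind"] == "request":
            requests[pkt["key"]] = pkt
            continue
        req = requests.pop(pkt["key"], None)
        if req is None:
            findings.append(f"reply {pkt['key']} has no matching request")
        elif pkt["dst_mac"] != req["src_mac"]:
            findings.append(f"reply {pkt['key']} sent to {pkt['dst_mac']}, "
                            f"request came from {req['src_mac']}")
        elif (pkt["src_ip"], pkt["dst_ip"]) != (req["dst_ip"], req["src_ip"]):
            findings.append(f"reply {pkt['key']} IP addresses do not mirror the request")
    return findings + [f"request {k} was never answered" for k in requests]

def build_echo(src_mac, dst_mac, src_ip, dst_ip, icmp_type, ident, seq):
    """Build a constructed sample frame (checksums left at zero; the parser ignores them)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip4 = lambda a: bytes(map(int, a.split(".")))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0, ip4(src_ip), ip4(dst_ip))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip + struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)

FW, ILO, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:99"  # constructed MACs
SAMPLE = [  # constructed capture: firewall node 192.0.2.1 pings iLO 192.0.2.10 twice
    build_echo(FW, ILO, "192.0.2.1", "192.0.2.10", 8, 1, 1),
    build_echo(ILO, FW, "192.0.2.10", "192.0.2.1", 0, 1, 1),     # mirrors the request
    build_echo(FW, ILO, "192.0.2.1", "192.0.2.10", 8, 1, 2),
    build_echo(ILO, OTHER, "192.0.2.10", "192.0.2.1", 0, 1, 2),  # reply goes to another MAC
]
if __name__ == "__main__":
    print(check_echo_pairs(SAMPLE) or "every reply mirrors its request")
```

An empty result on frames exported from the switch capture confirms at layer 2 and layer 3 that the replies are addressed back to the node that sent the requests.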