w2k3s
Frequent Advisor

A server can only be discoverable by SIM when firewall is disabled

I'm probably getting ready to pull my hair out. 

I have a new server that I'm trying to add to my SIM server. I usually use Discover, and after enabling all the exceptions for TCP ports 22, 80, 443, 161, 280, 2301, 5988, 5989, 2381, I can usually add a server just fine.

However, on this particular server I'm trying to add, it is NOT possible. The only way I can make this server discoverable in my HP SIM is by disabling its firewall. If I enable the firewall after the discovery process, SIM will complain it cannot reach the server I just added. I'm using port 80 for ping. With incoming port 80 opened, pinging still fails. The only way I can make ping work is to disable the firewall.

I even tried allowing incoming traffic to ALL PORTS, but it's still not working. The only way for the communication to work is to disable the firewall. I even tried removing and reinstalling SIM agents and SMH. Nothing works. Restarting the server doesn't help either.

I tried logging the firewall for dropped packets to see if I'm missing some port that should be opened. The firewall log does not report any blocked traffic from my SIM server. I'm going NUTS!!

Any ideas, anyone? The server I'm trying to add to my SIM is running 2008 R2 (same as my SIM server).

12 REPLIES
jim goodman
Trusted Contributor

Re: A server can only be discoverable by SIM when firewall is disabled

If you want to ping over port 80, double-check your global protocol settings to make sure TCP Ping is selected. The default is ICMP Ping - if that is what you are using, can you ping from a cmd prompt on the CMS to the target with the firewall on with your current settings?

w2k3s
Frequent Advisor

Re: A server can only be discoverable by SIM when firewall is disabled

That's what I have. Our router disabled ICMP ping across subnets, so I was forced to use ping using TCP over port 80. I checked on my SIM server, and it's still set to use that. What else am I missing? It's been a while since I had to deal with SIM.

w2k3s
Frequent Advisor

Re: A server can only be discoverable by SIM when firewall is disabled

This is so weird.

If I DISABLE just the firewall for the PUBLIC profile, then discovery and ping will start working again.

 

This server is connected to the domain network, and it's not even using the public profile. The only available internet connection is listed as DOMAIN NETWORK in Network and Sharing Center.

jim goodman
Trusted Contributor

Re: A server can only be discoverable by SIM when firewall is disabled

I was wondering if it was profile related - that is odd that if you disable for Public that it would work if the network isn't listed as Public. I can't access my lab right now, but you certainly piqued my curiosity as to whether or not there is another profile hook somewhere in the OS.

w2k3s
Frequent Advisor

Re: A server can only be discoverable by SIM when firewall is disabled

If you need any logs or whatever, I'd be happy to share. This is driving me nuts! All my other servers aren't behaving like this, but two of the new ones I just set up have this problem.

 

jim goodman
Trusted Contributor

Re: A server can only be discoverable by SIM when firewall is disabled

I thought you isolated it to a firewall profile?

 

Any policies added to the servers once they join the domain? Is there something defined in the container these 2 reside in?

 

The problem appears not to be the CMS or SIM since it is working with everything else - these 2 servers have something in common from a Windows perspective. If turning off the firewall works, and turning the FW back on while making TCP 80 an exception isn't punching a hole, then something else is blocking. The profile makes sense since the firewall can be configured according to profile or some attribute to an application exclusion. These can also be enforced by GPO; you might look into the OU these servers reside in and perhaps move them to one with no policies for testing. I have heard, but haven't seen it, where the GPO can override the visible settings of the Windows FW console. I am not a Windows security expert so I can't really drill down into troubleshooting the OS security.

 

Run a netstat from the problem server and see if TCP80 is going in and out.

 

You can use a freebie like TCPing to run a continual TCP Ping against the server while you are trying different things with the server to correct it. It has a small footprint so make sure you try it from your CMS to the node and also from the node to CMS.

 

Another thing, can you browse to the SMH from the CMS or is that blocked also? https://servername:2381

 

You might also try these from your desktop to the server, making sure it isn't a problem with the source server being blocked.
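
Added example, not part of the original thread: a Python stand-in for the continual TCP ping suggested above, run against the TCP ports listed in the first post. It separates a refused connection (RST came back, host reachable but nothing listening) from a silent drop (timeout), which helps tell a firewall block from a missing listener. The host name `target.example` and the function names are placeholders.

```python
import errno
import socket
import time

# TCP ports the original poster opened for HP SIM. UDP 161 (SNMP) is left
# out because a TCP connect cannot test it.
SIM_TCP_PORTS = [22, 80, 443, 280, 2301, 2381, 5988, 5989]


def tcp_probe(host, port, timeout=2.0):
    """Attempt one TCP handshake and classify the outcome.

    open     - handshake completed, something is listening
    closed   - connection refused: host reachable, port not listening
    filtered - no answer before the timeout: packet silently dropped
    error    - anything else (name resolution, no route, ...)
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            state = "open"
    except ConnectionRefusedError:
        state = "closed"
    except socket.timeout:
        state = "filtered"
    except OSError as exc:
        state = "filtered" if exc.errno == errno.ETIMEDOUT else "error"
    return state, round((time.monotonic() - start) * 1000, 1)


def sweep(host, ports=SIM_TCP_PORTS, rounds=1, delay=1.0, timeout=2.0):
    """Probe every port `rounds` times; return {port: [state, ...]}."""
    results = {p: [] for p in ports}
    for i in range(rounds):
        for p in ports:
            results[p].append(tcp_probe(host, p, timeout)[0])
        if i < rounds - 1:
            time.sleep(delay)  # pause so firewall changes can be made between rounds
    return results


if __name__ == "__main__":
    # "target.example" is a placeholder; run from the CMS, from a desktop,
    # and from the node back to the CMS, as suggested in the post above.
    for port, states in sweep("target.example", rounds=3).items():
        print(port, states)
```

A port that flips from `closed` to `filtered` when a firewall profile is switched on has no listener behind it, so an allow rule for that port changes nothing about what the probe sees.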

 

jim goodman
Trusted Contributor

Re: A server can only be discoverable by SIM when firewall is disabled

I also meant to ask: were these servers built with an image or from a raw OS DVD?

jim goodman
Trusted Contributor

Re: A server can only be discoverable by SIM when firewall is disabled

Also take a look at this

 

http://technet.microsoft.com/en-us/library/cc755158(WS.10).aspx

 

This may trigger some ideas for other paths to look at.

 

I did a quick Google of "troubleshooting 2008 r2 Windows firewall"; there is a lot more information there.

w2k3s
Frequent Advisor

Re: A server can only be discoverable by SIM when firewall is disabled

The server is built from CD. I tried resetting the firewall configuration... no luck.

I tried network monitoring to see what port the server is blocking... this is even weirder.

With the public profile off, I see port 80 TCP used in PING from SIM, and SIM reported a successful PING.

With the public profile turned on, I still see port 80 TCP being used, but SIM reported an unsuccessful ping.