Server Management - Systems Insight Manager
A server can only be discoverable by SIM when firewall is disabled

 
w2k3s
Frequent Advisor

A server can only be discoverable by SIM when firewall is disabled

I'm probably getting ready to pull my hair out.

I have a new server that I'm trying to add to my SIM server. I usually use Discover, and after enabling all the exceptions for TCP port 22, 80, 443, 161, 280, 2301, 5988, 5989, 2381, I can usually add a server just fine.

However, on this particular server I'm trying to add, it is NOT possible. The only way I can make this server discoverable in my HP SIM is by disabling its firewall. If I enable the firewall after the discovery process, SIM will complain it cannot reach the server I just added. I'm using port 80 for ping. With incoming port 80 opened, pinging still fails. The only way I can make ping work is to disable the firewall.

I even tried allowing incoming traffic to ALL PORTS, but it's still not working. The only way for the communication to work is to disable the firewall. I even tried removing and reinstalling SIM agents and SMH. Nothing works. Restarting the server doesn't help either.

I tried logging the firewall for dropped packets to see if I'm missing some port that should be opened. The firewall log does not report any blocked traffic from my SIM server. I'm going NUTS!!

Any ideas, anyone? The server I'm trying to add to my SIM is running 2008R2 (same as my SIM server).

12 REPLIES
jim goodman
Trusted Contributor

Re: A server can only be discoverable by SIM when firewall is disabled

If you are wanting to ping over port 80 double check your global protocol settings to make sure TCP Ping is selected. The default is ICMP Ping - if that is what you are using can you ping from a cmd prompt on the CMS to the target with the Firewall on with your current settings?

w2k3s
Frequent Advisor

Re: A server can only be discoverable by SIM when firewall is disabled

That's what I have. Our router disabled ICMP ping across subnets, so I was forced to use ping using TCP over port 80. I checked on my SIM server, and it's still set to use that. What else am I missing? It's been a while since I have had to deal with SIM.

w2k3s
Frequent Advisor

Re: A server can only be discoverable by SIM when firewall is disabled

This is so weird.

If I DISABLE just the firewall for the PUBLIC profile, then discovery and ping will start working again.

This server is connected to the domain network, and it's not even using the public profile. The only available internet connection is listed as DOMAIN NETWORK in Network and Sharing Center.

jim goodman
Trusted Contributor

Re: A server can only be discoverable by SIM when firewall is disabled

I was wondering if it was profile related - that is odd that if you disable for Public that it would work if the Network isn't listed as Public. I can't access my lab right now, but you certainly piqued my curiosity as to whether or not there is another profile hook somewhere in the OS.

w2k3s
Frequent Advisor

Re: A server can only be discoverable by SIM when firewall is disabled

If you need any logs or whatever, I'd be happy to share. This is driving me nuts! All my other servers aren't behaving like this, but two of the new ones I just set up have this problem.

jim goodman
Trusted Contributor

Re: A server can only be discoverable by SIM when firewall is disabled

I thought you isolated it to a firewall profile?

Any policies added to the servers once they join the domain? Is there something defined in the container these 2 reside in?

The problem appears not to be the CMS or SIM since it is working with everything else - these 2 servers have something in common from a Windows perspective. If turning off the firewall works, and turning the FW back on while making TCP80 an exception isn't punching a hole, then something else is blocking. The profile makes sense since the Firewall can be configured according to profile or some attribute to an application exclusion. These can also be enforced by GPO; you might look into the OU these servers reside in and perhaps move them to one with no policies for testing. I have heard, but haven't seen it, where the GPO can override the visible settings of the Windows FW Console. I am not a Windows Security Expert so I can't really drill down into troubleshooting the OS Security.

Run a netstat from the problem server and see if TCP80 is going in and out.

You can use a freebie like TCPing to run a continual TCP Ping against the server while you are trying different things with the server to correct it. It has a small footprint so make sure you try it from your CMS to the node and also from the node to CMS.

Another thing, can you browse to the SMH from the CMS or is that blocked also? https://servername:2381

You might also try these from your desktop to the server, making sure it isn't a problem with the source server being blocked.
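
The TCP checks suggested in the post above, as an added example that is not part of the original post: a PowerShell 2.0-compatible probe, run from the CMS or a desktop, that tells a silently dropped connection apart from a port with nothing listening. The `Test-TcpPort` function name and the `servername` target are placeholders; the port list is taken from the first post.

```powershell
# Added example, not from the thread. 'servername' is a placeholder target; the
# ports are the TCP exceptions listed in the first post. 161 is left out because
# SNMP normally runs over UDP, which a TCP connect cannot test.
param([string]$Target = 'servername', [int]$TimeoutMs = 3000)

$SimPorts = 22, 80, 443, 280, 2301, 2381, 5988, 5989

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    $state = 'Open'                       # handshake completed
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($async)    # throws if the connect failed
        } else {
            # No SYN/ACK and no RST within the timeout: the packets were dropped
            # somewhere, which is how a blocking firewall typically looks.
            $state = 'Timeout'
        }
    } catch {
        # ConnectionRefused means the packet reached the host and nothing is
        # listening; other codes (HostNotFound, ...) are reported as-is.
        $err = $_.Exception.GetBaseException()
        if ($err -is [System.Net.Sockets.SocketException]) {
            $state = $err.SocketErrorCode.ToString()
        } else {
            $state = $err.GetType().Name
        }
    } finally {
        $client.Close()
    }
    New-Object PSObject -Property @{ Target = $HostName; Port = $Port; State = $state }
}

$SimPorts |
    ForEach-Object { Test-TcpPort -HostName $Target -Port $_ -TimeoutMs $TimeoutMs } |
    Select-Object Target, Port, State |
    Format-Table -AutoSize
```

Running it once with the firewall on and once with the Public profile off shows which ports change from `Timeout` to `Open`.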

 

jim goodman
Trusted Contributor

Re: A server can only be discoverable by SIM when firewall is disabled

I also meant to ask were these servers built with an image or from a raw OS dvd?

jim goodman
Trusted Contributor

Re: A server can only be discoverable by SIM when firewall is disabled

Also take a look at this

http://technet.microsoft.com/en-us/library/cc755158(WS.10).aspx

This may trigger some ideas for other paths to look at.

I did a quick google of: troubleshooting 2008 r2 Windows firewall. A lot more information there.

w2k3s
Frequent Advisor

Re: A server can only be discoverable by SIM when firewall is disabled

The server is built from CD. I tried resetting the firewall configuration... no luck.

I tried network monitoring to see what port the server is blocking... this is even weirder.

With the public profile being off, I see port 80 TCP used in PING from SIM, and SIM reported successful PING.

With the public profile turned on, I still see port 80 TCP being used, but SIM reported unsuccessful ping.

Bart_Heungens
Honored Contributor

Re: A server can only be discoverable by SIM when firewall is disabled

Why do you put the network connection on Public? Public network is known as being completely closed up...

Normally your connection should be Work or Domain network, and then it should be working fine... It is in my case...

Kr,

Bart

w2k3s
Frequent Advisor

Re: A server can only be discoverable by SIM when firewall is disabled

No, I did not put the network connection on Public. The network connection is on DOMAIN, but SIM discovery or ping won't work unless I turn off the public firewall profile. That's what confuses me. The network is clearly using the domain profile.

jim goodman
Trusted Contributor

Re: A server can only be discoverable by SIM when firewall is disabled

OK w2k3 - after a bunch of digging and going cross-eyed in Google and at Microsoft's KB, it appears there are complaints similar to yours regarding the Windows Firewall and Domain interface profile not being recognized when software is installed. I found a couple of instances where it turned out to be caused by a problem with the profile for one of the interfaces and another a problem with the standby NIC. A good place to start.

Curious - are you teaming your NICs? If so, how are they teamed and could you verify that both interfaces reflect the proper profile? I don't know if you have to break the team to do that.

If you see that everything is fine in your team and on all of your interfaces then I suppose you are going to have to chase it down with Microsoft - suffice to say I came up with enough information to accept the interface profiles in WinFW is a less than perfect security functionality and hopefully Microsoft addresses it.

You never did tell me if you explored your GPO for the Firewall Settings as that is another place. Anyway, I have gone about as far as I can go with it since it doesn't appear to be an HP product problem. I'd hit the technet forums and see what you come up with there.
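
One way to check the profile question raised in this thread on the problem server itself, as an added example that is not part of the original posts: it uses the Windows Firewall COM object `HNetCfg.FwPolicy2` to list every firewall profile that is currently active (more than one can be active when interfaces are categorized differently) and, per active profile, which of the TCP ports from the first post have no enabled inbound allow rule. The `Test-PortInSpec` helper is a hypothetical name.

```powershell
# Added example, not from the thread. Run on the server that SIM cannot reach.
# Ports are the TCP exceptions from the first post (161 omitted: SNMP is UDP).
$SimPorts     = 22, 80, 443, 280, 2301, 2381, 5988, 5989
$ProfileNames = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }

$fw     = New-Object -ComObject HNetCfg.FwPolicy2
$active = $fw.CurrentProfileTypes        # bitmask of all profiles in effect

# Hypothetical helper: does a rule's LocalPorts string ("80,443", "5988-5989",
# "*") include the port? Named ports such as "RPC" are ignored.
function Test-PortInSpec([string]$Spec, [int]$Port) {
    foreach ($token in ($Spec -split ',')) {
        $token = $token.Trim()
        if ($token -eq '*') { return $true }
        if ($token -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($token -match '^\d+$') {
            if ([int]$token -eq $Port) { return $true }
        }
    }
    return $false
}

foreach ($bit in 1, 2, 4) {
    if (-not ($active -band $bit)) { continue }      # profile not in effect
    # Enabled, inbound (Direction 1), allow (Action 1) rules bound to this profile.
    $rules = @($fw.Rules | Where-Object {
        $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 -and ($_.Profiles -band $bit)
    })
    # Protocol 6 is TCP, 256 is "any". Rules can also be scoped by program,
    # service or remote address, and block rules take precedence over allow
    # rules; this check looks at port and profile only.
    $missing = @($SimPorts | Where-Object {
        $port = $_
        -not ($rules | Where-Object {
            $_.Protocol -eq 256 -or
            ($_.Protocol -eq 6 -and (Test-PortInSpec $_.LocalPorts $port))
        })
    })
    New-Object PSObject -Property @{
        Profile        = $ProfileNames[$bit]
        Enabled        = $fw.FirewallEnabled($bit)
        PortsNotOpened = ($missing -join ', ')
    } | Select-Object Profile, Enabled, PortsNotOpened
}
```

If the output lists Public alongside Domain, an interface is being treated as public, and exceptions created only for the Domain profile do not cover traffic arriving on it.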