
Ephemeral ports

 
Mark Perschbacher_1
Occasional Advisor

Ephemeral ports

I have been trying to determine why an HP rp5470 server running HP UNIX 11.0 would use ephemeral ports when setting up a TCP socket connection with a Win2003 server, and not with a Win2000 server. Both of the Win servers are on a separate network from the rp5470, and acting as clients. The firewall the rp5470 sits behind is blocking the messages to the w2003 server as a result.
Jeff Schussele
Honored Contributor

Re: Ephemeral ports

Define ephemeral?
I'm confused - but when Wintel's in play, I'm not surprised.
Are you talking about "high" ports?
Well....that's a negotiation - takes 2 to tangle....
Think MS is at fault first....
And if a FW is in there, well again - check its rules.

My 2 cents,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Mark Perschbacher_1
Occasional Advisor

Re: Ephemeral ports

What we are seeing is that the rp5470 typically has three entries in netstat -n for the Win2003 server. One in the SYN ACK state, one in WAITING, and another in ESTABLISHED, for example. Each entry has a local port number incrementing up. For the Win2000 server, there is just a single entry in netstat -n in the ESTABLISHED state. I know nothing about HP UNIX, and am just trying to figure out why the rp5470 would be reacting differently.
Jeff Schussele
Honored Contributor

Re: Ephemeral ports

Hi (again) Mark,

All you need to focus on is "Established".
Anything else is a failed connection or a "broken" one.
FIN-WAIT2 is a classic example of net problems or some knucklehead that "X"'d out of the session instead of properly exiting.
Remember that Wintel folks don't care about "rules".
Hit & runners, I call 'em.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Mark Perschbacher_1
Occasional Advisor

Re: Ephemeral ports

I have spent a lot of time researching the build and tear down process for TCP sockets, so I have a good understanding of what is going on; it's the why part I am trying to determine. The vendor claims that the settings are identical for the interface that does not change ports. Using the nettune command, could the server be forced to only use a single, or small range of, local ports?
James R. Ferguson
Acclaimed Contributor

Re: Ephemeral ports

Hi Mark:

You can use 'ndd' to change the ephemeral range by tuning 'tcp_smallest_anon_port' and 'tcp_largest_anon_port'. By default, this range is 49152-65535.

See the manpages for 'ndd'.

For example:

# ndd -set /dev/tcp tcp_smallest_anon_port 50000

# ndd -set /dev/tcp tcp_largest_anon_port 55000

Regards!

...JRF...

Ralph Grothe
Honored Contributor

Re: Ephemeral ports

I think for the tcp/ip stack on 11i you can at least set the upper bound for anonymous ports.

Don't know if this is of any help to your problem?


# ndd -h tcp_largest_anon_port

tcp_largest_anon_port:

Largest anonymous port number to use. [1024, 65535]
Default: 65535

Madness, thy name is system administration
Ralph Grothe
Honored Contributor

Re: Ephemeral ports

Hm, your mileage may vary.
But on my 11i system the smallest anon ports are listed as unsupported params.

# ndd -h unsupported|grep smallest
tcp_smallest_anon_port - Smallest anonymous port number to use
tcp_smallest_nonpriv_port - Smallest port number non-privileged processes
udp_smallest_anon_port - Smallest anonymous port number to use
udp_smallest_nonpriv_port - Smallest port number non-privileged processes
Madness, thy name is system administration
James R. Ferguson
Acclaimed Contributor

Re: Ephemeral ports

Hi (again) Mark:

The Knowledge Base (#UTRANKBRC00009720) notes that tuning the anonymous port range is permitted but must be done before any networking services are started (obviously!). This means before '/sbin/rc2.d/S100swagentd' is started.

If this is your intention, have a look at the aforementioned document for more details.

Regards!

...JRF...

Mark Perschbacher_1
Occasional Advisor

Re: Ephemeral ports

I will turn all this useful information over to the vendor that supports the rp5470, thanks a lot for all your input. I have just started posting questions on these forums, and have had really good responses.
rick jones
Honored Contributor

Re: Ephemeral ports

For an application to use a port that is not in the ephemeral (anonymous) port range, it must make an explicit bind() call to bind to that port number. One can use tusc to trace the system calls being made by said application and see those bind() calls.
there is no rest for the wicked yet the virtuous have no pillows
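As an added illustration of the point above (example code, not from the thread or from HP-UX itself): a socket that binds to port 0, or that skips bind() entirely before connect(), receives a local port from the kernel's anonymous range, while an explicit bind() pins it to a chosen port that a firewall rule can be written for. The program asks the kernel via getsockname() which port was actually assigned; the candidate ports 50000-50002 are constructed values for the demonstration.

```c
/* Added example: ephemeral (kernel-chosen) vs explicitly bound local port. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a TCP socket on 127.0.0.1 to `want` (0 = let the kernel pick a port
 * from its anonymous range). Returns the port actually bound, or -1. */
int bind_local_port(uint16_t want)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(want);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa);
    socklen_t len = sizeof sa;
    if (rc == 0)
        rc = getsockname(fd, (struct sockaddr *)&sa, &len); /* read back the port */
    close(fd);
    return rc == 0 ? ntohs(sa.sin_port) : -1;
}

/* Try each candidate port in order and return the first one that binds.
 * This is how an application pins its source port to a small, known set
 * instead of taking whatever the anonymous range hands out. */
int bind_first_free(const uint16_t *cands, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        int p = bind_local_port(cands[i]);
        if (p > 0)
            return p;
    }
    return -1;
}

int main(void)
{
    const uint16_t fixed[] = { 50000, 50001, 50002 }; /* constructed candidates */
    printf("kernel-chosen ephemeral port: %d\n", bind_local_port(0));
    printf("explicitly bound port:        %d\n", bind_first_free(fixed, 3));
    return 0;
}
```

Run under tusc (HP-UX) or strace (Linux) to see the bind() call that the thread's last reply describes; the ephemeral case shows the port only in getsockname().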