Operating System - HP-UX

Re: NFS - firewall 1 - VPN

Espen Ekeroth
Occasional Contributor

NFS - firewall 1 - VPN

Some time ago our two offices were connected with a firewall 1 solution using VPN over the internet.

After we introduced this solution we have problems with NFS hanging all the time. This was never a problem before. In addition to adding the firewalls, some of the network layout was changed due to routing.

Does anybody have a clue where we should start looking for the error? We do not get any dropped packets, and there are no errors in the system log except for NFS timeout errors. I have tried to debug NFS (using the logging option) but there is nothing to be found.

Espen
G. Vrijhoeven
Honored Contributor

Re: NFS - firewall 1 - VPN

Hi Espen,

I would take a look at what changed:

Did you have leased lines before VPN, and if so, what is the latency of the VPN tunnel vs. the old situation?
Encryption of the connection takes time.

Did you do a soft / hard mount over the tunnel?

Regards,

Gideon
Mel Burslan
Honored Contributor

Re: NFS - firewall 1 - VPN

I would assume that what you are seeing is normal if your NFS server and NFS client are not on the same LAN, i.e., one is connected to the other via VPN over the internet. At times, unless your VPN tunnel has a very high QOS (quality of service) guarantee, it is very normal for the internet to congest, and during these congestions NFS comms get disrupted.
________________________________
UNIX because I majored in cryptology...
Steven E. Protter
Exalted Contributor

Re: NFS - firewall 1 - VPN

Look at /etc/services

Check out the NFS ports and make sure those ports are open on the firewall.

It's a really bad idea to run NFS data through the public internet because it's not encrypted. But you need to solve the issue first and then find a better, more secure way to transfer the data.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
G. Vrijhoeven
Honored Contributor

Re: NFS - firewall 1 - VPN

Espen,

I meant latency (delay). My English is not perfect, I am afraid.

I assume the VPN tunnel encrypts all data going through it.

Regards,

Gideon
Espen Ekeroth
Occasional Contributor

Re: NFS - firewall 1 - VPN

As you suggest - the client and the server are on each side of the VPN tunnel.

Before we did this change we had a leased line (2 Mbit). Now each of the offices has its own 2 Mbit line to the internet.

About latency - normally we see a ping time of 15-16 ms, but sometimes it is much higher.

Question: does a VPN LAN-to-LAN connection drop when not in use?

Espen
Steve Lewis
Honored Contributor

Re: NFS - firewall 1 - VPN

Have you tuned the NFS mount timeouts, using mount option timeo?

Use /usr/sbin/mount -p to display the current settings.

Then try mounting the NFS filesystem with a higher than usual timeout, e.g. -o timeo=20 would give a 2 second timeout.

man mount_nfs

NFS periodically wakes up and tests the connections, so I don't think that yours will be dropped.

The other thing to check is whether NFS is using TCP, or if it has dropped back to UDP.

Espen Ekeroth
Occasional Contributor

Re: NFS - firewall 1 - VPN

I tried timeo=20 and 40. No difference. The server is called uws004, the client is called hpws14. What we see is like this:

(hpws14) 4/users/perht/top> cp sareg /tmp
NFS server uws004 not responding still trying
NFS server uws004 not responding still trying
NFS server uws004 not responding still trying
NFS server uws004 not responding still trying
NFS server uws004 ok
cp: bad copy to /tmp/sareg: read: Stale NFS file handle
(hpws14) 5/users/perht/top>

If we do an ls (or ll) it shows all the files in the folder, and small files are accessible but not large files.

Brian Hackley
Honored Contributor

Re: NFS - firewall 1 - VPN

Espen,

You might want to use NFS over TCP transport if the NFS client and server support it. rpcinfo -p servername | grep -i nfs should tell you about the server.
man mount_nfs on the client should tell you if -o proto=tcp is supported as a mount option.

Even if not, you will want to cut down the size of the NFS requests to the smallest chunk of the "pipe" between the client and the server. Usually we tell folks to start with mount option -o rsize=1024,wsize=1024. Don't fiddle with timeo whatever you do!

Good luck,

-> Brian Hackley
Ask me about telecommuting!
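A check that combines Steve's advice (mount -p to see the current options) with Brian's (TCP transport, small rsize/wsize), written as an added example and not code from the thread. It assumes HP-UX fstab-style mount -p output (special, mountpoint, fstype, options, freq, passno) and runs over a constructed sample; the hostname uws004 is borrowed from the thread.

```sh
# Added example (not from the thread): audit "mount -p" output for NFS mounts
# likely to misbehave over a slow or lossy VPN tunnel. Assumes HP-UX
# fstab-style lines: special mountpoint fstype options freq passno

# Constructed sample output; the hostname is borrowed from the thread.
SAMPLE_MOUNTS='/dev/vg00/lvol3 / vxfs delaylog 0 1
uws004:/users /users nfs rw,hard,proto=udp,rsize=8192,wsize=8192,timeo=20 0 0
uws004:/apps /apps nfs rw,hard,intr,proto=tcp,rsize=1024,wsize=1024 0 0'

# opt_val OPTIONS KEY: print the value of KEY=... (empty if KEY is absent)
opt_val() { printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1; }

# has_opt OPTIONS FLAG: succeed if the bare FLAG is present in the option list
has_opt() { printf '%s\n' "$1" | tr ',' '\n' | grep -qx "$2"; }

# audit_line "special mountpoint fstype options freq passno":
# print one finding per problem, return the number of findings (0 = clean)
audit_line() {
    set -- $1
    mp=$2; fstype=$3; opts=$4; n=0
    [ "$fstype" = nfs ] || return 0
    # UDP retransmits whole requests; TCP copes better with delay and loss
    if [ "$(opt_val "$opts" proto)" != tcp ]; then
        echo "$mp: NFS over UDP; try proto=tcp if client and server support it"
        n=$((n + 1))
    fi
    # large reads/writes fragment into many packets; start small on a tunnel
    for k in rsize wsize; do
        v=$(opt_val "$opts" "$k")
        if [ -z "$v" ] || [ "$v" -gt 1024 ]; then
            echo "$mp: $k=${v:-default} is large for a tunnel; start with $k=1024"
            n=$((n + 1))
        fi
    done
    # a hard mount without intr cannot be interrupted while the server is away
    if has_opt "$opts" hard && ! has_opt "$opts" intr; then
        echo "$mp: hard mount without intr; processes hang until the server returns"
        n=$((n + 1))
    fi
    return $n
}

# audit_mounts MOUNT_OUTPUT: run audit_line over every line; findings go to stdout
audit_mounts() { printf '%s\n' "$1" | while read -r line; do audit_line "$line"; done; }

audit_mounts "$SAMPLE_MOUNTS"
```

On a real client, feed it the live output with audit_mounts "$(/usr/sbin/mount -p)"; the same rsize/wsize/proto options can then be put in the automounter map entry instead of a manual mount.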
Espen Ekeroth
Occasional Contributor

Re: NFS - firewall 1 - VPN

How do I set options to the automounter?

I may try this with a hard mount, but would prefer to use the automounter.

At "our" side of the VPN, we have 4 clients that may use the server on the other side. It seems like one of the clients is working much better than the others. As far as I know, and can see from the configuration, there are no differences between the clients, and we find this very strange.

Espen
Espen Ekeroth
Occasional Contributor

Re: NFS - firewall 1 - VPN

Stupid me... found the options in /etc/auto_master.

Brian: sorry about the points - the scroll mouse tricked me.

By the way - after setting the parameters rsize and wsize it seems to work much better, but it will take a few days to check that all problems are solved.

Espen