1836987
Members
1989
Online
110111
Solutions
SOLVED
Hi Manoj,
I would be curious what a network trace of the failing mount looks like when collected on the NFS server. My guess is what you'd see is the mount request comes into the server using the *package* IP address but then is replied to with the *physical* IP address. Some firewalls don't like that or allow it. Perhaps there is a setting on your firewall to permit such traffic...
Some of this behavior (i.e. deciding which IP address to use in outbound packets) is controllable with the ip_strong_es_model tunable:
# ndd -h ip_strong_es_model
ip_strong_es_model:
Controls the requirement issues related to multihoming as
described in RFC1122, Section 3.3.4.2:
(A) A host MAY silently discard an incoming datagram whose
destination address does not correspond to the physical
interface through which it is received.
(B) A host MAY restrict itself to sending (non-source-
routed) IP datagrams only through the physical
interface that corresponds to the IP source address of
the datagrams.
When set to 0, it corresonds to the "Weak ES Model" and would
therefore substitute MUST NOT for MAY in issues (A) and (B).
When set to 1, it corresonds to the "Strong ES Model" and would
therefore substitute MUST for MAY in issues (A) and (B).
When set to 2, substitute MUST NOT for MAY in issue (A) and SHOULD
for MAY in issue (B).
[0,2] Default: 0
If you use ndd to set this value to 2 you *might* get the behavior you're looking for (or rather, your firewall is looking for). This doesn't work in all cases because currently ip_strong_es_model only works for TCP traffic and some of the traffic used for the initial mounting of an NFS filesystem on 11i v2 still uses UDP.
My bet is you would not have this problem if you were using 11i v3. I've seen problems like this in the past and in every case I've tried 11i v3 doesn't experience the problem.
In any case, I'd be curious what a network trace on the server looks like and whether using ip_strong_es_model=2 has any effect.
Regards,
Dave
P.S. I'd definitely recommend fixing the port numbers of lockd/statd/mountd and configuring only those ports in the firewall. Sure beats opening up thousands of ports.
I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
I would be curious what a network trace of the failing mount looks like when collected on the NFS server. My guess is what you'd see is the mount request comes into the server using the *package* IP address but then is replied to with the *physical* IP address. Some firewalls don't like that or allow it. Perhaps there is a setting on your firewall to permit such traffic...
Some of this behavior (i.e. deciding which IP address to use in outbound packets) is controllable with the ip_strong_es_model tunable:
# ndd -h ip_strong_es_model
ip_strong_es_model:
Controls the requirement issues related to multihoming as
described in RFC1122, Section 3.3.4.2:
(A) A host MAY silently discard an incoming datagram whose
destination address does not correspond to the physical
interface through which it is received.
(B) A host MAY restrict itself to sending (non-source-
routed) IP datagrams only through the physical
interface that corresponds to the IP source address of
the datagrams.
When set to 0, it corresonds to the "Weak ES Model" and would
therefore substitute MUST NOT for MAY in issues (A) and (B).
When set to 1, it corresonds to the "Strong ES Model" and would
therefore substitute MUST for MAY in issues (A) and (B).
When set to 2, substitute MUST NOT for MAY in issue (A) and SHOULD
for MAY in issue (B).
[0,2] Default: 0
If you use ndd to set this value to 2 you *might* get the behavior you're looking for (or rather, your firewall is looking for). This doesn't work in all cases because currently ip_strong_es_model only works for TCP traffic and some of the traffic used for the initial mounting of an NFS filesystem on 11i v2 still uses UDP.
My bet is you would not have this problem if you were using 11i v3. I've seen problems like this in the past and in every case I've tried 11i v3 doesn't experience the problem.
In any case, I'd be curious what a network trace on the server looks like and whether using ip_strong_es_model=2 has any effect.
Regards,
Dave
P.S. I'd definitely recommend fixing the port numbers of lockd/statd/mountd and configuring only those ports in the firewall. Sure beats opening up thousands of ports.
I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]