Operating System - HP-UX

Question about source ip addresses when using a floating ip for SG Exp. lan0:1,etc

 
SOLVED
likid0
Honored Contributor

Question about source ip addresses when using a floating ip for SG Exp. lan0:1,etc

Hi,

I have a question.

Let's say hp-ux 11.11, and a server (example) with lan0 (1.1.1.123) and lan0:1 (1.1.1.124) on the same network.

I connect via sftp from the server (example) to a sftp server (1.2.3.4) that goes through the default gw.

I thought for a connection initiating from the server, the source ip would always be the one that is the hostname of the server, so in our example it would always have a source IP of 1.1.1.123

But when we had problems crossing a firewall, I found out with tcpdump that the source IP address it was using was the one of the floating address (1.1.1.124)

I have tried out on 3 other clusters, and some use as source ip the hostname, others use the service floating IP.

What are the rules the system uses for using one source ip or the other?

Windows?, no thanks
Torsten.
Acclaimed Contributor

Re: Question about source ip addresses when using a floating ip for SG Exp. lan0:1,etc

Without some special configuration steps you will always have problems if a server has multiple ip addresses within the same subnet. Consider using a different subnet.

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
akio_kabutogi
Advisor

Re: Question about source ip addresses when using a floating ip for SG Exp. lan0:1,etc

I guess it depends on how the route to the remote network was defined by the route command.

The route command has an option specifying the source of the IP address for the route. If this is the case, you'll find the route to the network like:

7.0.0.0               20.1.1.100         UG        0  lan0:1     1500

by netstat -rn.

By default, the source address should be the one owned by the primary interface. But if the traffic goes over such a route defined explicitly with the 'source' option of the route command, the source IP address will become the one assigned to lan0:1 or whatever the route specifies.

Maybe it's better to check netstat -rn.

Matti_Kurkela
Honored Contributor
Solution

Re: Question about source ip addresses when using a floating ip for SG Exp. lan0:1,etc

Normally the application does not care which source IP is used for outgoing connections. In that case, your initial assumption would usually be true, i.e. you would see 1.1.1.123 as the source address of outgoing connections.

 

However, applications have the option of requesting a specific source IP for a given outgoing connection. This is done using a bind() system call before connect()ing the socket.

 

Some applications, e.g. SSH, offer this as a configurable option. For example, to use 1.1.1.124 as a source IP for outgoing connections, you would specify "BindAddress 1.1.1.124" in either the global configuration file /opt/ssh/etc/ssh_config or the user-specific configuration file ~/.ssh/config.

 

If this is done on some of your clusters but not all of them, this would explain the situation you're seeing.

 

If your application does not have BindAddress or equivalent option, there are some ways to achieve the same thing at the OS level, using either IPFilter NAT features or explicit routes. However, these other solutions have some disadvantages: I'd say the application-specific configuration is usually the best solution, if such a configuration option is available.

 

Please see pages 6-9 of this PDF for more details:

http://mayoxide.com/presentations/Understanding_hpux_routing.pdf

 

Using the floating IP address as a source address for outgoing connections can be a good thing, as it simplifies the firewall configuration requirements if you need both incoming and outgoing connections.

MK
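
The bind()-before-connect() behaviour described in the answer above, as an added example that is not part of the original thread: it connects to a local listener twice, once letting the kernel pick the source address and once binding first, and reports the source IP the peer sees each time. It assumes a Linux-style loopback where every 127.0.0.0/8 address is local; 127.0.0.1 and 127.0.0.2 stand in for the primary address 1.1.1.123 and the floating address 1.1.1.124, and the function name source_seen_by_peer is hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Connect to a local listener and report the source IP the listener sees.
 * bind_ip == NULL: the kernel chooses the source address (default case).
 * bind_ip != NULL: bind() the client socket first, as a BindAddress-style
 * option does. Returns 0 on success, -1 on error.
 * Assumption: loopback addresses are used so the example runs offline. */
int source_seen_by_peer(const char *bind_ip, char *out, size_t outlen)
{
    struct sockaddr_in srv = {0}, src = {0}, peer;
    socklen_t len = sizeof srv, plen = sizeof peer;
    int lfd = -1, cfd = -1, afd = -1, rc = -1;

    srv.sin_family = AF_INET;
    srv.sin_addr.s_addr = htonl(INADDR_LOOPBACK);  /* 127.0.0.1, port 0 = any */
    lfd = socket(AF_INET, SOCK_STREAM, 0);
    cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0 || cfd < 0) goto done;
    if (bind(lfd, (struct sockaddr *)&srv, sizeof srv) < 0 || listen(lfd, 1) < 0) goto done;
    if (getsockname(lfd, (struct sockaddr *)&srv, &len) < 0) goto done;  /* learn port */

    if (bind_ip) {                       /* explicit source address requested */
        src.sin_family = AF_INET;        /* sin_port stays 0: ephemeral port */
        if (inet_pton(AF_INET, bind_ip, &src.sin_addr) != 1) goto done;
        if (bind(cfd, (struct sockaddr *)&src, sizeof src) < 0) goto done;
    }
    if (connect(cfd, (struct sockaddr *)&srv, sizeof srv) < 0) goto done;
    afd = accept(lfd, (struct sockaddr *)&peer, &plen);
    if (afd < 0) goto done;
    if (inet_ntop(AF_INET, &peer.sin_addr, out, outlen)) rc = 0;
done:
    if (afd >= 0) close(afd);
    if (cfd >= 0) close(cfd);
    if (lfd >= 0) close(lfd);
    return rc;
}

int main(void)
{
    char ip[INET_ADDRSTRLEN];
    if (source_seen_by_peer(NULL, ip, sizeof ip) == 0) printf("default: %s\n", ip);
    if (source_seen_by_peer("127.0.0.2", ip, sizeof ip) == 0) printf("bound:   %s\n", ip);
    return 0;
}
```

The address printed is the one a firewall between client and server would match on, so the same check against a real peer shows which rule an outgoing connection will hit.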
likid0
Honored Contributor

Re: Question about source ip addresses when using a floating ip for SG Exp. lan0:1,etc

But Torsten, having a floating IP for a Service Guard Package is standard stuff. You can have problems when you have different nics with IP addresses in the same subnet on each nic, but having an IP alias on the same nic on the same network, and binding the application to the SG package ip, is normal procedure.

What I find strange is when I open a connection from the SG server (to a ftp for example), on some nodes it uses as source the server's ip, on other clusters it uses one of the SG packages' IPs

Windows?, no thanks
akio_kabutogi
Advisor

Re: Question about source ip addresses when using a floating ip for SG Exp. lan0:1,etc

Yes, what Matti mentions is very true. But if such config is not done from SSH world, route config is worth checking.
I think ssh config is more probable, though :-)
likid0
Honored Contributor

Re: Question about source ip addresses when using a floating ip for SG Exp. lan0:1,etc

Thanks Matti.

Yes, looking for info on this I found the pdf you mention, very well explained by Olivier Masse. In the pdf it is explained as an application opening the connection to the floating ip service, or the multihomed host. But as you say, in the end it is the same. The scp on the SG server can be a client connecting to any old server.

I didn't know about the BindAddress config in the ssh client, nice stuff. Just to fill in, I checked on the nodes that use the floating IP as source when opening a connection with ssh, and they don't have the BindAddress configured in the general system ssh_config, but they do have it in the .ssh/config per user config.

So that was the mystery. Thanks for the help!

Thanks for the info

Windows?, no thanks
likid0
Honored Contributor

Re: Question about source ip addresses when using a floating ip for SG Exp. lan0:1,etc

Thanks Akio also for the info, it wasn't specified in the route table in this case, but I take note for next time.

 

Thanks

Windows?, no thanks