Operating System - HP-UX
Ray Brewer
Valued Contributor

trouble with communication through a firewall

We are experiencing communication problems with our systems when we "turn off" ping to our firewall interfaces (ping through the firewall is allowed). In this scenario our firewall interface is our default gateway for the HP-UX systems in question. What happens is, with the ability to ping the default gateway (firewall interface) turned off, we lose network connectivity as soon as the ARP cache is cleared by the system.

What we have discovered is that HP-UX attempts to ping the default gateway every 3 minutes. If it does not get a response, then the next time the ARP cache clears, all traffic which requires the default gateway is stopped because the system cannot "see" the gateway. It's as if the OS is saying the gateway is down so I won't even try sending any data to it. We hooked up a network "sniffer" and found that indeed there was nothing leaving the system at all. As soon as it gets a good ping response it starts working again. We can ping anything on the same network with no problems whatsoever.

Which brings me to my question(s): has anyone seen this before, and is this an HP-UX specific thing? Do other flavors of UNIX use this ping method to verify the health of their default gateway? Can the pinging of the gateway be "turned off" and the system be forced to believe the gateway is working? Or does anyone have any other alternatives? The things that do work for us are to add a static route to each of the networks we need communication to, or to enable pinging of the firewall interface which is our default gateway. We would prefer not to do either of these things. Any suggestions would be great. Thanks
Craig Rants
Honored Contributor
Solution

Re: trouble with communication through a firewall

Ray,
I experienced this just a few weeks ago, are you using 11.00? If so you are experiencing the Dead Gateway Detection problem. Here is my documentation from that experience.

"HPUX 11.00 supports multiple gateways using route add. It will use default first and check to see if the default router is available by sending it a ping. If it doesn't get a reply, it will consider the route dead and move to the next gateway defined. If there are no other gateways defined then it will shut down all outbound traffic. The fix is to make sure that your router responds to ICMP requests or to run this command to turn probing off 'ndd -set /dev/ip ip_ire_gw_probe 0'
then add an entry in /etc/rc.config.d/nddconf to turn the probing off at each reboot. Then re-add the route and everything works"


"I finally gave up and called HP support on this. Two sentences into my
description, he knew what the problem was. He also told me "You would have
never found it"

The problem was a little feature in HPUX 11.0 known as 'Dead Gateway
Detection'

What happens is, HP pings the router occasionally (180000 seconds is the
default) to make sure it is still up. If it doesn't get a response, it
stops routing to that address. Since we are using a firewall as the
default gateway, and the firewall doesn't respond to pings (stealth mode),
then HP assumes the gateway is down and stops routing to it. This also
explains why it wasn't a problem when I had the system on our other network,
that uses a router instead of the firewall.

The fix is to load patches PHNE_20735 and PHNE_20316 and then put the
following entry into /etc/rc.config.d/nddconf

TRANSPORT_NAME[0]=ip
NDD_NAME[0]=ip_ire_gw_probe
NDD_VALUE[0]=0

To check the current value, use:

ndd -get /dev/ip ip_ire_gw_probe

You can also set the value by using:

ndd -set /dev/ip ip_ire_gw_probe 0

although you will have to reset it after reboot (so just go ahead and set it
up in nddconf)"

Hope this helps,
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
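An added example, not part of Craig's post or of HP's own tooling: nddconf is sourced as shell, so each tunable is a TRANSPORT_NAME[n]/NDD_NAME[n]/NDD_VALUE[n] triple and n must be unique; pasting the [0] lines above into a file that already uses index 0 means the later assignment simply overwrites the earlier tunable. The POSIX sh functions below compute the next free index, refuse to add a duplicate entry, read back what is configured, and query the live kernel only where ndd exists. The scratch file and the tcp_syn_rcvd_max entry seeded into it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): maintain the ip_ire_gw_probe
# entry in /etc/rc.config.d/nddconf without clobbering tunables already there.
# nddconf is sourced as shell; every tunable is a triple
#   TRANSPORT_NAME[n]=... NDD_NAME[n]=... NDD_VALUE[n]=...
# and n must be unique, so the next free index is computed instead of
# hard-coding [0]. The file path is a parameter so this can be exercised on a
# scratch copy first. Assumes POSIX sh and awk.

# Highest array index used in the file, or -1 if the file has no entries.
nddconf_max_index() {
    awk -F'[][]' '
        /^[ \t]*(TRANSPORT_NAME|NDD_NAME|NDD_VALUE)[[][0-9]+[]]/ {
            if (!seen || $2 + 0 > max) max = $2 + 0
            seen = 1
        }
        END { print (seen ? max : -1) }' "$1"
}

# NDD_VALUE currently configured for a tunable name, or nothing if absent.
nddconf_get() {
    awk -v want="$2" '
        function idx(s) { sub(/^[^[]*[[]/, "", s); sub(/[]].*/, "", s); return s }
        function val(s) { sub(/^[^=]*=/, "", s); return s }
        /^[ \t]*NDD_NAME[[]/  { name[idx($0)]  = val($0) }
        /^[ \t]*NDD_VALUE[[]/ { value[idx($0)] = val($0) }
        END { for (i in name) if (name[i] == want) print value[i] }' "$1"
}

# Append a triple at the next free index and print the index used. If the
# tunable is already configured, print -1 and return 1 so the caller can
# decide whether to edit the existing entry by hand instead.
nddconf_set() {
    file=$1 transport=$2 name=$3 value=$4
    if [ -n "$(nddconf_get "$file" "$name")" ]; then
        echo -1
        return 1
    fi
    n=$(( $(nddconf_max_index "$file") + 1 ))
    {
        printf 'TRANSPORT_NAME[%d]=%s\n' "$n" "$transport"
        printf 'NDD_NAME[%d]=%s\n'       "$n" "$name"
        printf 'NDD_VALUE[%d]=%s\n'      "$n" "$value"
    } >> "$file"
    echo "$n"
}

# Live kernel value on HP-UX (ndd present); "unavailable" anywhere else.
gw_probe_live() {
    if command -v ndd >/dev/null 2>&1; then
        ndd -get /dev/ip ip_ire_gw_probe
    else
        echo unavailable
    fi
}

# Demo on a scratch file seeded with a constructed, unrelated tunable at [0],
# showing the gateway-probe entry landing at [1] rather than overwriting it.
nddconf_demo() {
    scratch=${TMPDIR:-/tmp}/nddconf.demo.$$
    printf 'TRANSPORT_NAME[0]=tcp\nNDD_NAME[0]=tcp_syn_rcvd_max\nNDD_VALUE[0]=4096\n' > "$scratch"
    nddconf_set "$scratch" ip ip_ire_gw_probe 0 >/dev/null
    cat "$scratch"
    rm -f "$scratch"
}
```

Run nddconf_demo to see the resulting file; on the real host, pair `nddconf_set /etc/rc.config.d/nddconf ip ip_ire_gw_probe 0` with the immediate `ndd -set /dev/ip ip_ire_gw_probe 0` from the post, then confirm both agree with gw_probe_live and nddconf_get before the next reboot.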
Craig Rants
Honored Contributor

Re: trouble with communication through a firewall

I should note that I banged my head on the wall for about an hour with this issue. Once I got use of a PC, it took me about 5 minutes to find the resolution to this problem in this forum. I could have been there for quite some time without the forum.
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Mike Hassell
Respected Contributor

Re: trouble with communication through a firewall

Ray,

What version of HP-UX are you running? I'm pretty sure that HP-UX probes its default gateway using ICMP echo requests, to ensure connectivity.

I'm a bit confused on why you want to disable ICMP on the internal interface on your firewall/gateway box? What purpose does this serve?

On another note I think you can disable this probing in HP-UX 11.x+ by using ndd:

ndd -set /dev/ip ip_ire_gw_probe 0

Make sure you set the appropriate lines in
/etc/rc.config.d/nddconf if this solution works for you. Of course this sounds like a question for Rick Jones, as I'm sure he can shed much more light on the subject.

-Mike
The network is the computer, yeah I stole it from Sun, so what?
Ray Brewer
Valued Contributor

Re: trouble with communication through a firewall

Thank you Craig and Mike. Both of your answers hit the nail on the head! You both had some questions and to clarify the situation for anyone else reading I will answer them. Here we go...

Mike and Craig
Q1. We are running HP-UX 11.00

Mike
Q2. We have ICMP to the internal firewall interface turned off because the folks that have control of these devices were told in a class that they should "enable stealth mode on the firewall". They have not as of yet done any customization to accommodate the business needs. This is our first attempt in communicating through firewalls with the firewall as our gateway on our HP-UX systems. Until now it's been all NT to NT.

Mike
Q3. So far the only purpose I can see for not allowing ICMP is to frustrate me.

Thank you both for your help. Just to let you know, we have HP consulting on site here and you guys were able to provide an answer faster than them.
Mike Hassell
Respected Contributor

Re: trouble with communication through a firewall

Ray,

Glad to hear things worked out for you. Just wondering what kind of firewall your network group has installed? FW-1? I assume having the internal interface in "stealth" mode would prevent some DoS attacks from inside the corporation and possibly other types of attacks.

Interesting configuration though, as there is no room for a DMZ to put web servers and things like that if you have a single point where the firewall resides without any "choke" routers in between. Thanks for the info, wish I had 11.0 installed as well so I could start to use some of the ndd commands :)

-Mike
The network is the computer, yeah I stole it from Sun, so what?
cart
Advisor

Re: trouble with communication through a firewall

Thanks everyone for this post!!! I've been struggling with this issue for about a week.
I'm using HPUX 11i and Mandrake firewall.
I just ran the ndd command and it works!
Thanks again,
S