HPE Community
Operating System - HP-UX
1846643 Members
2448 Online
110256 Solutions
New Discussion

Virtual address not responding to pings from Nokia FW

 
SOLVED
Go to solution
David Connolly
Regular Advisor

‎12-17-2002 06:48 AM

‎12-17-2002 06:48 AM

Virtual address not responding to pings from Nokia FW

Hey,

I have a weird issue whereby I have a physical address (192.168.1.20) and a virtual address (192.168.1.23) on my HPUX 11.00 system. From an NT machine on the same subnet, I can ping both. From the box itself, I can ping both.

However, when I try to ping from the Nokia Firewall, I can ping the physical, but not the virtual. There are no rules active on the firewall to prevent my pinging the .23 address (I can ping the NT machine - .240). Is there anything unusual in how virtual addresses are implemented in HPUX?
0 Kudos
Reply
2 REPLIES 2
Ron Kinner
Honored Contributor

‎12-17-2002 09:02 AM

‎12-17-2002 09:02 AM

Solution

Re: Virtual address not responding to pings from Nokia FW

Just a guess but perhaps the HP does not use the virtual address as the source address when it replies to a ping but instead uses its real address. NT wouldn't care who the echo reply was from as long as it got one but perhaps the Nokia, being a suspicious firewall, does a closer check and is seeing a mismatch between the address it thought it pinged and the return address on the response it is getting. I wonder if it uses the .20 because it comes first in the routing table. Maybe if the IP addresses were reversed it might go the other way.

I've never worked with a virtual address on an HPUX but see if it shows up in
netstat -rnv
which should also show you if it is ever used for outgoing packets.

Ron
Reply
rick jones
Honored Contributor

‎12-18-2002 11:13 AM

‎12-18-2002 11:13 AM

Re: Virtual address not responding to pings from Nokia FW

On a quick test on an 11i system anyway, the VIP is used as the source IP on the ICMP Echo Reply message.

I verified that with a tcpdump trace.

If you suspect that the ICMP Echo Reply from your HP-UX 11 system is from a different source IP, you can check that with either tcpdump (www.tcpdump.org) or nettl. If the IP looks wrong, then it might be good to try the latest ARPA Transport patch and dependencies, and then if that still shows the wrong IP, logging a call might be in order.

Taking a tcpdump trace of the echo requests from the FW might be goodness in any case. Also, checking netstat -p icmp to make sure that when the FW is pinging the VIP that the system is even getting ICMP Echo Requests would be goodness.
there is no rest for the wicked yet the virtuous have no pillows
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.