HPE Community
Server Management - Systems Insight Manager
1833709 Members
2597 Online
110063 Solutions
New Discussion

Problem with SIM and servers in a DMZ

 
SOLVED
Go to solution
Christian Langgaard
Occasional Contributor

‎05-26-2004 01:37 AM

‎05-26-2004 01:37 AM

Problem with SIM and servers in a DMZ

Hi group.

I have a problem with our SIM server.
out CIM7 servere recently crashed and I decided to upgrade to SIM4. installation was smooth, and all internal resources where manually added. I am having problems with the DMZ servers though. I add by ip address but all servers fail with "HW Status RED from ping". We have the same ports open as we did for CIM7, as well as ping (tcp7 / ICMP), the SNMP ports 161/162, the WMI proxy, 2301, 2381, etc. I am running out of ideas. I tried adding through a host file without luck - same error.
I read through the forum in search of a hint, but all suggestions listed here doesn't help.
I can ping from the CMA to the agent, both forward and reverse.

I find it rather annoying that I cannot just add a resource by ip without pinging it though, if the ping is all that keeps me from working.

Does anybody know what the CMA does for discovery - the firewall records the echorequest from the server to the agent but no further traffic is recorded -

Help greatly appreciated.

thanks
Christian
0 Kudos
Reply
8 REPLIES 8
Jon Ward
Trusted Contributor

‎05-27-2004 02:09 PM

‎05-27-2004 02:09 PM

Re: Problem with SIM and servers in a DMZ

http://www.hp.com/wwsolutions/misc/downloads/management/hpsim/HPSIM_Security_WP.pdf , page 12, for the ports used by SIM.

See page 160 of http://www.hp.com/wwsolutions/misc/hpsim-helpfiles/sys-book.pdf . It shows how to perform a ping test from within SIM and the results that it may report. It may provide more ideas why *SIM* thinks it cannot ping the devices.
0 Kudos
Reply
Christian Langgaard
Occasional Contributor

‎05-27-2004 07:55 PM

‎05-27-2004 07:55 PM

Re: Problem with SIM and servers in a DMZ

Good stuff Jon - Thanks.
I will look in to the port list in the white paper. Funny thing is that I can ping from a dos prompt, but the SIM diagnose ping fails - does it use other ports, or could it be service/security related?.

Thanks a lot for the pointers, I will grade your post when I have toyed with the ports.

Kind regards
Christian
0 Kudos
Reply
Christian Langgaard
Occasional Contributor

‎05-27-2004 08:22 PM

‎05-27-2004 08:22 PM

Re: Problem with SIM and servers in a DMZ

I think Jon's post is the right direction.
i now have a firewall rule that basically allows all traffic from the CMA to one particular agent, and anther rule to allow all traffic from the agent to the CMA.

I can ping from a dos prompt on the CMA and get replies fine. If I do the diagnose ping I get "Request timed out"...

I can see the ICMP Echorequest from the CMA in my firewall log.....

I'm confused and frustrated - this should work...

0 Kudos
Reply
WALKENÄERE Sébastien
Occasional Contributor

‎05-28-2004 01:51 AM

‎05-28-2004 01:51 AM

Re: Problem with SIM and servers in a DMZ

I know that i can have some problems if i don't desactivate my proxy on my console, and if you put some exceptions to your connection with your proxy like *.domain.*, you must put other exceptions like 168.15.* for all the ip address of your servers.
0 Kudos
Reply
Brian Harrison
Occasional Advisor

‎05-28-2004 03:34 AM

‎05-28-2004 03:34 AM

Re: Problem with SIM and servers in a DMZ

SIM does indeed do a simple ICMP Echo request to check connectivity to devices, so I don't know why you have it working from a DOS prompt but failing within SIM.

One workaround available in the newly released version 4.1 is that ability to use a different connectivity test instead of ICMP echo. Under Option > Protocol Settings > Global Protocol Settings there is now an option to change the default ping connection to use TCP on a specific port, that should be opened in your firewall. The default value for this is port 80.

I hope this is of some help,
Cheers,
Brian.
0 Kudos
Reply
Christian Langgaard
Occasional Contributor

‎05-30-2004 02:06 AM

‎05-30-2004 02:06 AM

Re: Problem with SIM and servers in a DMZ

Interesting.

I had figured out that 4.1 would solve the issue as it doesn't rely on icmp.. but.

the download page:
http://h18004.www1.hp.com/products/servers/management/hpsim/download.html

still only allows downloading 4.0

how did you get 4.1 :p

kind regards
Christian
0 Kudos
Reply
Rob Buxton
Honored Contributor

‎05-30-2004 09:16 AM

‎05-30-2004 09:16 AM

Solution

Re: Problem with SIM and servers in a DMZ

See Davids response in the 4.1 release item.
Seems some of the descriptions have not caught up.

I got to the download page by following the link in the 4.1 release note from David.
Reply
Christian Langgaard
Occasional Contributor

‎05-30-2004 11:05 PM

‎05-30-2004 11:05 PM

Re: Problem with SIM and servers in a DMZ

4.1 solves the problem - weeee

Thank you everybody for all your help.

Have a nice day - I will now :)

Kind regards
Christian
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.