LinuxQuestions.org
Old 05-17-2011, 08:23 PM   #1
terencewklau
LQ Newbie
 
Registered: May 2011
Posts: 22

Rep: Reputation: 0
NFS Client - Mount only works with proto=tcp while iptables is running


Hi,

Client is running Oracle VM Server 2.2.1 (kernel 2.6.18-128.2.1.4.37.el5xen). Storage is a NetApp 3210 (NFS configured to use TCP).

Iptables on client has udp and tcp ports 111, 2049 and the NFS server ports opened. Info retrieved using:

rpcinfo -p NetApp

When trying a manual mount ...

#mount -v NetApp:/share /mnt
mount: no type was given - I'll assume nfs because of the colon
mount: trying NetApp prog 100003 vers 3 prot tcp port 2049
mount: mount to NFS server 'NetApp' failed: timed out (retrying).

... but when using the proto=tcp option, it works ...

#mount -v -o proto=tcp NetApp:/share /mnt

... stopping iptables also works (I can manually mount the share without using proto=tcp).

Is the mounting process somehow trying to negotiate first using UDP, to which the NetApp doesn't respond, and hence it fails by timing out?

Can I configure iptables such that I don't have to use the proto=tcp option? Or is there another configuration file I can tweak so that I don't have to use the proto=tcp option?

Thanks.
 
Old 05-18-2011, 01:58 AM   #2
manyrootsofallevil
Member
 
Registered: Dec 2010
Distribution: Red Hat, Kubuntu
Posts: 130

Rep: Reputation: 14
Can you post the iptables configuration on your NFS server (Netapp)?

You could check /etc/nfsmount.conf to check that the default protocol is tcp.
 
Old 05-18-2011, 04:13 AM   #3
terencewklau
LQ Newbie
 
Registered: May 2011
Posts: 22

Original Poster
Rep: Reputation: 0
Hi,

NFS over TCP has been enabled from the filer's web interface. This was done when it was first set up. I had another look and it's still enabled. There isn't a nfsmount.conf file in /etc. The config may be stored in a different file.

Can't find any iptables files in the NetApp. At least it's not in the /etc folder.

Thanks.
 
Old 05-19-2011, 02:40 AM   #4
manyrootsofallevil
Member
 
Registered: Dec 2010
Distribution: Red Hat, Kubuntu
Posts: 130

Rep: Reputation: 14
Try
Code:
iptables -vL
 
Old 05-19-2011, 06:19 AM   #5
terencewklau
LQ Newbie
 
Registered: May 2011
Posts: 22

Original Poster
Rep: Reputation: 0
The command iptables is not available on the NetApp. But if it's my client that you are referring to, then:

# iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot  opt  in   out  source    destination
    0     0 DROP                 tcp   --   any  any  anywhere  anywhere     state NEW tcp dpt:ftp
    0     0 DROP                 tcp   --   any  any  anywhere  anywhere     state NEW tcp dpt:http
   37  2947 RH-Firewall-1-INPUT  all   --   any  any  anywhere  anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot  opt  in   out  source    destination

Chain OUTPUT (policy ACCEPT 17 packets, 4804 bytes)
 pkts bytes target               prot  opt  in   out  source    destination

Chain RH-Firewall-1-INPUT (1 references)
 pkts bytes target               prot  opt  in   out  source    destination
    0     0 ACCEPT               all   --   lo   any  anywhere  anywhere
    0     0 ACCEPT               icmp  --   any  any  anywhere  anywhere     icmp any
    0     0 ACCEPT               esp   --   any  any  anywhere  anywhere
    0     0 ACCEPT               ah    --   any  any  anywhere  anywhere
    0     0 ACCEPT               udp   --   any  any  anywhere  224.0.0.251  udp dpt:mdns
    0     0 ACCEPT               udp   --   any  any  anywhere  anywhere     udp dpt:ipp
    0     0 ACCEPT               tcp   --   any  any  anywhere  anywhere     tcp dpt:ipp
   19  1176 ACCEPT               all   --   any  any  anywhere  anywhere     state RELATED,ESTABLISHED
    0     0 ACCEPT               tcp   --   any  any  anywhere  anywhere     state NEW tcp dpt:ftp
    0     0 ACCEPT               tcp   --   any  any  anywhere  anywhere     state NEW tcp dpt:ssh
    0     0 ACCEPT               udp   --   any  any  anywhere  anywhere     state NEW udp dpt:domain
    0     0 ACCEPT               tcp   --   any  any  anywhere  anywhere     state NEW tcp dpt:domain
    0     0 ACCEPT               tcp   --   any  any  anywhere  anywhere     state NEW tcp dpt:http
    0     0 ACCEPT               tcp   --   any  any  anywhere  anywhere     state NEW tcp dpt:nfs
    0     0 ACCEPT               tcp   --   any  any  anywhere  anywhere     state NEW tcp dpt:compaq-https
    0     0 ACCEPT               tcp   --   any  any  anywhere  anywhere     state NEW tcp dpts:5900:5950
    0     0 ACCEPT               tcp   --   any  any  anywhere  anywhere     state NEW tcp dpt:teradataordbms
    0     0 ACCEPT               tcp   --   any  any  anywhere  anywhere     state NEW tcp dpt:8003
    0     0 ACCEPT               tcp   --   any  any  anywhere  anywhere     state NEW tcp dpt:8899
    0     0 ACCEPT               tcp   --   any  any  anywhere  anywhere     state NEW tcp dpt:cbt
   18  1771 REJECT               all   --   any  any  anywhere  anywhere     reject-with icmp-host-prohibited
 
Old 05-20-2011, 02:50 AM   #6
manyrootsofallevil
Member
 
Registered: Dec 2010
Distribution: Red Hat, Kubuntu
Posts: 130

Rep: Reputation: 14
mmm...

The bolded rule should allow UDP NFS connections from this client to any server. You really need to ensure that the server is allowing UDP traffic on port 2049.

Since nfsmount.conf is not there, you could try looking for /etc/sysconfig/nfs

You could also run the nfsd daemon in debug mode to see if you can identify the cause of your problem.

Code:
/usr/sbin/rpc.nfsd -d all
 
Old 05-20-2011, 07:11 AM   #7
terencewklau
LQ Newbie
 
Registered: May 2011
Posts: 22

Original Poster
Rep: Reputation: 0
The NetApp has been configured for NFS over TCP. The description of this setting is "use TCP rather than UDP". Not sure whether this means only use TCP.

What I don't understand fully is how iptables is involved. If I stop iptables, I can mount without proto=tcp. If I start iptables, I need to use proto=tcp.

So I'm suspecting I should look here on my client instead of the NetApp, in particular the iptables itself. The NetApp does not have the usual unix commands or file system structure. Hence there's no sysconfig folder or nfsd daemon.

Thanks.
 
Old 05-23-2011, 01:16 PM   #8
manyrootsofallevil
Member
 
Registered: Dec 2010
Distribution: Red Hat, Kubuntu
Posts: 130

Rep: Reputation: 14
I must admit I must be missing something here.

Your iptables config looks like it should allow all types of connections that are initiated from the client (the bold line).

I guess you could try to explicitly allow UDP connections on the NFS port, but you mentioned that the server is listening on TCP only, so this is unlikely to make a difference.
Quote:
iptables -I INPUT -p udp --dport nfs -m state --state RELATED,ESTABLISHED -j ACCEPT
Alternatively, try using a sniffer (tcpdump or Wireshark) to see what is actually going on.

Sorry, I can't be of more help.
 
Old 05-23-2011, 07:41 PM   #9
terencewklau
LQ Newbie
 
Registered: May 2011
Posts: 22

Original Poster
Rep: Reputation: 0
Thanks mate. I tried using tcpdump and it seems to get stuck at a certain interface.

What's happening is I'm mounting using 10.1.50.1 which is a virtual interface (lif0-50) created on the Netapp for vlan 50.

The actual interface (lif0) is on 10.1.20.1 (this is on vlan 1). Tcpdump says this destination is unreachable (protocol ICMP). If I try mounting using 10.1.20.1 instead (without proto=tcp), it works.

So iptables blocks 10.1.50.1 while it allows 10.1.20.1 (both without using proto=tcp option).

Any insight into this networking issue would be greatly appreciated.

Thanks.
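
An added example, not part of the thread: one way to check what post #9's tcpdump observation points at is to look for UDP replies that come back from a different address than the one the client queried, because the client's `state RELATED,ESTABLISHED` rule only matches a reply on the same address/port pair as the request. The script assumes `tcpdump -n -q` text on stdin; the client address 10.1.50.10, the ports and the capture lines are constructed.

```shell
#!/bin/sh
# Added example: flag UDP replies that arrive from a different address than
# the one the client queried. Input: `tcpdump -n -q` text on stdin (assumed).

# Constructed capture. 10.1.50.1 and 10.1.20.1 are the filer addresses from
# the thread; the client address 10.1.50.10 and every port are made up.
sample_capture() {
cat <<'EOF'
12:00:01.000100 IP 10.1.50.10.790 > 10.1.50.1.111: UDP, length 56
12:00:01.000400 IP 10.1.20.1.111 > 10.1.50.10.790: UDP, length 28
12:00:01.000450 IP 10.1.50.10 > 10.1.20.1: ICMP host 10.1.50.10 unreachable - admin prohibited, length 64
12:00:02.000100 IP 10.1.50.10.791 > 10.1.20.1.111: UDP, length 56
12:00:02.000400 IP 10.1.20.1.111 > 10.1.50.10.791: UDP, length 28
EOF
}

# find_asymmetric_replies CLIENT_IP
# Prints one line per UDP reply whose source address differs from the address
# that the matching request (same client port, same server port) was sent to.
find_asymmetric_replies() {
    awk -v client="$1" '
    # Split "a.b.c.d.port" (with optional trailing ":") into globals ip, port.
    function split_ep(ep,    n, parts) {
        sub(/:$/, "", ep)
        n = split(ep, parts, ".")
        if (n != 5) return 0            # no port field: not a UDP endpoint
        ip = parts[1] "." parts[2] "." parts[3] "." parts[4]
        port = parts[5]
        return 1
    }
    $2 == "IP" && $4 == ">" && $6 == "UDP," {
        if (!split_ep($3)) next
        sip = ip; sport = port
        if (!split_ep($5)) next
        dip = ip; dport = port
        if (sip == client) {
            asked[sport "/" dport] = dip           # who the client queried
        } else if (dip == client && ((dport "/" sport) in asked)) {
            want = asked[dport "/" sport]
            if (want != sip)                       # answered from elsewhere
                print "asked " want ":" sport " answered-by " sip ":" sport
        }
    }'
}

sample_capture | find_asymmetric_replies 10.1.50.10
```

A hit means the stateful rule treats the reply as a new flow, and in the ruleset from post #5 an unmatched UDP packet falls through to the final `REJECT ... icmp-host-prohibited` rule.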
 
  

