LinuxQuestions.org
Old 05-18-2018, 12:50 PM   #1
peterdin
LQ Newbie
 
Registered: Oct 2013
Posts: 21

Rep: Reputation: Disabled
Source port on AIX for NAS is same?


On AIX servers, for mounting NAS mount points, only 1021, 1022 and 1023 are used as source ports on more than 300 servers, while the destination port on the storage end is 2049. Is there any setting on the servers where these ports are defined for mounting NAS mount points? Has anybody faced this scenario?

Thanks
 
Old 05-23-2018, 03:23 AM   #2
NevemTeve
Senior Member
 
Registered: Oct 2011
Location: Budapest
Distribution: Debian/GNU/Linux, AIX
Posts: 4,847
Blog Entries: 1

Rep: Reputation: 1866
Well, does it cause any problem? I guess the NFS-client uses the first available privileged port starting from 1023 and going downwards: 1023, 1022, 1021...
 
Old 05-24-2018, 03:55 PM   #3
wingnut64
Member
 
Registered: Sep 2004
Distribution: AIX, RHEL, Ubuntu
Posts: 51

Rep: Reputation: 23
As an NFS client, if the nfso option 'nfs_use_reserved_ports' is set to 1, then all NFS client connections will be initiated from below port 1024. There is an NFS server-side option 'portcheck' that will only allow clients from that port range.

Check with nfso -L nfs_use_reserved_ports; see the nfso man page for details.
 
1 members found this post helpful.
Old 06-20-2018, 01:26 AM   #4
peterdin
LQ Newbie
 
Registered: Oct 2013
Posts: 21

Original Poster
Rep: Reputation: Disabled
BELOW IS THE DETAILED EXPLANATION OF THE ISSUE:-

Let me explain the scenario to you.

- There are 100 AIX clients which have a few NAS volumes mounted on them.
- These NAS volumes are created on NetApp storage.
- The AIX clients have a separate IP (called the NAS IP) for NAS volume operations.
- The NetApp storage has a LIF IP (Logical Interface).
- The destination ports on the storage for NAS communication are 2049 and 111.
- NAS communication happens between this NAS IP on the AIX clients and the LIF IP on the NetApp storage.
- There are the below settings on the AIX clients, which you can check with nfso -a:
  nfs_use_reserved_ports = 1 (use ports less than 1024)
  nfs_use_reserved_ports = 0 (use ports more than 1024)
- As per the security rule we should keep it as "1".
- However, keeping the value "0" here does resolve the NAS mounting issue, but it is not safe as per the SCD to allow NAS communication to happen between the AIX client NAS IP and the storage LIF IP on random ports.
- But when we keep 1 we face the issue, as it only takes ports 1021, 1022 and 1023 as source ports for mounting.
- Now I will explain the issue we are currently facing with the nfs_use_reserved_ports = 1 setting.

So when we keep the nfs_use_reserved_ports = 1 setting:
- The client sends a "SYN" from source port 1021 to port 2049 on the storage.
- The storage sends SYN,ACK from 2049 to port 1021.
- The client sends ACK from 1021 to port 2049 on the storage,
  so the 3-way handshake is done.
- At the end of this, the connection on the storage is established on port 1021 and is active.

Next:
- The client sends a "SYN" from source port 1022 to port 2049 on the storage.
- The storage sends SYN,ACK from 2049 to port 1022.
- The client sends ACK from 1022 to port 2049 on the storage,
  so the 3-way handshake is done.
- At the end of this, the connection on the storage is established on port 1022 and is active, and now on the storage both connections from the client, on ports 1021 and 1022, are active.

Now here comes the problem part:
Somehow (I don't know how) the connection from the client gets broken on one port, let's say 1021, and the client starts sending the SYN request on port 1021 again, BUT the information that the connection is broken does not reach the storage and it remains active on port 1021. So when the client sends the SYN request again from source port 1021, the storage responds with ACK (as the connection is already established) rather than SYN,ACK, so the firewall which sits in between the client and the storage drops this packet from the storage rather than resetting the connection. The result is that the client keeps on sending the SYN request from the same source port 1021, and we face the issue with the NAS mount points, as they don't get mounted on the clients.
But when we keep nfs_use_reserved_ports = 0 it uses random ports, and so far we have not faced any NAS issue on that client.

So my question is: how do we define specific NAS source ports on the AIX clients?

Hope you all have understood my issue now.

Let us know if you have any queries.
Thanks
 
Old 06-20-2018, 02:08 AM   #5
NevemTeve
Senior Member
 
Registered: Oct 2011
Location: Budapest
Distribution: Debian/GNU/Linux, AIX
Posts: 4,847
Blog Entries: 1

Rep: Reputation: 1866
> let's say 1021, and the client starts sending the SYN request on port 1021 again, BUT the information that the connection is broken does not reach the storage and it remains active on port 1021. So when the client sends the SYN request again from source port 1021, the storage responds with ACK

I think such an out-of-order SYN should either be answered with 'RST' or 'SYN'+'ACK' depending on the receiving partner's state: it has a table of connections represented by (local-IP, local-port, remote-IP, remote-port) tuples. If the incoming 'SYN' packet matches an existing table entry, then it should be answered with 'RST'; otherwise it is a normal connection request that should be answered with 'SYN'+'ACK'.
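Added example, not code from this thread: a small Python model of the exchange peterdin described in post #4 and of the connection-table rule NevemTeve described in post #5, so the two behaviours (storage answering a repeated SYN with ACK versus with RST, and reserved versus ephemeral source ports) can be compared side by side. It assumes the client walks the privileged ports down from 1023 (NevemTeve's guess), that the storage keeps a stale entry for the connection the client has lost, and that the firewall in between forwards only a SYN-ACK or an RST in reply to a client SYN; the names Server, Client, firewall_passes, mount and scenario are the example's own.

```python
from dataclasses import dataclass, field

@dataclass
class Server:  # NetApp side: connection table keyed on (client IP, client port, 2049)
    table: set = field(default_factory=set)
    dup_syn_reply: str = "ACK"  # observed by peterdin; NevemTeve argues it should be "RST"

    def on_syn(self, tup):
        if tup in self.table:  # the SYN matches an existing (stale) entry
            if self.dup_syn_reply == "RST":
                self.table.discard(tup)  # a reset also tears the stale entry down
            return self.dup_syn_reply
        self.table.add(tup)
        return "SYN-ACK"

def firewall_passes(reply):
    # stateful firewall between the VLANs: having just seen the client's SYN, it lets
    # only SYN-ACK or RST back for that flow; anything else is silently dropped
    return reply in ("SYN-ACK", "RST")

@dataclass
class Client:
    reserved: bool = True  # nfs_use_reserved_ports=1: privileged source ports only
    in_use: set = field(default_factory=set)
    next_eph: int = 32768  # assumed ephemeral range for nfs_use_reserved_ports=0

    def pick_port(self):
        if self.reserved:  # first free privileged port, counting down from 1023
            return next(p for p in range(1023, 0, -1) if p not in self.in_use)
        self.next_eph += 1
        return self.next_eph

def mount(client, srv, retries=2):
    """One mount attempt; returns (outcome, source port used)."""
    port = client.pick_port()
    tup = ("nas-ip", port, 2049)
    for _ in range(retries):
        reply = srv.on_syn(tup)
        if firewall_passes(reply) and reply == "SYN-ACK":
            client.in_use.add(port)
            return "mounted", port
        # a dropped ACK looks like a timeout, so the client re-sends SYN from the same
        # port; a forwarded RST fails this attempt and the next retry starts clean
    return "stuck", port

def scenario(dup_syn_reply="ACK", reserved=True):
    """Two mounts, then the first connection breaks on the client only, then a third."""
    c, s = Client(reserved), Server(dup_syn_reply=dup_syn_reply)
    first, second = mount(c, s), mount(c, s)
    c.in_use.discard(first[1])  # the client forgets it; the storage never hears about it
    return [r[0] for r in (first, second, mount(c, s))]
```

scenario("ACK") reproduces the stuck mount from post #4; scenario("RST") shows the outcome under the rule from post #5, and scenario("ACK", reserved=False) shows why random ports avoid the collision without fixing the stale entry.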
 
Old 06-20-2018, 01:04 PM   #6
peterdin
LQ Newbie
 
Registered: Oct 2013
Posts: 21

Original Poster
Rep: Reputation: Disabled
Well, we talked with Firewall team as well, but they are saying that it is the normal behavior of the firewall to drop the packets rather than sending reset.


Another plan of action to resolve this issue is:

Plan 1
Keep both the NAS IP and the storage LIF IP in the same VLAN and don't keep any firewall in between. (Currently the NAS IP and the storage LIF IP are in different VLANs with a firewall in between.)

But I would like to know:

Plan 2
What if we keep the same setup, with communication happening from random source ports on the client end to the storage LIF ports, with the firewall in between?

Which will be more secure, Plan 1 or Plan 2?


Thanks
 
Old 06-21-2018, 01:45 AM   #7
NevemTeve
Senior Member
 
Registered: Oct 2011
Location: Budapest
Distribution: Debian/GNU/Linux, AIX
Posts: 4,847
Blog Entries: 1

Rep: Reputation: 1866
> Well, we talked with Firewall team as well, but they are saying that it is the normal behavior of the firewall to drop the packets rather than sending reset.

That's cool. I had issues with people like them, too (it was IBM MQS, but the same problem: a Cisco PIX decided to abort the connection -- without telling it to the end-points). I think you should use some keep-alive feature; NFS might have its own keep-alive options, also there is TCP_KEEPALIVE -- its default time-interval is two hours but can be modified (globally, mind you) with utility /usr/bin/no
 