
Re: FW 4.1.1 - Endpoint connecting to firewall: msg#00563

sysutils.tivoli.general

Subject: Re: FW 4.1.1 - Endpoint connecting to firewall

Rodrigo and Gary, thanks for your answers.

Gary,
This is what I get when I traceroute the TMR from the
endpoint:

###############
trying to get source for 12.21.56.5
source should be 12.21.18.2
traceroute to 12.21.56.5 (12.21.56.5) from 12.21.18.2 (12.21.18.2), 30 hops max
outgoing MTU = 1500
1 12.21.18.254 (12.21.18.254) 2 ms 1 ms 1 ms # GW address
2 12.21.16.144 (12.21.16.144) 1 ms * * # FireWall Address
3 * * *
4 * * tmr01 (12.21.56.5) 4 ms # TMR Address

###############

Could it be that the firewall is configured to throw
unwanted communication attempts right back at the
sender?
We have already opened the TMR to receive incoming
connections using any highport at the Firewall, but
nothing changed.

Cheers,
Marcelo
--- Gary Hamilton <HAMILGAR-ygUJEDcBm8rQT0dZR+AlfA@xxxxxxxxxxxxxxxx> wrote:
>
> The Firewall toolkit will assist by giving you more control over the port
> usage, but this does not appear to be your problem.
>
> I just noticed that the endpoint is receiving a connection from the
> firewall. Is your firewall doing any NAT?
>
> The firewall seems to be proxying the communication that is failing and I
> can't see why this would happen normally.
>
> You may need to take some TCP traces to understand when this happens, and
> hopefully why it happens.
>
>
> Gary R. Hamilton
> Senior Software Engineer
> IBM Software Group - Tivoli Software (UK)
> Global Response Team - Europe/Middle East/Africa
> (GRT - EMEA)
> +44(0)1753-780-988
> mobile: +44(0)780-820-3714
> e-mail:hamilgar-ygUJEDcBm8rQT0dZR+AlfA@xxxxxxxxxxxxxxxx
> ____________________________________________
> AskTivoli - http://www-3.ibm.com/software/sysmgmt/products/support/
> Web PMR submission - http://www-3.ibm.com/software/support/probsub.html
>
>
> Marcelo Zacchi <tivzacchi-sJll5ZL6roY@xxxxxxxxxxxxxxxxcom>
> Sent by: owner-tme10-gDVLAvcG/0E@xxxxxxxxxxxxxxxx.us.ibm.com
> 27/04/2004 19:19
> Please respond to tme10
>
> To: tme10-XtjxT7Vmt5b1ENwx4SLHqw@xxxxxxxxxxxxxxxx
> cc:
> Subject: Re: [tme10] FW 4.1.1 - Endpoint connecting to firewall
>
> Gary,
>
> First of all thanks for such a quick response.
>
> We have set the gateway to work with the port range 5500-10000, but the
> problem is from the EP to the GW.
> I know that because when I try to distribute ITM profiles to any EP it
> actually works, but within a few minutes the EP is unavailable again.
> I am sorry Gary, but what do you mean with TFST?
>
> TIA,
> Marcelo
>
> --- Gary Hamilton <HAMILGAR-ygUJEDcBm8rQT0dZR+AlfA@xxxxxxxxxxxxxxxx> wrote:
> >
> > Have you set the port range on the gateway to control the downcalls from
> > the gateway to the endpoint?
> >
> > Have you considered using the TFST?
> >
> > You have not mentioned in your description whether you have set any oserv
> > related parameters to control the communication from the gateway side.
> >
> > Gary R. Hamilton
> > Senior Software Engineer
> > IBM Software Group - Tivoli Software (UK)
> > Global Response Team - Europe/Middle East/Africa
> > (GRT - EMEA)
> > +44(0)1753-780-988
> > mobile: +44(0)780-820-3714
> > e-mail:hamilgar-ygUJEDcBm8rQT0dZR+AlfA@xxxxxxxxxxxxxxxx
> > ____________________________________________
> > AskTivoli - http://www-3.ibm.com/software/sysmgmt/products/support/
> > Web PMR submission - http://www-3.ibm.com/software/support/probsub.html
> >
> >
> > Marcelo Zacchi <tivzacchi-sJll5ZL6roY@xxxxxxxxxxxxxxxxcom>
> > Sent by: owner-tme10-gDVLAvcG/0E@xxxxxxxxxxxxxxxx.us.ibm.com
> > 27/04/2004 18:00
> > Please respond to tme10
> >
> > To: Tivoli List <tme10-cDSMKSnYR35p8oenWFLaGw@xxxxxxxxxxxxxxxx>
> > cc:
> > Subject: [tme10] FW 4.1.1 - Endpoint connecting to firewall
> >
> > Hi List !
> >
> > I am having a big problem regarding the connection between GW/EP through
> > a firewall. The ports used are the default ones, and the firewall is
> > configured so that the ports are usable. The problem is that on most of
> > the AIX boxes I am getting this message on the lcfd.log:
> > ###########
> > Apr 27 13:09:24 Q lcfd New IPC connection from <firewall IP>+54831
> > Apr 27 13:09:24 Q lcfd Place connection 28 on queue
> > .....
> > Apr 27 13:09:25 3 MethInit argv[12]=aix4-r1
> > Apr 27 13:09:25 3 MethInit argv[13]=27
> > Apr 27 13:09:25 3 MethInit argv[14]=1786409846
> > Apr 27 13:09:25 3 MethInit argv[15]=<firewall IP>+9494
> > Apr 27 13:09:25 3 MethInit argv[16]=lcfd9495
> > Apr 27 13:09:25 Q MethInit argv: session_id=0e264bbe
> > ###########
> >
> > Since he is not able to commit this IPC connection he keeps increasing
> > 1 to the port # and trying again.
> > How do I force him to use only the GW IP and 9494 port?
> >
=== message truncated ===
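
Added example, not part of the original thread and not Tivoli code: a small checker that scans lcfd.log text for "New IPC connection from" records whose peer is not an expected gateway address, which is the symptom Gary points at when he asks about NAT. The sample records are constructed from the log format and the addresses quoted in the thread; treating the TMR address 12.21.56.5 as the expected gateway is an assumption, and the function names are hypothetical.

```python
import re

# Record shape quoted in the thread: "... lcfd New IPC connection from <ip>+<port>"
IPC_RE = re.compile(r"New IPC connection from\s+(\d{1,3}(?:\.\d{1,3}){3})\+(\d+)")
# Syslog-style timestamp that starts every real log record ("Apr 27 13:09:24 ").
TS_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")


def unwrap(text):
    """Rejoin records that a mail client wrapped onto a following line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line  # continuation of the previous record
    return records


def unexpected_peers(log_text, expected_gateways):
    """Map each peer IP not in expected_gateways to its sorted source ports."""
    peers = {}
    for record in unwrap(log_text):
        m = IPC_RE.search(record)
        if m and m.group(1) not in expected_gateways:
            peers.setdefault(m.group(1), []).append(int(m.group(2)))
    return {ip: sorted(ports) for ip, ports in peers.items()}


# Constructed sample: format and addresses taken from the thread, ports invented.
SAMPLE_LOG = """\
Apr 27 13:09:24 Q lcfd New IPC connection from
12.21.16.144+54831
Apr 27 13:09:24 Q lcfd Place connection 28 on queue
Apr 27 13:10:02 Q lcfd New IPC connection from 12.21.56.5+54840
Apr 27 13:11:24 Q lcfd New IPC connection from 12.21.16.144+54832
"""
EXPECTED_GATEWAYS = {"12.21.56.5"}  # assumption: the gateway runs on the TMR host

if __name__ == "__main__":
    for ip, ports in unexpected_peers(SAMPLE_LOG, EXPECTED_GATEWAYS).items():
        print(f"{ip}: {len(ports)} connection(s), source ports {ports}")
```

A peer that shows up here with the firewall's own address means the endpoint sees translated or proxied traffic, which is what the TCP traces suggested above would confirm.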