Latency across a firewall

We have determined that a delay of > 10 ms across a firewall causes problems with cluster members joining etc... Are there settings that can be tuned/changed to allow for this type of latency across a firewall?
     Thanks...
     Tom :-)

Tom,
     What you see is not a breakdown in clustering protocol, but a partial communication failure in your environment, specifically in the TcpRing, which is one of the (optional) methods of node death detection.
     It looks like Solaris times-out an open TcpSocket used by the TcpRing after 7 hours of normal operation in your environment. Coherence attempts to reconnect four times in-a-row (as specified in the tangosol-coherence.xml) and terminates the cluster service after the last attempt fails, after which the cluster service is automatically restarted.
     I would recommend either finding out how to control the timeout value or disabling the TcpRing.
     Regards,
     Gene

Similar Messages

  • NFS across a firewall

    We're currently running a Solaris 9 server hosting a data repository volume presented via NFS. Unfortunately, we now have a firewall between the server and the primary client subnet. After some frustration at trying to grant access, I've found that mountd in NFSv3 is, to put it mildly, a problem for NFS mounting across a firewall. Since it chooses a random high port, the only obvious solution is to open a very large high port range to this server.
    As a potential way of avoiding this, I have two questions:
    1) Is there any way at all to set the NFSv3 version of mountd to listen on a designated static port?
    2) Failing that, is there an NFSv4 package or source available for Solaris 9? Since it's been revamped to only require ports 111/tcp,udp and 2049/tcp,udp, it would also solve this problem.

    After a bit more digging, WebNFS appears to be the answer to question 1. By setting the share option as public in dfstab and issuing the mount command as "mount nfs://<server>:/<path> /<localpath>", a snoop shows the traffic is all passed on port 2049. Haven't implemented it yet to test this though.

  • Socks proxy call from a weblogic server across the firewall to an external program

    Hi,
    From our weblogic server, we are trying to connect to an external
    program outside our firewall through SSL. The SSL connection is being
    tunneled through a socks proxy in the DMZ. (We have not yet made it
    work so far. Currently, we are trying to make it work)
    From the weblogic bean, we are doing the following
    System.setProperty("socksProxySet", "true");
    System.setProperty("socksProxyHost", "w.x.y.z");
    System.setProperty("socksProxyPort", "1080");
    Note that the weblogic bean is the initiator of the connection and it talks
    to a program outside our firewall.
    My question is, will this kind of system level setting in the weblogic
    server have any negative impact? This is because, RMI is over sockets
    and weblogic might be talking to its internal components through
    sockets.
    Is it advisable to have such a socks-related setting at the weblogic bean
    level?
    thanks,
    jas.
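
The `socksProxyHost`/`socksProxyPort` system properties in the question above apply to every TCP socket the JVM opens, not only the bean's. One way to limit the proxy to the external endpoint is a destination-based `ProxySelector`, which sees plain sockets as `socket://host:port` URIs. This is an added example, not code from the thread; the class name and all host names other than the post's `w.x.y.z` placeholder are hypothetical, and Java 7 or later is assumed.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.SocketAddress;
import java.net.URI;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/** Added example: send only named external hosts through the SOCKS proxy. */
public class ScopedSocksSelector extends ProxySelector {
    private static final List<Proxy> DIRECT = Collections.singletonList(Proxy.NO_PROXY);
    private final Set<String> proxiedHosts = new HashSet<>();
    private final List<Proxy> viaSocks;

    public ScopedSocksSelector(String socksHost, int socksPort, String... externalHosts) {
        // Unresolved on purpose: the proxy name is looked up at connect time.
        Proxy socks = new Proxy(Proxy.Type.SOCKS,
                InetSocketAddress.createUnresolved(socksHost, socksPort));
        this.viaSocks = Collections.singletonList(socks);
        for (String h : externalHosts) {
            proxiedHosts.add(h.toLowerCase(Locale.ROOT));
        }
    }

    @Override
    public List<Proxy> select(URI uri) {
        if (uri == null) {
            throw new IllegalArgumentException("uri must not be null");
        }
        String host = uri.getHost();
        // Exact-match allow-list: anything not listed (cluster, RMI, JDBC) stays direct.
        if (host != null && proxiedHosts.contains(host.toLowerCase(Locale.ROOT))) {
            return viaSocks;
        }
        return DIRECT;
    }

    @Override
    public void connectFailed(URI uri, SocketAddress sa, IOException ioe) {
        // The proxied list has no direct entry, so a proxy outage fails the
        // connection instead of silently bypassing the DMZ proxy.
        System.err.println("SOCKS proxy " + sa + " failed for " + uri + ": " + ioe);
    }

    public static void main(String[] args) {
        // Constructed values: proxy address as written in the post, hypothetical hosts.
        ScopedSocksSelector selector =
                new ScopedSocksSelector("w.x.y.z", 1080, "partner.example.com");
        // Installed once at startup, in place of the socksProxy* system properties.
        ProxySelector.setDefault(selector);

        String[] samples = {
            "socket://partner.example.com:443",         // external program, via the proxy
            "socket://managed1.internal.example:7001",  // constructed cluster peer
            "socket://db.internal.example:1521"         // constructed database listener
        };
        for (String s : samples) {
            System.out.println(s + " -> " + selector.select(URI.create(s)));
        }
    }
}
```

Sockets created by `SSLSocketFactory.createSocket(host, port)` consult the same default selector, so the SSL connection to the listed host is tunneled while internal traffic connects directly.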


  • Clustering across a firewall

    Hi,
    Would like to know what protocol can be used thru a firewall when the web server
    acts as a front end. Is it t3, if so can t3 cross firewalls, I assume it needs
    to be tunneled using http.
    Anil

    Open the ports. Tunneling would be pointless for this exercise.
    Peace,
    Cameron Purdy
    Tangosol, Inc.
    http://www.tangosol.com/coherence.jsp
    Tangosol Coherence: Clustered Replicated Cache for Weblogic
    "Anil Jacob" <[email protected]> wrote in message
    news:[email protected]..
    >
    > Hi,
    > Would like to know what protocol can be used thru a firewall when the web server
    > acts as a front end. Is it t3, if so can t3 cross firewalls, I assume it needs
    > to be tunneled using http.
    >
    > Anil

  • VLAN Tagging across from firewall to 2 SG-300 52 Switches

    I need some assistance in setting up VLANs (802.1Q) across two switches. I want the same 2 VLANs on both switches; how do I configure them to be connected and pass both VLANs' traffic?
    My setup
    Internet - Firewall - Switch1 - Switch2
    VLANs from firewall are tagged at 3 and 8. Single port out from the firewall.
    The first switch is simple enough: the port is connected at port 52 and configured for both VLANs, then the individual ports are either on one or the other. The question is how do I connect the second switch so that it can also do both VLANs. Assume I connect switch1 at port 51 to switch 2 port 52. Do I configure both ports to be on the same VLANs, or do I set up LAGs? All too confusing.

    You have already done the confusing part, sounds like you got the hang of it rather quickly. Now all you need to do is set the individual ports which you will be using to connect the switches. Since you only have 2 VLANs then I will guess that VLAN 1 is one of the two, which leaves you with the only ability of tagging the other VLAN.
    So, switch1 interface 51 switchport trunk allow vlan 1 vlan 2 --- tag vlan 2
    Then, switch 2 interface 52 switchport trunk allow vlan 1 vlan 2 -- tag vlan 2
    Note that we are not tagging VLAN 1 which by default is the native VLAN.
    Good Luck!

  • Frame latency across VPLS

    Hi all,
    What should be a normal round trip time (ping between the end hosts) for a 64 byte Ethernet frame crossing the VPLS cloud? VPLS cloud is built on two ASR9000 in the core and two ME3600x as the PE routers. The core is using 10G links, PE are using 1G. There is QoS implemented in the network, but no frames are being dropped.
    Should it be in microseconds or a few milliseconds?
    Best regards,
    Krzysztof

    Minimum round trip time would depend on physical distance (about 5 us per km), number of hops, and bandwidth of links (the latter two determine serialization delay, per hop - e.g. 64 bytes takes .5 us at gig).

  • "Save As" to Enterprise across firewall

    Hi All,
    I am trying to save a report from Crystal Reports Designer into an Enterprise folder. The server is in a different network and I had to request the Network team to open up the port 6400 on the Crystal Server machine. But I am still getting "Connection Error". Is there any other port that I should open up if I want to use this functionality? I am using CR XI r2.
    Appreciate your help,
    Thanks
    Ajith

    Ajith,
      Business Objects Enterprise reserves ports 6400 - 6410 by default.  Though the CMS may run on 6400, there are other ports involved depending on the activity being performed.  It is absolutely possible to assign which ports are used by the product.
      Below are steps for assigning ports to work from client side applications (such as the designer) to reach through a firewall to the Enterprise server. However, it is likely you can avoid the steps below if you allow bi-directional access to the ports 6400 - 6404.
    Configuring desktop products across a firewall
    This section explains how to configure desktop products such as Desktop
    Intelligence and Designer across a firewall.
    To specify the request ports for BusinessObjects Enterprise
    1. Go to the CCM and stop the CMS.
    2. Right-click on the CMS, and then select Properties.
    3. Add the following entry at the end of the command field:
    -port <FQDN>:6400 -requestport 6401
    4. Click OK, and then restart the CMS.
    5. Repeat steps 1 through 4 for the Input FRS but add this entry to the
    Command field:
    -port <FQDN> -requestport 6402
    6. Repeat steps 1 through 4 for the Output FRS but add this entry to the
    Command field:
    -port <FQDN> -requestport 6403
    Note:
    • Replace FQDN with the fully qualified domain name of the server running
    your BusinessObjects Enterprise servers.
    • You can use different ports than in the previous examples. However, it is
    not recommended you use port 6400 except as is shown in the example
    since port 6400 is the default port number for the CMS.
    To make the required changes on the firewall
    1. Go to the area where you specify ports in your firewall software.
    Note: Consult your specific firewall documentation for details.
    2. Open the following TCP BI-Directional ports between the server running
    your BusinessObjects Enterprise servers and the desktop:
    • 6400
    • 6401
    • 6402
    • 6403
    3. Save your changes.
    Tony

  • Can JMQ 2.0 work through a firewall?

    We are interested in using JMQ for B2B communication for messages to be sent
    through firewalls from one enterprise to another. Does JMQ 1.1 support this or
    does JMQ 2.0? If JMQ 2.0 is the only option, can you please specify when it
    will be released, as of now it is only in beta version? I would appreciate your
    prompt response as we are in the process of evaluating each vendor.

    JMQ 1.1 only supports a TCP based transport, and could only work across a firewall
    if that fiewall was specially configured to let the communication through. JMQ 2.0
    will support use of HTTP as a transport, and this will eliminate the need for
    special administration for any firewall that will naturally allow HTTP through. JMQ
    2.0 is in Beta now, and is scheduled to be available as an FCS product early in
    Q2CY01.

  • High latency causing problems... and frustration w...

    I have a femtocell that requires the latency on any single hop on the internet to be less than 240ms, any longer than this and it drops my phone call. On contacting the supplier of the femtocell, they asked me to use Traceroute to see how long the path to a server was (I used Google.com) and many of the hops were over 240ms, some as long as 4922ms.
    On scanning this forum, there are other users out there (mostly gamers) who are suffering from latency problems. Has anyone had any success resolving the problem? I can send copies of the Traceroute outputs that clearly show high latency between routers with addresses such as interconnect2-gig1-0.manchester.fixed.bt.net, core2-pos0-6-1-0.ealing.ukcore.bt.net and core4te-0-7-0-0.telehouse.ukcore.bt.net, to anyone that may be able to help.
    The best I've so far had from BT is that:
    - It's a problem with the femtocell supplier: no, the supplier requested from ISPs their longest expected latency prior to releasing the femtocell and set the timeout to be equal to this
    - It's a problem with my Mac mail: the fact that I use a Mac has absolutely nothing to do with network latency
    - There's interference between my mobile phone and my wireless: this isn't the case (I'm a wireless communications engineer by background) and, if it was, almost no-one would be able to use mobile phones given the number of wireless access points in homes and offices.
    Every time I get a call from the call centre it's someone different, who doesn't understand the problem, doesn't know what a femtocell is and hasn't read the notes which clearly state that I want to be called on my mobile, not on my home phone. It's looking like my best option may be to try to find another ISP who doesn't have this problem.

    I think you have the result of what is maybe a 2 fold issue.
    Femtocell technology is still a relatively new technology as you'll know from your job.
    If you think about the security issues of running a femtocell, that's to say what it actually has to fulfil,
    Security for femtocell networks spans several distinct requirements. The service provider must authenticate users as they arrive on the network. The RF link between the handset and the femtocell must be secured for both user and control plane traffic. And lastly, the mobile network traffic must be placed into a virtual private network as it traverses the wired ISP network to ensure that the traffic is protected while transiting this public network and only authorized users can forward traffic to the mobile operator's network.
    There is however one very important element of femtocell security which makes the implementation significantly more complex. This relates to latency as you say, which must be carefully managed especially for applications such as VoIP/SIP. Compounding this challenge is the unknown nature of the latency across the ISP network, which has resulted in service providers requiring latency in the femtocell to be minimized, as you say.
    If you add to that the fact that the BT broadband system is based on an algorithm packet handled system to ensure data quality across maybe noisy telephone lines, it all compounds to add to the problems of the running of the femtocell.
    In other words if you have a highly error corrected and interleaved broadband line, it's not going to help the femtocell out by adding additional latency to what is already a fairly complicated situation where data handling is concerned....

  • Configuring SunScreen Firewall on Solaris 8

    Hi,
    I'm trying to configure SunScreen Firewall on Solaris 8 and I would like to know what "tcp/ip high ports" is. And I have to configure NAT also on the same machine so that a few of the machines behind the firewall can
    communicate to the Server host in front of the firewall. And currently I have the configuration like this.
    -- Firewall is configured with single policy
    --And the Rules are added correctly for NAT.
    And after the policy is verified successfully, the communication is across the Firewall. But after this
    following rules are added to configure tcp/ip high ports.(not sure about the service).
    -- The rules are configured like this.
    edit> add rule common localhost * ALLOW COMMENT "Allow firewall access out"
    edit> add rule tcp-high-ports hme0.net * ALLOW
    edit> add rule udp-high-ports hme0.net * ALLOW
    Now I'm unable to communicate to the server in front of the Firewall after the policy is activated successfully.
    I would appreciate if someone can help me on this.
    Thanks,
    Mullapudi

    HI,
    i don't know sunscreen, but i can tell you that high-ports are ports above 1023.
    J

  • XI server ports on firewall

    Hi
    I am accessing the XI server which is behind a firewall. I have opened the XI server ports 3200,3300,3600 and 50000 in the firewall. But i am unable to access even the portal page(SXMB_IFR). We need to know what are all the ports we need to open in the firewall to get access for XI server.
    Regards
    Anandan

    Hi -
    When I mentioned "Integration Builder tools", this includes the Integration Repository and the Integration Directory.  You need this same port to use the J2EE Visual Admin tool.
    If you require FTP connections across the firewall (e.g. using FTP adapter), you'll need to take that into consideration.  At least ports 20 and 21 for the command and data port, possibly others depending on whether you use FTP in active or passive mode.  For XI on SP14 and below, only passive ftp connections are supported.  SP15 on supports active.
    Regards,
    Jin

  • Flash Chart Performance Problem behind Firewall

    I am running into an issue with running Flash based charts behind a firewall.
    Database: 11.1.0.6
    Apex: 3.1.2.00.02 (Using Oracle HTTP Server via Oracle Application Server)
    Flash: 3.1.2.00.02
    I have a page that displays a 2D Line graph with three data series. When I run the report directly against my app server (URL: http://ecydblcyorwq06/public/f?p=128:11
    where ecydblcyorwq06 is my app server) the chart displays just fine. In
    order for the public to access this page they must go through our
    firewall called fortress. So they start by accessing the system from https://fortress.wa.gov/ecy/wplcsreports/, which then maps to my application (128:1). The URL becomes https://fortress.wa.gov/ecy/wplcsreports/public/f?p=128:1.
    When I try to run the chart through fortress it never renders. I just
    get the "Loading Data...Please Wait" progress bar. The progress bar
    moves very slowly and never returns the chart.
    My dads.conf looks like
    <Location /public>
    SetHandler                  pls_handler
    Order                       deny,allow
    Allow                       from all
    AllowOverride                  None
    PlsqlDatabaseUsername        APEX_PUBLIC_USER
    PlsqlDatabasePassword         xxxxxxxx
    PlsqlDatabaseConnectString  database_server:1521:my_sid     SIDFormat
    PlsqlAuthenticationMode       Basic
    PlsqlDefaultPage                  f?p=wplcs_online:permit_search
    PlsqlDocumentTablename     wwv_flow_file_objects$
    PlsqlDocumentPath             docs
    PlsqlDocumentProcedure     wwv_flow_file_mgr.process_download
    PlsqlNLSLanguage            AMERICAN_AMERICA.AL32UTF8
    </Location>
    My Apache httpd.conf file looks like:
    <VirtualHost *>
    ServerName wplcsreports
    RewriteEngine On
    RewriteRule ^/$ /public/f?p=wplcs_online:permit_search [R]
    DocumentRoot /www/pls/apex
    #RewriteLog "E:\product\10.1.3.1\OracleAS_1\Apache\Apache\logs\rewrite.log"
    #RewriteLogLevel 9
    Port 80
    </VirtualHost>
    The Apache access logs have a couple entries like this:
    198.239.146.15 - - --30/Sep/2008:10:49:30 -0700-- "GET /i/flashchart/2DLine.swf?XMLFile=http://wplcsreports/public/apex_util.flash?p=128:11:5145826667904515:FLOW_FLASH_CHART_R4278912739418628_en-us HTTP/1.1" 304 -
    198.239.146.15 - - --30/Sep/2008:10:59:02 -0700-- "GET /i/flashchart/2DLine.swf?XMLFile=http://wplcsreports/public/apex_util.flash?p=128:11:761140423223754:FLOW_FLASH_CHART_R4278912739418628_en-us HTTP/1.1" 200 80216
    Is there something that I need to do from the configuration standpoint
    to make the chart work across the firewall? Do I need to do something
    with the Virtual host definition so that the XML file works properly?
    Tony

    Alright, I have modified my DAD to include the following line:
    PlsqlCGIEnvironmentList HTTP_HOST=fortress.wa.gov/ecy/wplcsreports:80
    I restarted the OHS and now I get an XML error in the chart region.
    XML Loading Failed: http://fortress.wa.gov/ecy/wplcsreports/public/apex_util.flash?p=128:11:......
    The thing I noticed here is that the failed URL is not HTTPS, but HTTP instead. I am guessing this is the current problem. So I went back to my httpd.conf file and tried to add the request_method directive to my virtual host definition, but this just caused the OHS restart to fail.
    httpd.conf
    <VirtualHost *>
    ServerName wplcsreports
    RewriteEngine On
    RewriteRule ^/$ /public/f?p=wplcs_online:permit_search [R]
    DocumentRoot /www/pls/apex
    #RewriteCond %{REQUEST_METHOD} ^TRACE
    Port 80
    </VirtualHost>
    So how do I force the XML file loading to be under the HTTPS protocol?
    Tony

  • Cisco Transparent firewall and cisco switch issues.

    Dears,
    I have a very plain scenario
     LAN cisco switch <2 vlans>  ----------> cisco transparent firewall with bvi interface ------------>  crypto box ---------> cisco router ------ <remote/other site>
    i have vlan 61 configured on bvi interface of firewall, crypto box and also on the switch port and vlan of 61 is up up .
    The issue is i can connect remotely to cisco transparent firewall but cannot ping or connect to cisco switch. ???????????
    Need to know some troubleshooting tips and basic settings that I need to verify. I simply want the LAN switch with 2 VLANs to pass through the cisco transparent firewall and go to the other site/remote site.

    Well,
    I have put the inspection icmp turned on for the sessions, and the version I am using is 9.1.
    Moreover, I have put up the ACLs for inbound and outbound traffic, and while I ping across the firewall from the inside interface towards the outside interface PC, I can see packet counts increasing on the ACL during the show access-list command.
    i have requested the client to verify his part. do let me know further tips if you have any.
    [ moreover we cannot try to use packet-tracer from cli in transparent mode ]

  • Windows server firewall blocking active directory authentication?

    I'm having problems with authenticating macs on our windows 2003 server domain. When windows firewall is activated, mac clients(10.4) can no longer login. I've tried opening a number of ports e.g.TCP/UDP 53. UDP 464. but no luck. Any ideas which ports are necessary for the AD plugin to work properly?
    Thanks.
    macpro   Mac OS X (10.4.8)   1gb ram

    Why are you enabling Windows firewall on a domain controller?
    My recommendation is to turn it off and protect your entire site with a hardware firewall. The ports you need to open up are the very ones you should be blocking from the world to prevent attacks.
    Short of that:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&displaylang=en
    User Login and Authentication
    A user network logon across a firewall uses the following:
    • Microsoft-DS traffic (445/tcp, 445/udp)
    • Kerberos authentication protocol (88/tcp, 88/udp)
    • Lightweight Directory Access Protocol (LDAP) ping (389/udp)
    • Domain Name System (DNS) (53/tcp, 53/udp)
    Computer Login and Authentication
    A computer logon to a domain controller uses the following:
    • Microsoft-DS traffic (445/tcp, 445/udp)
    • Kerberos authentication protocol (88/tcp, 88/udp)
    • LDAP ping (389/udp)
    • DNS (53/tcp, 53/udp)
    Access File Resource
    File access uses SMB over IP (445/tcp, 445/udp).
    Perform a DNS Lookup
    To perform a DNS lookup across a firewall ports 53/tcp and 53/udp must be open. DNS is used for name resolution and supports other services such as the domain controller locator
    ...

  • RMI across a firewall

    Does anyone have any experience with trying to get RMI to work across the firewall? If so what ports do I need to open to transfer data down and any problems you have had.
    thanks.

    The standard RMI Port is 1099, you'll need to open that up. I have used some crazy "not exactly endorsed by Sun" thing that did RMI over HTTP, but I am not even sure you can get that now. A google search might turn something up.
    Hope that helped
    Lee
