syangloo

asked on

Urgent! Port does not allow other range of network IPs to connect?

Dear All,

I'm using port number 1414 on a UNIX server for another server application's (MQ Series) connection. Previously it worked for a different range of IPs (that means the AS/400 server MQ could connect to the UNIX MQ on port number 1414), but since the first week of this month it does not allow servers in the other IP range to connect to the port at the UNIX server. Other servers in the 172 range of IPs can still connect to the UNIX server (that means other servers in the 172 IP range can connect to port 1414).

AS/400 server with IP 128.x.xxx.xx
UNIX Server with 172.xx.x.xx

Below is the error log from broker server at /var/adm/syslog

Oct 3 14:56:12 eai_prod inetd[29899]: MQSeries/tcp: Access denied for
cc_prod (128.X.XXX.XXX) at Fri Oct 3 14:56:12 2003
Oct 3 14:57:12 eai_prod inetd[29899]: MQSeries/tcp: Access denied for
cc_prod (128.X.XXX.XXX) at Fri Oct 3 14:57:12 2003
Oct 3 14:58:13 eai_prod inetd[29899]: MQSeries/tcp: Access denied for
cc_prod (128.X.XXX.XXX) at Fri Oct 3 14:58:13 2003
Oct 3 14:59:13 eai_prod inetd[29899]: MQSeries/tcp: Access denied for
cc_prod (128.X.XXX.XXX) at Fri Oct 3 14:59:13 2003
Oct 3 15:04:16 eai_prod inetd[29899]: MQSeries/tcp: Access denied for
cc_prod (128.X.XXX.XXX) at Fri Oct 3 15:04:16 2003
Oct 3 15:04:35 eai_prod inetd[29899]: MQSeries/tcp: Access denied for
cc_prod (128.X.XXX.XXX) at Fri Oct 3 15:04:35 2003
Oct 3 15:06:14 eai_prod inetd[29899]: MQSeries/tcp: Access denied for
cc_prod (128.X.XXX.XXX) at Fri Oct 3 15:06:14 2003

At the AS/400 I tried to ping the channel via the wrkmqm -> channel menu, and I get the error message below:

Additional Message Information

Message ID . . . . . . : AMQ9208 Severity . . . . . . . : 30
Message type . . . . . : Diagnostic
Date sent . . . . . . : 03/10/03 Time sent . . . . . . : 18:47:44

Message . . . . : Error on receive from host EAI_PROD (172.xx.x.xx).
Cause . . . . . : An error occurred receiving data from EAI_PROD
(172.xx.x.xx) over TCP/IP. This may be due to a communications failure.
Recovery . . . : The return code from the TCP/IP (read) call was 3426
(X'X'00000D62''). Record these values and tell the systems administrator.

Previously my PC was in the 172 range of IPs, but after the network segmentation of our LAN my PC's IP changed to the 130 range, and now I face the same problem as the AS/400 server: I can't connect to the queue manager on port number 1414.

I have been discussing this with my network support; they say the IP settings in the Server Room have not changed (the AS/400 and UNIX server are in the server room).

I have tried stopping and starting the inetd service at the UNIX server, but the result is still the same. But the AS/400 queue manager can connect to the queue manager at the UNIX server with other port numbers like 1415 (same as my PC).

What is the cause of this problem, and are there any other solutions or settings I need to check with my network support?

Regards
Syangloo
jmcg

Do I understand that prior to this problem, both systems were in networks starting with 172.xxx.xxx.xxx? It was after the AS/400 system was reassigned to a 128.xxx.xxx.xxx address that the problem started?

According to the syslog entries you've shown, it's inetd that is denying access. There are a number of rather different versions of inetd around, but one common form implements a rudimentary type of firewall protection called TCP wrappers. The usual configuration file for these wrappers is in the file /etc/hosts.allow.

Therefore, the next things you might want to check are whether there is a -w flag on your inetd process, whether tcpd is specified for handling port 1414 in the file /etc/inetd.conf, and what the configuration for that service is in /etc/hosts.allow. You may need an additional entry in /etc/hosts.allow to permit access by the host at 128.xxx.xxx.xxx.
syangloo

ASKER

Dear jmcg,

Before this problem happened the AS/400 IP was 128.xx.xxx.xxx and it worked fine with the port.

In the hosts file we also included the 128.xxx.xxx.xxx IP address at an early stage. The AS/400 can ping the 128 IP address.

Currently I configure port 1414 in inetd.conf, and just run the MQ command for the queue manager to listen on port 1414 only.

How do I check the -w flag on the inetd process? If I grep the inetd process it shows the info below:
ps004101  8833  6711  1 10:43:06 pts/1     0:00 grep inetd
    root 11394     1  0  Oct 19  ?         0:00 /usr/sbin/inetd -l
Is this what you want me to check? Sorry, I am not a network expert.

What is your next suggestion?

Thank you for looking into my problem.

Regards
Syangloo
Well, I know nothing about AS/400, so we're not necessarily going to be able to find out the problem between us; we'll just have to give it our best try.

It looks like the only flag your inetd is running with is a logging flag. I probably now need to ask what flavor and version of UNIX you are running.

Can you show me the line in inetd.conf that sets up services on port 1414?

Can you check to see if there is a file named /etc/hosts.allow that includes configuration lines for the MQseries service? Can you show me the relevant lines, if there are any?


Dear jmcg

We have not set any MQ services in the hosts file, but we did in the services file.

I have not set port 1414 in inetd.conf yet; below is the setting for port 1600.

In Services file
MQSeries   1600/tcp   #MQSeries prod port listener

In inetd.conf for MQ
MQSeries stream tcp nowait mqm /opt/mqm/bin/amqcrsta amqcrsta -m QM.BK.KL.001

I can't find the hosts.allow file in the etc directory. I can only find the hosts file, with the info below.
-rwxr-xr-x   1 root       sys           1331 Oct 22 09:33 /etc/hosts

$ model
9000/800/N4000-75

regards
syangloo
ASKER CERTIFIED SOLUTION
jmcg

Yes, I got the file. It has been amended by someone. I'll check it out first.

Regards
Syangloo
Dear jmcg,

I have added the AS/400 IP address into the file, and now MQ can connect to the UNIX server via port 1600.

Now my question is: I can't see the other servers' IP addresses in the inetd.sec file, but the other servers can still connect to the port.

What IP address we need to add into this file?
Do we need to include all the servers?
Can it set for the range of IP?
Without setting the IP address in the file, can other servers connect to this UNIX server via 1600?

In the UAT UNIX server, the inetd.sec is not specifying any IP address for MQSeries, and there is no MQSERIES entry in the file either.
In the Development UNIX server, it just specifies MQSERIES allow, MQSERIES1 allow and MQSERIES2 allow only.

Does that mean that if we do not specify any IP address in the inetd.sec file, any server can connect via the port defined in the services file?

I need some expert advice on this issue before we make any changes.

Regards
Loo
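As an added illustration (my own code, not from this thread and not HP-UX's implementation), the following models how an inetd.sec-style allow/deny list is evaluated and how the "Access denied" syslog lines seen at the top of the thread can be summarised for monitoring. The matching rules follow my reading of the documented inetd.sec format (one line per service: service name, allow or deny, then address patterns with a per-octet `*` wildcard or `a-b` range; a service with no entry is open to all hosts; a short pattern such as `10.3-5.*` is padded with `*`), and every one of those rules is an assumption to verify against the manpage on the server in question. The sample file, addresses and log lines are constructed; only dotted-quad addresses are handled, not host names.

```python
"""Model of inetd.sec-style access control plus a parser for inetd
'Access denied' syslog lines. Constructed example; the matching rules
follow my reading of the HP-UX inetd.sec(4) format and are assumptions."""
import re
from collections import Counter

# Constructed sample file (not from any real server). Documented shape:
#   <service> <allow|deny> <address patterns ...>
# '*' matches a whole octet, 'a-b' matches an octet range.
SAMPLE_INETD_SEC = """\
# constructed sample inetd.sec
MQSeries   allow   172.16.*  128.10.20.30
MQSeries1  deny    10.0.0.5 10.0.0.6
telnet     allow   172.16.1.1-20
"""

# Constructed syslog lines in the shape inetd writes (one line each;
# the thread's copy is merely wrapped for display).
SAMPLE_SYSLOG = """\
Oct 3 14:56:12 eai_prod inetd[29899]: MQSeries/tcp: Access denied for cc_prod (128.10.20.30) at Fri Oct 3 14:56:12 2003
Oct 3 14:57:12 eai_prod inetd[29899]: MQSeries/tcp: Access denied for cc_prod (128.10.20.30) at Fri Oct 3 14:57:12 2003
Oct 3 15:01:00 eai_prod inetd[29899]: telnet/tcp: Access denied for ws42 (130.5.6.7) at Fri Oct 3 15:01:00 2003
"""


def parse_inetd_sec(text):
    """Return {service: (action, [patterns])}. A later line for the same
    service replaces an earlier one (assumption about the real format)."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or parts[1].lower() not in ("allow", "deny"):
            raise ValueError(f"malformed inetd.sec line: {raw!r}")
        rules[parts[0]] = (parts[1].lower(), parts[2:])
    return rules


def _octet_matches(pattern, value):
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = pattern.split("-", 1)
        return int(lo) <= value <= int(hi)
    return int(pattern) == value


def address_matches(pattern, address):
    """Compare a dotted pattern octet by octet; a pattern shorter than
    four octets is padded with '*' (assumption, e.g. '10.3-5.*')."""
    pparts = pattern.split(".")
    pparts += ["*"] * (4 - len(pparts))
    aparts = [int(x) for x in address.split(".")]
    return all(_octet_matches(p, a) for p, a in zip(pparts, aparts))


def is_permitted(rules, service, address):
    """No entry for the service: every host is permitted.
    'allow': only the listed hosts get in. 'deny': only the listed hosts are refused."""
    if service not in rules:
        return True
    action, patterns = rules[service]
    hit = any(address_matches(p, address) for p in patterns)
    return hit if action == "allow" else not hit


DENIED_RE = re.compile(
    r"inetd\[\d+\]: (?P<service>\S+)/tcp: Access denied for "
    r"(?P<host>\S+) \((?P<ip>[\d.]+)\)"
)


def summarize_denials(log_text):
    """Count denied connection attempts per (service, source ip), the view a
    defender wants when a legitimate peer suddenly starts being refused."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            counts[(m["service"], m["ip"])] += 1
    return counts


if __name__ == "__main__":
    rules = parse_inetd_sec(SAMPLE_INETD_SEC)
    checks = [("MQSeries", "172.16.4.9"), ("MQSeries", "128.10.20.30"),
              ("MQSeries", "130.1.1.1"), ("MQSeries2", "130.1.1.1"),
              ("MQSeries1", "10.0.0.5"), ("telnet", "172.16.1.25")]
    for svc, ip in checks:
        verdict = "allow" if is_permitted(rules, svc, ip) else "deny"
        print(f"{svc:10} {ip:15} -> {verdict}")
    for (svc, ip), n in summarize_denials(SAMPLE_SYSLOG).items():
        print(f"{n} denied attempt(s) on {svc} from {ip}")
```

Under these rules the constructed `MQSeries allow 172.16.* 128.10.20.30` line lets the 172.16 network and one 128 host in and refuses a 130 client, while a service absent from the file (`MQSeries2` here) accepts anyone; the denial counter turns the raw syslog entries into a per-source tally that is easy to alert on.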
I'm afraid I may not be sufficiently expert in how HP-UX interprets its inetd.sec file to give you a reliable answer; as I said, I've never worked with this particular aspect of that OS. All I would be doing is reading the inetd.sec manpage from the accessible documentation.
Thanks jmcg
jmcg,

Do you have experience wrapping the amqcrsta process in inetd.conf? We are attempting this on an AIX queue manager and we cannot get the channel to start after wrapping. We have added the appropriate IP address into hosts.allow. Following is the line from the inetd.conf file:

MQSeries        stream tcp      nowait mqm      /usr/local/sbin/tcpd    /usr/lpp/mqm/bin/amqcrsta amqcrsta -m NAERPT03

If you have any comments or suggestions I would appreciate it.

Thanks,

Rendron
Sorry, I've no relevant experience. Try asking as a new question, though. That way, you'll get the attention of all the experts.