[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 801
  • Last Modified:

Broadcast on port 224

hi there,

i hav recently setup a Netware 6.5 cluster consisting of 2 machines.. for testing.

All seems to be working ok although my firewall has now started to indicate a broadcast from one of the nodes on Port 224 that occurs every 60 seconds.

If it was a keepalive between the nodes i would have expected it much more often. It wouldnt bother me but its really filling up my logs and the firewall is also indicating it as Malformed or unhandled.

any ideas what this is?
0
huziy
Asked:
huziy
  • 3
  • 3
  • 3
  • +1
1 Solution
 
PsiCopCommented:
Hmmm.... I think the default Heartbeat interval is 2 seconds, not 60.

SPX used to broadcast every 60 seconds...but that's an IPX-based protocol, not IP.

Is the server generating this traffic an SLP DA? Is it a timeserver? What other services does it run?

When the clustered Resource migrates, does the source of the broadcasts change?
0
 
dotENGCommented:
I would go with PsiCop, maybe it's the SLP multicast on target address (not port) 224.x.x.x
Try sniffing with "MS Network Monitor", post your result.
0
 
ShineOnCommented:
Yes, there's a difference between "broadcast on port 224" and multicast, which uses the 224 "network."  

TCP/UDP Port 224 is a "well-known port" for "masqdialer" which is a *nix thing for "remote control of masqueraded dialup links."  I don't think NetWare uses it for anything.
0
Upgrade your Question Security!

Add Premium security features to your question to ensure its privacy or anonymity. Learn more about your ability to control Question Security today.

 
huziyAuthor Commented:
hi there..

ok.. i loaded up our network monitoring software and i can see a broadcast from this server on port 224 every 1 secs.. so this obviously is the heartbeat.

I restarted the server that held the master IP address for the cluster (the one sending out these broadcasts) and obviously the other node took on this heartbeat role... This server then also started to show up in the firewall..!

I will need to get onto Sonicwall to determine how to filter just this broadcast out of my logs..
0
 
ShineOnCommented:
I wouldn't think a "heartbeat" between cluster nodes would be broadcast, and the default cluster port is 7023, unless you changed it to 224 when you installed cluster services.  Since you aren't aware of having set the cluster port to 224, then I'd say it's not so "obviously" the heartbeat/keepalive.

Are you absolutely certain that you're seeing a broadcast on port 224, and not a multicast?  SLP SA's (Server Agent) belong to  multicast group address 224.0.1.22 - is that what you're seeing?  When an SA or UA first starts up (and each server automatically has both) it will multicast looking for services.  An SA will multicast for a DA, while a UA will multicast on its local segment looking for responses from SA's.   The DA multicast address is 224.0.1.35 - is the server multicasting to that address?  If so, it's the SA trying to find a DA.  If it's to 224.0.1.22, then it's the UA looking for a response from SA's.

However, once they've found what they need, they shouldn't keep looking, which makes me suspect your SLP configuration.

I would think, if it's a failover cluster, that the SLP multicast would switch from the formerly active server to the newly active server.  If you don't want your servers multicasting SLP, then you have to configure your SLP to use SLP.CFG so the cluster nodes will unicast to the DA.  If you don't have a DA, and haven't configured SLP, the multicast will keep happening - the services have to make themselves known somehow, and with SLP they aren't broadcast like SAPs were.
0
 
huziyAuthor Commented:
I am using Network Instruments' Observer and looking at the packets from the source ip address to the 10.0.255.255 address (we are using a 10.0.0.0/16 network)

Observer indicates it is a broadcast and it occurs every second

i cannot recall changing the port to 224 although the packet capture does show the protocol to be 224

i have a DA configured in the SLP.cfg on both servers.

other stuff from the packet capture

Frame Network Size 98
Differential time 0.988529
Ip length 80
TTL 128
Protocol 224

any thoughts!?!
0
 
dotENGCommented:
HI,
Definitely cluster heartbeat.

224 is 0xE0

Check this one:
http://support.novell.com/cgi-bin/search/searchtid.cgi?10071158.htm

Look at the first IP line.
0
 
dotENGCommented:
Some more clustering background:
Even though this is an old document (2003), it provides some good info,

http://support.novell.com/cgi-bin/search/searchtid.cgi?10053882.htm
0
 
ShineOnCommented:
Oh.  IP *PROTOCOL* 224.  Again, that's different from IP *PORT* 224.  Way different.

If you can filter out the reporting from the firewall so the heartbeat isn't logged, that'd be best, IMHO.  The protocol 224 packets are broadcast by the master node to the local segment only, so the firewall shouldn't care.
0
 
huziyAuthor Commented:
sorry getting my Protocols and Ports mixed up..

looking into the firewall.. thanks for confirming..
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
  • 3
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now