triphen
asked on
Can't access MySQL (port# 33061) behind USG Pro
Hello everyone,
I have a weird issue that I can't seem to figure out.
I have 2 MySQL instances on AWS that, while testing, are accepting requests from anywhere (0.0.0.0/0) on port 33061 and 3306 respectively. That is to say MySQL# 1 is using port 33061 and MySQL# 2 is using port 3306 from anywhere.
From behind my USG Pro I can only access MySQL# 2 port 3306. MySQL# 1 port 33061 returns this error "Could not open connection to the host, on port 33061: Connect failed"
From other machines outside of my network, I can access both the MySQL#1 and #2 instances. This leads me to believe that something is blocking outbound accessing on port 33061 on my USG Pro. But looking at all of the configs I can't seem to figure out what is causing this. I have no outbound firewall rules in place AFAIK, everything is open outbound. What else might be going on?
IPS/IDS is not turned on. Only DPI is turned on.
Thanks in advance.
ASKER
Sorry I am not familiar with this command "tcptraceroute / tcptrace to port 33061"
Can you please elaborate?
Yes I am aware of AWS's firewall and temporarily I have 33061 open to 0.0.0.0/0
traceroute uses UDP on Unix, optionally ICMP.
traceroute uses ICMP on Windows.
You need to test for tcp protocol and where it goes & stops.
tcptraceroute or tcptrace(unix) or TCPTRACE.EXE (windows) can be downloaded and used to verify TCP links like traceroute does using UDP & ICMP.
More info:
http://www.tcptrace.org/
https://github.com/mct/tcptraceroute
ASKER
I downloaded the tcptrace tool....how do I use this thing? lol
Port 33061 is an oddball port + likely blocked by default.
Get into your device + allow TCP on port 33061 + likely problem will resolve.
Tip: On a related note, running multiple mysql instances inside the same namespace is tricky. Any minor slip up where both instances interact with the same backing store (/var/lib/mysql by default), means all your data there will instantly be corrupted in ways which can be near impossible to debug.
What you're doing is very old school + no longer required.
Just run each MySQL instance in a separate LXD container, so backing stores for each instance run in a separate namespace (LXD file system).
ASKER
Thanks!
I am not very familiar with UniFi.
I would need to do this under Settings > Routing & Firewall > Firewall > WAN OUT?
I would need to create a Port Group for 33061 TCP?
I did that and still not working :(
ASKER
Any other thoughts on this? Still can't access the port.
tcptrace -? or -h.....
tcptrace ip.ad.re.ss
ASKER
It's not an IP, it's an FQDN.
When I put tcptrace FQDN I get this:
C:\Users\User\Desktop\New folder>tcptrace name.591nilutdgdbi.us-west-1.rds.amazonaws.com
1 arg remaining, starting with 'name.591nilutdgdbi.us-west-1.rds.amazonaws.com'
Ostermann's tcptrace -- version 6.6.0 -- Tue Nov 4, 2003
stat: No such file or directory
stat is the subroutine to get data for a filename (file size etc.).
Did you try: tcptrace -h or tcptrace -?
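An added example, not code from any poster in this thread, that does what the advice above asks for (test the TCP protocol itself and see where it stops) rather than what the downloaded tool does: Ostermann's tcptrace is a packet-capture analysis tool that expects a capture file as its argument, which is why it tried to stat the hostname, whereas tcptraceroute traces the path. The probe below completes a real TCP handshake to each port and separates "refused" (the host answered with a RST, so the path is clear and nothing listens) from "filtered" (no answer before the timeout, which is what a firewall or security group dropping the SYN looks like). Ports 3306 and 33061 are the thread's; the 127.0.0.1 listener in the self-check is a constructed target.

```python
import socket
OPEN, REFUSED, FILTERED, DNS_FAIL, ERROR = "open", "refused", "filtered", "dns", "error"

def tcp_probe(host, port, timeout=3.0):
    """One TCP handshake to host:port. open = SYN/ACK came back; refused = RST
    came back (host reachable, no listener); filtered = silence until the
    timeout, i.e. a firewall, security group or router drops the SYN."""
    try:
        family, socktype, proto, _, sockaddr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror as exc:
        return DNS_FAIL, str(exc)          # name did not resolve at all
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
        return OPEN, "connected to %s:%d" % (sockaddr[0], port)
    except socket.timeout:
        return FILTERED, "no reply within %.1fs" % timeout
    except ConnectionRefusedError:
        return REFUSED, "reset by %s" % sockaddr[0]
    except OSError as exc:
        return ERROR, exc.strerror or str(exc)
    finally:
        sock.close()

def diagnose(host, ports=(3306, 33061), timeout=3.0):
    """Probe each port from this vantage point and interpret the pattern."""
    results = {p: tcp_probe(host, p, timeout) for p in ports}
    states = {r[0] for r in results.values()}
    verdict = "mixed outcomes, inspect the per-port details"
    if OPEN in states and FILTERED in states:
        verdict = "host reachable; the filtered port is blocked on the path"
    elif states == {FILTERED}:
        verdict = "nothing answers: host down, wrong address or fully blocked"
    elif states <= {OPEN, REFUSED}:
        verdict = "path is clear; a refused port simply has no listener"
    return results, verdict

def demo_against_local_listener():
    """Offline self-check on a constructed target: a listener on 127.0.0.1
    must probe as open, the same port after it closes as refused."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = tcp_probe("127.0.0.1", port)[0]
    srv.close()
    return while_open, tcp_probe("127.0.0.1", port)[0]
```

Run `diagnose("<rds-hostname>")` from a LAN host and again from a host outside the USG; a port that is open from outside but filtered from inside points at the path between them, not at the AWS side.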
ASKER CERTIFIED SOLUTION
(you may need to install the tool).
You are aware that AWS also has a firewall that may need to be set up?