HACMP / Multipath routing - Aix


Thread: HACMP / Multipath routing

  1. HACMP / Multipath routing

    Hi,

    Today I ran into an issue with HACMP & WebsphereMQ.
    Connections were being dropped on the firewall, due to the fact that
    the source IP address of one of the HACMP nodes was alternating
    between the persistent & the service address. As the firewall was only
    configured to pass the service address, no connection could be
    established.

    Problem seems to be 'multipath routing'. When a server has more than
    one IP address in the same subnet, AIX will use all addresses for
    communication with the outside world. It leaves it up to the software
    component running on top of AIX/HACMP, to make sure the 'sender
    address' is the address we want to use (normally service address). If
    the software component does not set this, the actual IP address is
    used as source address (sender).
    HACMP documentation and various postings here & there show that adding
    static routes to the system can be implemented as a solution. But if
    my searching & testing was correct, this can only be done on the
    interface level and not on a per alias level. In my scenario, both the
    service & the persistent address are aliases.

    Problem can be solved on the WebsphereMQ side (normally a simple
    LOCLADDR setting in the channels definition, but a little more
    complicated on MQ clustering and it involves creating a channel
    auto-definition exit), but I'm looking into solving it on the
    AIX/HACMP side. (Information above was provided by the MQ administrators).

    So basically, I am looking for a way to make sure that connection to
    host1 is always done via a local IP address 'local1', which is an
    alias on the same physical interface as another IP address 'local2' on
    the same interface and subnet.
    Hope there is anyone to help me out in this one ...


    Regards,
    Mark
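
The post above says the source address is whatever the OS picks unless the application sets it itself. The following is an added example, not part of the original thread: it shows a client pinning its source address with `bind()` before `connect()`, and a peer that only accepts the permitted address. The two loopback addresses are constructed stand-ins for two aliases on one interface and assume a Linux-style loopback that answers on all of 127.0.0.0/8; `firewall_permits` is a hypothetical stand-in for the firewall rule.

```python
import socket

# Constructed addresses standing in for two aliases in the same subnet.
DEFAULT_ADDR = "127.0.0.1"   # what the OS picks when the application does not choose
SERVICE_ADDR = "127.0.0.2"   # the only source address the firewall rule permits
ALLOWED_SOURCES = {SERVICE_ADDR}


def observed_source(local_addr=None):
    """Open one TCP connection and return the source IP the listener sees.

    local_addr=None leaves source address selection to the OS;
    a value pins the source address with bind() before connect().
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind((DEFAULT_ADDR, 0))      # port 0: kernel assigns a free port
        srv.listen(1)
        srv.settimeout(5)
        cli.settimeout(5)
        if local_addr is not None:
            cli.bind((local_addr, 0))    # fix the source IP, any source port
        cli.connect(srv.getsockname())
        conn, peer = srv.accept()        # peer[0] is the source IP on the wire
        conn.close()
        return peer[0]
    finally:
        cli.close()
        srv.close()


def firewall_permits(src_ip):
    """Hypothetical address-based rule: pass only the service address."""
    return src_ip in ALLOWED_SOURCES


if __name__ == "__main__":
    for choice in (None, SERVICE_ADDR):
        src = observed_source(choice)
        verdict = "pass" if firewall_permits(src) else "drop"
        print(f"bind={choice!s:<10} source seen={src:<10} firewall={verdict}")
```
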


  2. Re: HACMP / Multipath routing

    Mark wrote:
    > Hi,
    >
    > Today I ran into an issue with HACMP & WebsphereMQ.
    > Connections were being dropped on the firewall, due to the fact that
    > the source IP address of one of the HACMP nodes was alternating
    > between the persistent & the service address. As the firewall was only
    > configured to pass the service address, no connection could be
    > established.
    >
    > Problem seems to be 'multipath routing'. When a server has more than
    > one IP address in the same subnet, AIX will use all addresses for
    > communication with the outside world. It leaves it up to the software
    > component running on top of AIX/HACMP, to make sure the 'sender
    > address' is the address we want to use (normally service address). If
    > the software component does not set this, the actual IP address is
    > used as source address (sender).
    > HACMP documentation and various postings here & there show that adding
    > static routes to the system can be implemented as a solution. But if
    > my searching & testing was correct, this can only be done on the
    > interface level and not on a per alias level. In my scenario, both the
    > service & the persistent address are aliases.
    >
    > Problem can be solved on the WebsphereMQ side (normally a simple
    > LOCLADDR setting in the channels definition, but a little more
    > complicated on MQ clustering and it involves creating a channel
    > auto-definition exit), but I'm looking into solving it on the
    > AIX/HACMP side. (Information above was provided by the MQ administrators).
    >
    > So basically, I am looking for a way to make sure that connection to
    > host1 is always done via a local IP address 'local1', which is an
    > alias on the same physical interface as another IP address 'local2' on
    > the same interface and subnet.
    > Hope there is anyone to help me out in this one ...
    >
    >
    > Regards,
    > Mark
    >

    Hi

    I'm not sure if this solves your problem, but you may think about configuring
    HACMP with a "Collocate with persistent ip address" policy. This assures that
    your service ip address will always be configured on the same interface as is
    configured with the persistent ip address. A consequence of this policy is that
    the source ip address of your responses to requests to the HACMP service network
    will *always* be the persistent ip address.

    For sure the drawback of this policy is that you have no "load balancing"
    across two service net adapters any more, but your second adapter in this
    network functions really like a "standby" adapter.

    Regards,
    Uwe Auer


  3. Re: HACMP / Multipath routing

    On 2 Jun, 21:28, "Mark" wrote:
    > Hi,
    >
    > Today I ran into an issue with HACMP & WebsphereMQ.
    > Connections were being dropped on the firewall, due to the fact that
    > the source IP address of one of the HACMP nodes was alternating
    > between the persistent & the service address. As the firewall was only
    > configured to pass the service address, no connection could be
    > established.
    >
    > Problem seems to be 'multipath routing'. When a server has more than
    > one IP address in the same subnet, AIX will use all addresses for
    > communication with the outside world. It leaves it up to the software
    > component running on top of AIX/HACMP, to make sure the 'sender
    > address' is the address we want to use (normally service address). If
    > the software component does not set this, the actual IP address is
    > used as source address (sender).
    > HACMP documentation and various postings here & there show that adding
    > static routes to the system can be implemented as a solution. But if
    > my searching & testing was correct, this can only be done on the
    > interface level and not on a per alias level. In my scenario, both the
    > service & the persistent address are aliases.
    >
    > Problem can be solved on the WebsphereMQ side (normally a simple
    > LOCLADDR setting in the channels definition, but a little more
    > complicated on MQ clustering and it involves creating a channel
    > auto-definition exit), but I'm looking into solving it on the
    > AIX/HACMP side. (Information above was provided by the MQ administrators).
    >
    > So basically, I am looking for a way to make sure that connection to
    > host1 is always done via a local IP address 'local1', which is an
    > alias on the same physical interface as another IP address 'local2' on
    > the same interface and subnet.
    > Hope there is anyone to help me out in this one ...


    Technically the easiest way is either to change the firewall to allow
    the persistent address (noting that address based security is liable
    to spoofing) or to change the persistent address so that it is on a
    different subnet to the service address.
