Amanda-Users

RE: Firewall Problem?

2003-12-30 11:17:17
Subject: RE: Firewall Problem?
From: donald.ritchey AT exeloncorp DOT com
To: gaustin AT w-sys.co DOT uk
Date: Tue, 30 Dec 2003 08:43:50 -0600
Geoff:

See the Amanda archives for the general discussions of using portrange and 
udp-portrange while configuring Amanda.  We use it here for backups through 
firewalls and have good success with it.

For example, we set up Amanda with the following statements in our Amanda 
config shell scripts and set the firewalls to pass those port ranges 
between the Amanda server and any client machines (but just those clients 
and the server, not generally open to all comers).

        --with-portrange=50000,50040 --with-udpportrange=890,899

Our firewall rules look something like:

From amandaserver   to amandaclients   UDP   890-899       permit
From amandaserver   to amandaclients   TCP   50000-50040   permit

From amandaclients  to amandaserver    UDP   890-899       permit
From amandaclients  to amandaserver    TCP   50000-50040   permit

It may not be strictly necessary for both directions to be specified in the 
firewall rules, but it works for us.

Check with your firewall/network administrator to see if she/he has any 
preferred port ranges for you to use.  We picked the ones above based on 
our firewall admin's observations that nothing else was using those ranges 
around here.

Of course, your mileage may vary....

Good luck and best wishes for a Happy New Year,

Donald L. (Don) Ritchey
E-mail:  Donald.Ritchey AT exeloncorp DOT com


-----Original Message-----
From: Geoff Austin [mailto:gaustin AT w-sys.co DOT uk]
Sent: Tuesday, December 30, 2003 4:44 AM
To: amanda-users AT amanda DOT org
Subject: Firewall Problem?


I started using Amanda a few weeks ago to back up 7 systems; all is well
except for 3 systems.

During every nightly dump three boxes fail with the message:

        FAILURE AND STRANGE DUMP SUMMARY:
          mail       hda2 lev 0 FAILED [Estimate timeout from mail]
          mail       hda1 lev 0 FAILED [Estimate timeout from mail]
          dns        hda2 lev 0 FAILED [Estimate timeout from dns]
          dns        hda1 lev 0 FAILED [Estimate timeout from dns]
          app        //fnp/geoff lev 0 FAILED [no backup size line]

One of these is a windows box and it seems to be a problem with Samba,
but I'm not too worried about that for the moment. The other two are
both Linux boxes and the only difference between these two boxes and the
other successful boxes is that they are on the other side of a firewall.

So immediately I assume it's the firewall that's the problem, but I have
managed to successfully run a test dump with amanda for one of the two
machines. I set up a test that commented out everything but mail & dns
in the disk file and then mail dumped ok, but dns still failed.

They are both running identical versions of Linux.

I have snipped a section of the log from the mail machine that looks to
be the offending section:

        hda1 0 SIZE 12701
        hda1 1 SIZE 4163
        hda2 0 SIZE 5617335
        hda2 2 SIZE 419676
        ----

        amandad: time 142.165: dgram_recv: timeout after 10 seconds
        amandad: time 142.165: waiting for ack: timeout, retrying
        amandad: time 152.165: dgram_recv: timeout after 10 seconds
        amandad: time 152.165: waiting for ack: timeout, retrying
        amandad: time 162.165: dgram_recv: timeout after 10 seconds
        amandad: time 162.165: waiting for ack: timeout, retrying
        amandad: time 172.165: dgram_recv: timeout after 10 seconds
        amandad: time 172.165: waiting for ack: timeout, retrying
        amandad: time 182.165: dgram_recv: timeout after 10 seconds
        amandad: time 182.165: waiting for ack: timeout, giving up!
        amandad: time 182.165: pid 6081 finish time Tue Dec 30 00:35:02 2003

If I had to make a guess, it would be that it's a communication problem
through the firewall, but I am confused by the fact that it does work
sometime in a standalone test mode. I'm hoping that this is a known
problem and that I just have to open a port on the firewall or something
similar.

Can anybody cast some light?

Many Thanks,

Geoff
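The configure flags and firewall lines in Don's reply, and the amandad timeout run in Geoff's log, translate into something checkable. The script below is an added example, not code from the Amanda project, from Don's reply or from Geoff's post. It validates the two ranges in the "lo,hi" form the --with-portrange and --with-udpportrange flags take, prints iptables rules equivalent to the four firewall lines above (assuming an iptables firewall filtering in the FORWARD chain), and scores a log excerpt in the shape of the one quoted. The addresses are RFC 5737 placeholders, the log excerpt is constructed, and the mention of 10080/udp as the client's amandad port is an assumption about the standard amanda service port, not something the thread states.

```shell
#!/bin/sh
# Added example for this thread; not code from the Amanda project, from
# Don's reply or from Geoff's post. Addresses are RFC 5737 placeholders
# and the log excerpt is constructed in the shape of the one quoted above.

# Validate a "lo,hi" range as given to --with-portrange / --with-udpportrange.
# kind is tcp or udp. For udp, require ports below 1024: amandad with the
# default BSD auth rejects requests that do not come from a reserved
# (privileged) source port, so a UDP range above 1023 breaks the control
# channel even when the firewall passes it. Returns 0 if usable.
check_range() {
    range=$1; kind=$2
    case "$range" in *,*) ;; *) return 1 ;; esac
    lo=${range%%,*}; hi=${range#*,}
    case "$lo" in ''|*[!0-9]*) return 1 ;; esac
    case "$hi" in ''|*[!0-9]*) return 1 ;; esac
    [ "$lo" -le "$hi" ] || return 1
    [ "$hi" -le 65535 ] || return 1
    if [ "$kind" = udp ]; then
        [ "$hi" -lt 1024 ] || return 1
    fi
    return 0
}

# Number of ports in a range. Every dump in flight takes ports from the TCP
# range, so a very small range caps how many dumps can run in parallel.
range_size() {
    echo $(( ${1#*,} - ${1%%,*} + 1 ))
}

# Print iptables rules equivalent to the four firewall lines in the reply:
# the two ranges, between the server and the listed clients only, in both
# directions. "-m multiport --ports" matches either the source or the
# destination port, which is what a stateless "TCP 50000-50040 between A
# and B" line means without knowing which side opens each connection; the
# UDP rule therefore also covers the request to the client's amandad
# (assumed to be on the standard amanda service port, 10080/udp), since the
# server-side port of that exchange is in the udp range. Rules are printed,
# not applied; review them, then pipe to sh on the firewall.
# Arguments: server-ip "client-ip ..." tcp-range udp-range
amanda_fw_rules() {
    server=$1; clients=$2; tcp=$3; udp=$4
    check_range "$tcp" tcp || { echo "bad TCP range: $tcp" >&2; return 1; }
    check_range "$udp" udp || { echo "bad UDP range: $udp" >&2; return 1; }
    tcp_r=$(printf '%s' "$tcp" | tr , :)
    udp_r=$(printf '%s' "$udp" | tr , :)
    for c in $clients; do
        for pair in "$server $c" "$c $server"; do
            set -- $pair
            echo "iptables -A FORWARD -s $1 -d $2 -p udp -m multiport --ports $udp_r -j ACCEPT"
            echo "iptables -A FORWARD -s $1 -d $2 -p tcp -m multiport --ports $tcp_r -j ACCEPT"
        done
    done
}

# Triage an amandad debug log passed as a string. A run of "waiting for ack:
# timeout, retrying" that ends in "giving up!" means amandad produced its
# reply (here, the estimate sizes) but never saw the server acknowledge it:
# either the reply (client to server) or the ack (server to client) is being
# dropped, which is why the reply above permits the UDP range both ways.
# Prints a one-line verdict; returns 1 when amandad gave up.
ack_timeouts() {
    retries=$(printf '%s\n' "$1" | grep -c 'waiting for ack: timeout, retrying' || true)
    if printf '%s\n' "$1" | grep -q 'waiting for ack: timeout, giving up'; then
        echo "$retries retries then gave up: check UDP $2 both ways through the firewall"
        return 1
    fi
    echo "$retries retries, eventually acked"
    return 0
}

# Constructed excerpt in the shape of the log quoted in the thread.
SAMPLE_LOG='amandad: time 142.165: dgram_recv: timeout after 10 seconds
amandad: time 142.165: waiting for ack: timeout, retrying
amandad: time 152.165: dgram_recv: timeout after 10 seconds
amandad: time 152.165: waiting for ack: timeout, retrying
amandad: time 162.165: dgram_recv: timeout after 10 seconds
amandad: time 162.165: waiting for ack: timeout, giving up!'

# Usage with the ranges from the reply and placeholder addresses.
echo "TCP range holds $(range_size 50000,50040) ports"
amanda_fw_rules 192.0.2.10 "192.0.2.21 192.0.2.22" 50000,50040 890,899
ack_timeouts "$SAMPLE_LOG" 890-899 || echo "(exit status $? flags the problem)"
```

Run it as-is to see the generated rules for one server and two clients; swap in real addresses and pipe the output to sh on the firewall only after reading it. The rule generator refuses a UDP range above 1023 on purpose, since the firewall admin's "nothing else uses that range" check does not catch the reserved-port requirement.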




