Networker

Re: [Networker] client backups through firewall disconnecting after 2 hours!

2007-09-05 22:32:54
Subject: Re: [Networker] client backups through firewall disconnecting after 2 hours!
From: Peter Viertel <Peter.Viertel AT MACQUARIE DOT COM>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Thu, 6 Sep 2007 12:27:48 +1000
That sounds very much like the right solution...     Where this needs
doing is on the NetWorker server because it's a tcp connection from the
server to the client that sits idle throughout each saveset and when a
saveset takes longer than 2 hours it gets dropped, not so important to
change on the client unless its got seriously slow filesystems. 

If you want proof - there will be something in the firewall logs about
the packets being dropped just at the time the backup session finished.

> -----Original Message-----
> From: EMC NetWorker discussion 
> [mailto:NETWORKER AT LISTSERV.TEMPLE DOT EDU] On Behalf Of Stuart Whitby
> Sent: Thursday, 6 September 2007 2:33 AM
> To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
> Subject: Re: [Networker] client backups through firewall 
> disconnecting after 2 hours!
> 
> Your other option for fixing this (maybe) is to drop the 
> TCP_KEEPALIVE_INTERVAL (Solaris - there'll be similar in 
> Windows) to a smaller interval - 15 minutes, say.  It's set 
> by default to 2 hours (7200000 ms) in Solaris.  Setting this 
> lower will get TCP to check that the port on the other side 
> is still accessible, initiating traffic which will reset the 
> firewall's timeout .... timers.
>  
> HTH,
>  
> Stuart.
> 
> ________________________________
> 
> From: EMC NetWorker discussion on behalf of mark wragge
> Sent: Wed 05/09/2007 16:45
> To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
> Subject: Re: [Networker] client backups through firewall 
> disconnecting after 2 hours!
> 
> 
> 
> Thanks for the info. We have one checkpoint firewall and one 
> Cisco Pix. SOunds like this is the cause of the problem.
> 
> "Marcelo H. Bartsch" <mbartsch AT UNIX911.ATH DOT CX> wrote:  Mark, 
> wich firewall brand? AFAIK Cisco PIX's had a timeout for
> established connections wich seems to be something like 1 or 
> 2 hours per
> default.
> 
> 
> 
> On Wed, 2007-09-05 at 15:20 +0100, mark wragge wrote:
> > hi, i have inherited a backup of clients through a firewall 
> using firewall rules already configured. I have three clients 
> that backup through the firewall using the existing rules. 
> All three clients fail after approx 2 hours. The smaller 
> savesets on these clients complete successfully. The two 
> windows clients always fail at the same time (2 hours - 5 
> savesets 13gb completed). The unix client fails around the 
> same time but can sometimes backup about 25gb before failing.
> >
> > How can i determine if the cause of failure is related to 
> the fact that these clients go through a firewall? There are 
> no error messages on the firewall logs during the time that 
> the backup occurs or at the time that the backup stops.
> >
> > How can i determine if the cause of failure is related to 
> the number of firewall ports that are open on the client. The 
> open ports are 7937-7941and this is set using nsrports (these 
> ports and rules were determined by previous engineer from 
> EMC). The daemon.log shows no error - it says backup done and 
> then restarts the saveset.
> >
> > Is it the firewall disconnecting the client backup OR are 
> the networker services failing? We used to think that there 
> was someting wrong with the filesystem on one client but now 
> that we have added two more clients with the same errror it 
> appears that the common link is the firewall.
> >
> > Thanks for any help, Mark
> >
> > Send instant messages to your online friends 
> http://uk.messenger.yahoo.com <http://uk.messenger.yahoo.com/> 
> >
> > To sign off this list, send email to 
> listserv AT listserv.temple DOT edu and type "signoff networker" in 
> the body of the email. Please write to 
> networker-request AT listserv.temple DOT edu if you have any 
> problems with this list. You can access the archives at 
> http://listserv.temple.edu/archives/networker.html or
> > via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER
> 
> To sign off this list, send email to 
> listserv AT listserv.temple DOT edu and type "signoff networker" in 
> the body of the email. Please write to 
> networker-request AT listserv.temple DOT edu if you have any 
> problems with this list. You can access the archives at 
> http://listserv.temple.edu/archives/networker.html or
> via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER
> 
> 
>  Send instant messages to your online friends 
> http://uk.messenger.yahoo.com <http://uk.messenger.yahoo.com/> 
> 
> To sign off this list, send email to 
> listserv AT listserv.temple DOT edu and type "signoff networker" in 
> the body of the email. Please write to 
> networker-request AT listserv.temple DOT edu if you have any 
> problems with this list. You can access the archives at 
> http://listserv.temple.edu/archives/networker.html or
> via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER
> 
> 
> 
> To sign off this list, send email to 
> listserv AT listserv.temple DOT edu and type "signoff networker" in 
> the body of the email. Please write to 
> networker-request AT listserv.temple DOT edu if you have any 
> problems with this list. You can access the archives at 
> http://listserv.temple.edu/archives/networker.html or
> via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER
> 

NOTICE
This e-mail and any attachments are confidential and may contain copyright 
material of Macquarie Bank or third parties. If you are not the intended 
recipient of this email you should not read, print, re-transmit, store or act 
in reliance on this e-mail or any attachments, and should destroy all copies of 
them. Macquarie Bank does not guarantee the integrity of any emails or any 
attached files. The views or opinions expressed are the author's own and may 
not reflect the views or opinions of Macquarie Bank.

To sign off this list, send email to listserv AT listserv.temple DOT edu and 
type "signoff networker" in the body of the email. Please write to 
networker-request AT listserv.temple DOT edu if you have any problems with this 
list. You can access the archives at 
http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER