Veritas-bu

[Veritas-bu] NetBackup and Checkpoint Firewall

2003-02-06 10:58:11
Subject: [Veritas-bu] NetBackup and Checkpoint Firewall
From: richard.hall AT ingenta DOT com (Richard.Hall)
Date: Thu, 6 Feb 2003 15:58:11 +0000 (GMT)
Dale,

Welcome to the club ...

On Wed, 5 Feb 2003, Kramer, Dale wrote:

> Solaris 8
> Netbackup 4.5
>
> I have a system in our internal DMZ.  I can back up this system fine
> but I cannot restore to this system.  It's not the ports as the
> firewall is wide open for this system.  What I found out was that
> NetBackup opens a TCP connection to use for the restore.  Then the
> process finds the correct tape, mounts the tape, positions the tape,
> and then searches for the right image.  This can take multiple
> minutes.  In the meantime the opened TCP connection has only seen a 3
> way handshake with no actual data being passed.  Checkpoint has a
> "hidden" timer used for this situation with a default value of 60
> seconds. So by the time NetBackup is ready to pass data the timeout
> has kicked in.  So you get the message in the restore log of data not
> being restored and a listing of files.  This timeout is supposed to be
> in the objects.C file in Checkpoint but our firewall guy can't find
> it.  Anybody know where it is?

Fortunately I kept my previous answer ...

On Mon, 5 Aug 2002, Richard.Hall wrote:
[...]
> > Had exactly the same problem.
[...]
> > it boils down to
> >
> > - NBU establishes a connection through the f/w
> > - NBU does not send any data
> > - FW1 closes the connection after a fairly short timeout (1 minute?)
> >
> > Note that this is a timeout on _initial_ data; once any data has been sent
> > a much longer timeout applies.
> >
> > On the rare occasions we need to restore, we get round it by increasing
> > this timeout massively and reloading the f/w. Not pretty.
> >
> > I'll try to dig out the details tomorrow (nag me if I forget!), or you can
> > hunt on www.phoneboy.com (IIRC)
>
> We apparently change tcpstarttimeout in objects.C from its default value
> (60) to something silly, just for the duration of the restoration.  YMMV.
>
> If anyone knows a saner way of solving this ...??

(N.B. we're not on an up-to-date FW-1 release, so this may have changed)

HTH,
 Richard

> thanx,
> dale
>
> Dale P. Kramer
> Senior Systems Administrator
> STERIS Corporation
> 5960 Heisley Rd.
> Mentor, OH 44060
> 440-392-7082
>
> Good news is just life's way of keeping you off balance.
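
The failure described in this thread (handshake completes, no data flows, the firewall expires the connection before the first payload) can be reproduced without running a restore. The probe below is an added example, not part of the original thread and not NetBackup or Check Point code; the function names, the echo listener and the idle values are assumptions chosen for illustration.

```python
import socket
import threading
import time

def start_echo_listener(host="127.0.0.1", port=0):
    """Far-end stand-in: accept connections one at a time, echo one message."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                data = conn.recv(64)
                if data:
                    conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def probe_idle_after_handshake(host, port, idle_seconds, reply_timeout=5.0):
    """Connect, stay silent for idle_seconds, then send once and await the echo."""
    with socket.create_connection((host, port), timeout=reply_timeout) as s:
        time.sleep(idle_seconds)  # handshake done, no data: the tape-positioning gap
        try:
            s.sendall(b"probe\n")
            reply = s.recv(64)
        except socket.timeout:
            return False, "no reply: packets dropped, state entry likely expired"
        except (ConnectionResetError, BrokenPipeError) as exc:
            return False, f"connection torn down during idle period: {exc}"
    if reply == b"probe\n":
        return True, f"survived {idle_seconds}s of post-handshake silence"
    return False, "connection closed before any data was echoed"

def sweep(host, port, idle_values):
    """Probe each idle duration in turn; return {idle_seconds: survived}."""
    return {i: probe_idle_after_handshake(host, port, i)[0] for i in idle_values}

if __name__ == "__main__":
    # Constructed loopback demo; across a real firewall, run the listener on one
    # side and sweep idle values on either side of the suspected timeout.
    demo_port = start_echo_listener()
    for idle, ok in sweep("127.0.0.1", demo_port, [0.1, 0.5]).items():
        print(f"idle {idle:>5}s -> {'ok' if ok else 'DROPPED'}")
```

If short idle periods succeed and longer ones fail at a consistent threshold, that threshold is the initial-data timeout being enforced on the path, and it can be re-checked after any change to the firewall setting.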