Veritas-bu

[Veritas-bu] NetBackup and Checkpoint Firewall

2003-02-06 11:05:41
Subject: [Veritas-bu] NetBackup and Checkpoint Firewall
From: Clater_A AT bls DOT gov (Clater_A)
Date: Thu, 6 Feb 2003 11:05:41 -0500
Can this be configured dynamically, or does it require a re-install?

ac

-----Original Message-----
From: Richard.Hall [mailto:richard.hall AT ingenta DOT com]
Sent: Thursday, February 06, 2003 10:58 AM
To: Kramer, Dale
Cc: veritas-bu AT mailman.eng.auburn DOT edu
Subject: Re: [Veritas-bu] NetBackup and Checkpoint Firewall


Dale,

Welcome to the club ...

On Wed, 5 Feb 2003, Kramer, Dale wrote:

> Solaris 8
> Netbackup 4.5
>
> I have a system in our internal DMZ.  I can back up this system fine
> but I cannot restore to this system.  It's not the ports as the
> firewall is wide open for this system.  What I found out was that
> NetBackup opens a TCP connection to use for the restore.  Then the
> process finds the correct tape, mounts the tape, positions the tape,
> and then searches for the right image.  This can take multiple
> minutes.  In the meantime the opened TCP connection has only seen a 3
> way handshake with no actual data being passed.  Checkpoint has a
> "hidden" timer used for this situation with a default value of 60
> seconds. So by the time NetBackup is ready to pass data the timeout
> has kicked in.  So you get the message in the restore log of data not
> being restored and a listing of files.  This timeout is supposed to be
> in the objects.C file in Checkpoint but our firewall guy can't find
> it.  Anybody know where it is?

Fortunately I kept my previous answer ...

On Mon, 5 Aug 2002, Richard.Hall wrote:
[...]
> > Had exactly the same problem.
[...]
> > it boils down to
> >
> > - NBU establishes a connection through the f/w
> > - NBU does not send any data
> > - FW1 closes the connection after a fairly short timeout (1 minute?)
> >
> > Note that this is a timeout on _initial_ data; once any data has been sent
> > a much longer timeout applies.
> >
> > On the rare occasions we need to restore, we get round it by increasing
> > this timeout massively and reloading the f/w. Not pretty.
> >
> > I'll try to dig out the details tomorrow (nag me if I forget!), or you can
> > hunt on www.phoneboy.com (IIRC)
>
> We apparently change tcpstarttimeout in objects.C from its default value
> (60) to something silly, just for the duration of the restoration.  YMMV.
>
> If anyone knows a saner way of solving this ...??

(N.B. we're not on an up-to-date FW-1 release, so this may have changed)

HTH,
 Richard

> thanx,
> dale
>
> Dale P. Kramer
> Senior Systems Administrator
> STERIS Corporation
> 5960 Heisley Rd.
> Mentor, OH 44060
> 440-392-7082
>
> Good news is just life's way of keeping you off balance.


_______________________________________________
Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
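
One way to confirm the diagnosis discussed in this thread from a packet capture taken on the sending side of the firewall, as an added example that is not part of any poster's message: the script measures, per TCP flow, the gap between the end of the three-way handshake and the first payload byte, and flags flows that exceed the 60-second default quoted above. The tcpdump-style lines, addresses and ports are constructed, and the function names are hypothetical.

```python
import re

# Constructed capture in "tcpdump -tt -n" style; addresses, ports and times are made up.
SAMPLE = """\
1000.000000 IP 192.0.2.10.40001 > 198.51.100.20.50001: Flags [S], seq 1, length 0
1000.010000 IP 198.51.100.20.50001 > 192.0.2.10.40001: Flags [S.], seq 1, ack 2, length 0
1000.020000 IP 192.0.2.10.40001 > 198.51.100.20.50001: Flags [.], ack 2, length 0
1185.020000 IP 192.0.2.10.40001 > 198.51.100.20.50001: Flags [P.], seq 2:514, ack 2, length 512
1000.500000 IP 192.0.2.10.40002 > 198.51.100.20.50002: Flags [S], seq 1, length 0
1000.510000 IP 198.51.100.20.50002 > 192.0.2.10.40002: Flags [S.], seq 1, ack 2, length 0
1000.520000 IP 192.0.2.10.40002 > 198.51.100.20.50002: Flags [.], ack 2, length 0
1002.520000 IP 192.0.2.10.40002 > 198.51.100.20.50002: Flags [P.], seq 2:258, ack 2, length 256
1001.000000 IP 192.0.2.10.40003 > 198.51.100.20.50003: Flags [S], seq 1, length 0
1001.010000 IP 198.51.100.20.50003 > 192.0.2.10.40003: Flags [S.], seq 1, ack 2, length 0
1001.020000 IP 192.0.2.10.40003 > 198.51.100.20.50003: Flags [.], ack 2, length 0
"""

LINE = re.compile(r"^(\d+\.\d+) IP (\S+) > (\S+): Flags \[([^\]]+)\],.* length (\d+)$")
START_TIMEOUT = 60.0  # seconds; the default value quoted in the thread

def idle_gaps(capture):
    """Map each established flow to seconds between handshake end and first payload (None if none seen)."""
    flows = {}
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a TCP line in the expected shape
        ts, flags, length = float(m[1]), m[4], int(m[5])
        f = flows.setdefault(tuple(sorted((m[2], m[3]))),
                             {"syn": False, "synack": False, "est": None, "data": None})
        if flags == "S":
            f["syn"] = True
        elif flags == "S.":
            f["synack"] = f["syn"]
        elif f["synack"] and f["est"] is None and "." in flags:
            f["est"] = ts  # first ACK after SYN/SYN-ACK completes the handshake
        if f["est"] is not None and length > 0 and f["data"] is None:
            f["data"] = ts  # first segment carrying payload in either direction
    return {k: None if f["data"] is None else round(f["data"] - f["est"], 3)
            for k, f in flows.items() if f["est"] is not None}

def at_risk(capture, timeout=START_TIMEOUT):
    """Flows whose pre-data idle period exceeds the timeout, or that never carried data."""
    return sorted(k for k, gap in idle_gaps(capture).items() if gap is None or gap > timeout)

if __name__ == "__main__":
    for flow in at_risk(SAMPLE):
        print("idle past start timeout:", " <-> ".join(flow), idle_gaps(SAMPLE)[flow])
```
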