Richard,
 Just a shot in the dark; but do by chance employ any type of intrusion
prevention? By design it will allow the connection thru the firewall to
the target IP, then assesses the traffic for suspicious behavior.

Here I had the exact situation, and seeing as the clients would connect
to the TSM Server I quickly dismissed the firewall. The clients would
start a session and within seconds disconnect. Finally, at my wits end I
contacted our network team, a rule was added to the intrusion prevention
system the issue was resolved. 

~Rick


-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
Richard Rhodes
Sent: Monday, February 06, 2012 6:47 AM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: [ADSM-L] Firewall problem

Hi Everyone,

We have six TSM v5.5.5 instances (on AIX)  named TSM1 to TSM6.   All six
instances  handle backups for nodes that are  behind firewalls, although
only five work.  The six instances are on separate servers, so each has
it's own  IP address and firewall rules.  The firewall rules are all
identical so we can put any node on any TSM server.

We cannot get firewall backups to work to our TSM5 instance.  Since it
was
brought up a couple years ago we have fought to get firewall backups to
work but have failed.  Nodes out behind a firewall are able to contact
the
TSM server, a sessions is established, then it is immediately
disconnected.  This repeats over and over as the node retries.  You can
sometimes see 50 or more sessions - all hung - for a firewalled node.
We've done everything we can think of:  check/double/triple checked FW
rules, talked with IBM support, run traces for them, check AIX setup,
checked TSM5 setup, compared anything related to TSM5 to the other
working
instances.  If we move the node to one of our other TSM instances it
worked just fine!! In all, we firgured this HAD to be a firewall setup
problem of some kind.

This past weekend we move TSM5 (and TSM6 also) to new servers/lpars.
The
new servers had to have new IP addresses and run a newer AIX v6.  We've
done this upgrade for the other TSM servers already.  With new IP
addresses we had to create new FW rules.  We figured that with a whole
new
setup FW backups would have to work - we're kicking it real hard!!!!
NOPE
- it didn't help!   The only thing that didn't change in this server
swing
was the actual TSM instance.  It seems our FW backup problem on this one
instance HAS to be in TSM itself.

Question:  Is there any setting in TSM that could explain failing
backups
for firewalled servers?

Thanks

Rick






-----------------------------------------
The information contained in this message is intended only for the
personal and confidential use of the recipient(s) named above. If
the reader of this message is not the intended recipient or an
agent responsible for delivering it to the intended recipient, you
are hereby notified that you have received this document in error
and that any review, dissemination, distribution, or copying of
this message is strictly prohibited. If you have received this
communication in error, please notify us immediately, and delete
the original message.