Amanda-Users

Re: FreeBSD, PIX, timeout strangeness.

2006-04-27 05:11:08
Subject: Re: FreeBSD, PIX, timeout strangeness.
From: Paul Bijnens <paul.bijnens AT xplanation DOT com>
To: Matt <mnaismith AT gmail DOT com>
Date: Thu, 27 Apr 2006 10:05:18 +0200
On 2006-04-27 04:06, Matt wrote:

> Hi,
>
> I'm doing a nightly dump of a number of hosts on my network through a PIX firewall. Each morning I find the same hosts fail with the common "estimate timeout issue" which usually indicates a firewall problem. If I immediately run a dump of one of the failed hosts by itself it works fine! It's only when I run a bunch together! Could it be the PIX is not managing to keep state on all the traffic? I'm backing up FreeBSD hosts.. The interesting point is the FreeBSD6 servers never fail!
>
> Here are some interesting differences in sysctl values..
>
> FreeBSD4
> net.inet.ip.portrange.first: 1024
> net.inet.ip.portrange.last: 5000
>
> FreeBSD6
> net.inet.ip.portrange.first: 49152
> net.inet.ip.portrange.last: 65535
>
> I have tried adjusting the values but it doesn't seem to make any difference.. It possibly has absolutely nothing to do with it..

Not relevant indeed, I believe.

> Some thoughts on this problem would be appreciated..


The estimate phase goes as follows:  the server sends a UDP packet
to the client, containing the DLE's and levels that need to be estimated.

The client makes the estimates for each DLE (that could be up to
three estimates for each disk:   level 0, level N, and level N+1).
In Amanda 2.4.4 the result was packed in a UDP packet and sent back
when all the estimates were done.  Since Amanda 2.4.5 the client now
sends a "partial result" back whenever a new DLE-lvl is estimated.

The problem with firewalls is that UDP is "connection oriented": there
is no way to see when the communication stops (TCP has handshaking which
the firewall can use for the state of a connection).  Firewalls usually
just allow some time between request and answer.  All the UDP packets
arriving after that timeout are dropped.

So in Amanda 2.4.4 and earlier, the time between request and answer
can be very long.  In Amanda 2.4.5 there is at least some intermediate
traffic (for each DLE) that keeps the timer from expiring.

I have no experience with a PIX firewall, but from some other posts
I remember that the default timeout is 40 seconds.  If possible, you
should increase that.

A completely different option is to resort to the faster (but less
accurate) mechanisms with the dumptype option:

   estimate client|calcsize|server
     client: what you are using now
     calcsize:  a faster program, but less accurate
     server:   estimates based on statistics calculated by the server
                takes less than a second (but could be way off).

See also:
  http://wiki.zmanda.com/index.php/Amdump:_results_missing


--
Paul Bijnens, xplanation Technology Services        Tel  +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax  +32 16 397.512
http://www.xplanation.com/          email:  Paul.Bijnens AT xplanation DOT com
***********************************************************************
* I think I've got the hang of it now:  exit, ^D, ^C, ^\, ^Z, ^Q, ^^, *
* F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt,  abort,  hangup, *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e,  kill -1 $$,  shutdown, *
* init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... *
* ...  "Are you sure?"  ...   YES   ...   Phew ...   I'm out          *
***********************************************************************
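
The timing argument in the reply above, as an added example that is not part of the original message or of Amanda: a small model of a firewall's UDP idle timer, comparing one reply sent after all estimates (the 2.4.4 behaviour described) with one reply per DLE-level (2.4.5). The 40-second timeout is the figure recalled in the message; the estimate durations are constructed, and the rule that any passed packet restarts the timer is a simplifying assumption.

```python
# Simplified model (assumption): the firewall keeps one UDP state entry per
# flow, created by the server's request, and deletes it after idle_timeout
# seconds without traffic. Any packet it passes restarts the idle timer.

def delivered_replies(send_times, idle_timeout, request_time=0.0):
    """Return the client reply times that still find a live state entry."""
    last_seen = request_time
    state_alive = True
    passed = []
    for t in sorted(send_times):
        if state_alive and t - last_seen > idle_timeout:
            state_alive = False  # entry expired; client replies cannot recreate it
        if state_alive:
            passed.append(t)
            last_seen = t
    return passed

def reply_times(estimate_durations, partial):
    """Times at which the client sends estimate results.
    partial=False: one packet once every estimate is done.
    partial=True:  one packet after each DLE-level estimate."""
    times, clock = [], 0.0
    for duration in estimate_durations:
        clock += duration
        times.append(clock)
    return times if partial else times[-1:]

def simulate(estimate_durations, idle_timeout):
    """Count sent vs. passed reply packets for both reply strategies."""
    result = {}
    for label, partial in (("single_reply", False), ("partial_replies", True)):
        sent = reply_times(estimate_durations, partial)
        passed = delivered_replies(sent, idle_timeout)
        result[label] = {"sent": len(sent), "passed": len(passed)}
    return result

if __name__ == "__main__":
    TIMEOUT = 40  # seconds, the default recalled in the message
    # Constructed per-DLE estimate durations in seconds.
    cases = {
        "many short estimates": [15, 25, 30, 20, 35],
        "one slow DLE": [15, 25, 90, 20],
    }
    for name, durations in cases.items():
        print(name, simulate(durations, TIMEOUT))
```

The second case shows the limit of the partial-result behaviour: a single estimate that runs longer than the timeout still expires the entry, and every later reply for that host is dropped as well.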

