This works beautifully. We found 2 objects.C files and first modified the wrong
one. Once we got it right the restore worked. Thanks Richard for pointing me
in the right direction.
dale
-----Original Message-----
From: Richard.Hall [mailto:richard.hall AT ingenta DOT com]
Sent: Thursday, February 06, 2003 1:15 PM
To: Clater_A
Cc: veritas-bu AT mailman.eng.auburn DOT edu
Subject: RE: [Veritas-bu] NetBackup and Checkpoint Firewall
On Thu, 6 Feb 2003, Clater_A wrote:
> Can this be configured dynamically, or does it require a re-install?
AIUI you have to reinstall the f/w policy for changes in objects.C to take
effect. But I'm no FW-1 expert - I just got lumbered when our expert was
de-ployed.
HTH,
Richard
> ac
>
> -----Original Message-----
> From: Richard.Hall [mailto:richard.hall AT ingenta DOT com]
> Sent: Thursday, February 06, 2003 10:58 AM
> To: Kramer, Dale
> Cc: veritas-bu AT mailman.eng.auburn DOT edu
> Subject: Re: [Veritas-bu] NetBackup and Checkpoint Firewall
>
>
> Dale,
>
> Welcome to the club ...
>
> On Wed, 5 Feb 2003, Kramer, Dale wrote:
>
> > Solaris 8
> > Netbackup 4.5
> >
> > I have a system in our internal DMZ. I can backup this system fine
> > but I cannot restore to this system. It's not the ports as the
> > firewall is wide open for this system. What I found out was that
> > NetBackup opens a TCP connection to use for the restore. Then the
> > process finds the correct tape, mounts the tape, positions the tape,
> > and then searches for the right image. This can take multiple
> > minutes. In the meantime the opened TCP connection has only seen a 3
> > way handshake with no actual data being passed. Checkpoint has a
> > "hidden" timer used for this situation with a default value of 60
> > seconds. So by the time NetBackup is ready to pass data the timeout
> > has kicked in. So you get the message in the restore log of data not
> > being restored and a listing of files. This timeout is supposed to be
> > in the objects.C file in Checkpoint but our firewall guy can't find
> > it. Anybody know where it is?
>
> Fortunately I kept my previous answer ...
>
> On Mon, 5 Aug 2002, Richard.Hall wrote:
> [...]
> > > Had exactly the same problem.
> [...]
> > > it boils down to
> > >
> > > - NBU establishes a connection through the f/w
> > > - NBU does not send any data
> > > - FW1 closes the connection after a fairly short timeout (1 minute?)
> > >
> > > Note that this is a timeout on _initial_ data; once any data has been
> > > sent a much longer timeout applies.
> > >
> > > On the rare occasions we need to restore, we get round it by increasing
> > > this timeout massively and reloading the f/w. Not pretty.
> > >
> > > I'll try to dig out the details tomorrow (nag me if I forget!), or you
> > > can hunt on www.phoneboy.com (IIRC)
> >
> > We apparently change tcpstarttimeout in objects.C from its default value
> > (60) to something silly, just for the duration of the restoration. YMMV.
> >
> > If anyone knows a saner way of solving this ...??
>
> (N.B. we're not on an up-to-date FW-1 release, so this may have changed)
>
> HTH,
> Richard
>
> > thanx,
> > dale
> >
> > Dale P. Kramer
> > Senior Systems Administrator
> > STERIS Corporation
> > 5960 Heisley Rd.
> > Mentor, OH 44060
> > 440-392-7082
> >
> > Good news is just life's way of keeping you off balance.
>
>
> _______________________________________________
> Veritas-bu maillist - Veritas-bu AT mailman.eng.auburn DOT edu
> http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
>
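An added example, not part of the original thread and not Check Point or Veritas tooling: a shell check that reports tcpstarttimeout in every objects.C copy passed to it, so the copy that was actually edited can be identified and a value raised for a restore is not left in place afterwards. The `:tcpstarttimeout (N)` line syntax, the sample file contents and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit objects.C copies for a raised tcpstarttimeout.
# Assumption: the property is written as ":tcpstarttimeout (N)" on its own line.

BASELINE=60   # default value quoted in the thread

# Print "<file> <value> <status>" for each objects.C path given.
audit_tcpstarttimeout() {
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "$f - UNREADABLE"
            continue
        fi
        # If the property is repeated, report the last occurrence in the file.
        val=$(sed -n 's/^[[:space:]]*:tcpstarttimeout[[:space:]]*(\([0-9][0-9]*\)).*$/\1/p' "$f" | tail -1)
        if [ -z "$val" ]; then
            echo "$f unset UNSET"
        elif [ "$val" -gt "$BASELINE" ]; then
            echo "$f $val RAISED"
        else
            echo "$f $val OK"
        fi
    done
}

# Succeed only when no copy is raised or unreadable and all copies agree.
copies_consistent() {
    report=$(audit_tcpstarttimeout "$@")
    case "$report" in *RAISED*|*UNREADABLE*) return 1 ;; esac
    [ "$(echo "$report" | awk '{print $2}' | sort -u | wc -l | tr -d ' ')" -eq 1 ]
}

# Constructed sample data: two copies, only one of which was edited.
make_samples() {
    dir=$(mktemp -d)
    mkdir -p "$dir/conf" "$dir/stale"
    printf ':props (\n\t:tcpstarttimeout (3600)\n)\n' > "$dir/conf/objects.C"
    printf ':props (\n\t:tcpstarttimeout (60)\n)\n' > "$dir/stale/objects.C"
    echo "$dir"
}

# Demo run against the constructed samples.
d=$(make_samples)
audit_tcpstarttimeout "$d/conf/objects.C" "$d/stale/objects.C"
rm -rf "$d"
```

As the thread notes, a change in objects.C takes effect only after the policy is reinstalled, so the file value shows what will be loaded, not necessarily what the firewall is enforcing now.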