HACMP Persistent IP blacklisted

Hi,

I want to use the service IP for any network activity rather than the persistent IP, as the persistent IP is blacklisted in our network. Is there any way to make the service IP the LPAR's default IP, to be used as the LPAR's source IP in case it pings anything or accesses any external machine?

Or is there a workaround for this? :)

Thanx

Where is the sense in this - the service IP addresses are meant to talk to your resource groups no matter on which node they are running. If you want to talk to the node you obviously cannot use them, as they will only be there when the resource group is on the node - if you fail over the resource group then it would be the other node, and I do not think that is what you want.

Regards
zxmaus

Thanks zxmaus for the reply,

Could you guide me to some good HACMP links? I'll be obliged :)

Regards, aixromeo

PS: Preferably related to networks and HACMP

Hello,

there are certain redbooks on the IBM site - I personally like this one most.

Regards
zxmaus

Ok let me rephrase the problem.

It's a production system.
I configured 1 persistent and 1 service address per node. When clients (users) request the active node using its service address, the client receives the response with no problem.

When the communication is initiated by the node to other servers behind a firewall, no communication is established. My interpretation is that when the node initiates communication, it uses the persistent address instead of the service one. On the firewall, only the service IP address is allowed, so the traffic with the persistent address is blocked.
Is there a workaround?

Regards,

Actually this should not be the case. What is the output of "netstat -rn" ? And what is the output of "lsattr -El inet0"?

bakunin

The obvious answer is to open the firewall. That said...

Routing is generally straightforward. If the target address matches a local route, use it. If not, use the default route.

In this case, your default route (or your primary routes) should always use the Service IP address for outbound communication. Since it does not, I'm going to assume that a) you're using IP address aliasing for your Service IP, and b) the Persistent address is on the same subnet as the Service.

If there are multiple local addresses on the same subnet, then the source address used could be either of them. This gets even trickier when they're both aliases on the same adapter, since TCP will just use the first address it finds as the source address, and order is not guaranteed.

As a test, try "route get <ipaddress>" where the <ipaddress> is a remote machine. It will show what route would be used to contact that particular address, and why.

So the real solution is to put the Persistent address on a unique subnet, but then you've got a whole new set of routing problems to solve.
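
The source-address behaviour discussed above can be checked from the node itself. The following is an added example, not code from any poster in this thread: it asks the kernel which source address it would pick for a destination and compares that with the set of addresses the firewall allows, then shows the effect of an application binding to a specific local address before connecting. The function names are hypothetical, and the loopback addresses 127.0.0.1 and 127.0.0.2 are constructed stand-ins (assuming a Linux-style loopback where all of 127.0.0.0/8 is local) for a persistent and a service address on the same subnet.

```python
import socket


def default_source(dest, port=9):
    """Return the source address the kernel selects for dest.

    Connecting a UDP socket only fixes the route and source address;
    no packet is sent.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dest, port))
        return s.getsockname()[0]


def pinned_source(dest, source, port=9):
    """Bind to an explicit local address first, then connect.

    This is how a single application can force its own source address
    when several local addresses share a subnet.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((source, 0))
        s.connect((dest, port))
        return s.getsockname()[0]


def check(dest, allowed_sources, pinned=None):
    """Report whether the outbound source address is one the firewall allows."""
    src = pinned_source(dest, pinned) if pinned else default_source(dest)
    return {"dest": dest, "source": src, "allowed": src in allowed_sources}


if __name__ == "__main__":
    # Constructed sample values: 127.0.0.1 plays the persistent address,
    # 127.0.0.2 plays the service address that the firewall allows.
    DEST = "127.0.0.1"
    FIREWALL_ALLOWED = {"127.0.0.2"}

    print(check(DEST, FIREWALL_ALLOWED))                      # kernel's own choice
    print(check(DEST, FIREWALL_ALLOWED, pinned="127.0.0.2"))  # application-pinned
```

On a real node, replace the constructed values with a remote destination and the addresses the firewall actually permits; an explicit bind only affects the application that performs it, not the host's default choice.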