Firewall interferences on Linux OS Agent communication
In an environment where network communications pass through a boundary firewall, we know some specific steps must be taken to allow agents to communicate with the TEMS if it sits on the other side of the firewall.
There are a lot of good technotes describing the ports that must be opened for agents to communicate properly with the TEMS and the Warehouse Proxy Agent (WPA), and the ITM installation guides are also a good source of information on this matter.
Recently I worked on a scenario where an agent was unable to connect to the TEMS when the local firewall was enabled.
By local firewall I mean the firewall running on the Linux OS agent server itself, not the network boundary firewall.
Although the well-known ports (1918, 3660, 1920, and others) were open, the Linux OS agent was not able to reach the TEMS and was failing with:
The most important element I found in the log, however, is this message:
It is issued just before the communication failure above.
This warning message is known to be associated with two possible scenarios:
1) The loopback interface is down: you can check it using the command
When the interface is down, you DO NOT see the line:
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
in the ifconfig output.
In this case you just need to run the command:
2) The loopback interface is up, but the command "ping localhost" fails because the /etc/hosts file has no line for localhost address resolution.
In this case you just need to verify that you have the line:
in the /etc/hosts file.
If it is not there, add it and save the hosts file.
In my scenario I verified both options above: they were OK and "ping localhost" worked, but the agent was still failing to connect and the warning message was still issued.
The problem was clearly related to the firewall, because with the firewall turned off the agent was able to connect.
In this kind of scenario, the next step must be to check the firewall rules.
The local Linux firewall is based on iptables, so I checked the output of iptables -S for the loopback interface and the localhost IP address.
Looking at the iptables output, I noticed that the rules were filtering out any activity on the localhost/loopback interface; this is why the agent issues that message and does not connect to the TEMS.
If none of the previous rules matches, iptables applies the last one, which drops everything:
-A INPUT -j DROP
The only rule related to localhost accepts only ICMP echo requests, which explains why ping was working fine:
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p icmp -m icmp --icmp-type 8 -m state --state NEW,
Any other traffic on the interface with address 127.0.0.1 is filtered out.
Usually, on a Linux OS agent server where iptables is active, you must have a rule like:
-A INPUT -i lo -j ACCEPT
We added this rule to the INPUT chain; it must be placed before -A INPUT -j DROP because iptables evaluates the rules from the top and applies the action of the first one that matches.
A restart of the agent confirmed that the problem was fixed: it was able to connect to the TEMS with the firewall enabled.
So, if you are experiencing similar scenarios, always consider that the local firewall may have a role in the failing communication with the TEMS; it can happen even when the well-known ports are allowed, if packets for the loopback interface are filtered out.
I also know of scenarios where the warning and communication error messages mentioned above are not written to the agent RAS1 log when the loopback interface is blocked by iptables.
This happens because one of the agent threads hangs while trying to bind the loopback interface, blocking other communication threads that depend on it. In this case the agent never attempts to connect to the TEMS, so the failure message is not issued at all.
So the suggestion is: if you are running the Linux OS Agent and it is not connecting to the TEMS, always have a look at the rules defined for the local firewall; it can depend on the loopback interface!
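As an added example (my own script, not part of the original post or of the ITM agent), here is a small shell check that audits an "iptables -S INPUT" listing for exactly this ordering problem and emits a corrected chain; the sample listing is constructed to reproduce the situation above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit an "iptables -S INPUT"
# listing for the loopback problem described above. Rules are evaluated top
# to bottom, so "-A INPUT -i lo -j ACCEPT" only helps if it precedes the
# catch-all DROP (or REJECT) at the end of the chain.

# Reads the listing on stdin. Exit 0 = loopback traffic is accepted,
# exit 1 = it falls through to a catch-all drop or a DROP policy.
check_loopback_rules() {
    awk '
        /^-A INPUT -i lo -j ACCEPT$/ && !lo   { lo = NR }
        /^-A INPUT -j (DROP|REJECT)/ && !drop { drop = NR }
        /^-P INPUT DROP$/                     { pdrop = 1 }
        END {
            if (lo && (!drop || lo < drop)) exit 0   # accept comes first
            if (!lo && !drop && !pdrop)     exit 0   # nothing catches lo
            exit 1
        }
    '
}

# Emits a corrected listing with the loopback ACCEPT as the first INPUT
# rule, which is what "iptables -I INPUT 1 -i lo -j ACCEPT" does on a live
# system. A misplaced copy of the rule is dropped so it is not duplicated.
fix_loopback_rules() {
    awk '
        /^-A INPUT -i lo -j ACCEPT$/ { next }
        /^-A INPUT / && !done        { print "-A INPUT -i lo -j ACCEPT"; done = 1 }
        { print }
        END { if (!done) print "-A INPUT -i lo -j ACCEPT" }
    '
}

# Constructed listing reproducing the post's situation: only ICMP echo is
# allowed on 127.0.0.1 and the final rule drops everything else.
BROKEN_RULES='-P INPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1918 -j ACCEPT
-A INPUT -j DROP'

if ! printf '%s\n' "$BROKEN_RULES" | check_loopback_rules; then
    echo "loopback is filtered; corrected INPUT chain:"
    printf '%s\n' "$BROKEN_RULES" | fix_loopback_rules
fi
```

On the agent host, `iptables -S INPUT | check_loopback_rules` (run as root) audits the live chain, and `iptables -I INPUT 1 -i lo -j ACCEPT` applies the same fix to the running firewall.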
Hope it helps.