  • Latest Post - ‏2011-11-03T16:47:54Z by RDzJohn
scottpecnik
15 Posts

Pinned topic Can't connect to z/OS from external network

‏2011-10-27T20:55:56Z |
I'm having a problem getting to my z/OS box from outside my LAN. I've gone with Scenario #4 for setting up TCP/IP, where both Linux and z/OS share eth0 but have their own IP. From within my LAN, I am able to use z/OS' dedicated IP and connect to it with PCOMM on port 23, FTP on 21, SSH on 22, RSE on 4035 and on and on. I have forwarded these ports from within my router to z/OS' dedicated IP, but for some reason I am unable to get through. I also have ports being forwarded to the Linux box which work just fine from outside the LAN (such as VNC).

Has anybody else run into an issue like this? I don't think it has anything to do with the Linux firewall since it shouldn't be intercepting connections going directly to z/OS. I have ruled this out anyway by turning off the Linux firewall altogether.

At this point I'm kind of stumped; any suggestions that anyone might have would be great.

Thanks,

Scott Pecnik
ClearBlade
  • scottpecnik
    15 Posts

    Re: Can't connect to z/OS from external network

    ‏2011-11-03T07:26:30Z  
    I'm still stuck on this. Tonight I even plugged in a different router just to rule out yet another variable. Same result, am able to get to z/OS from the LAN, but not outside via forwarded ports. I'm looking deeper at the different TCP/IP network configurations and seeing a lot of work with iptables. Has anybody had to edit iptables when using TCP/IP scenario #4? It doesn't make sense to me that you would have to, but at this point I'm not leaving anything to question.

    On that note, has anybody done what I'm trying to do with Scenario #4, that is forward ports to the z/OS IP with it successfully recognizing and accepting the connections?

    Thanks,
    Scott Pecnik
    ClearBlade
  • RDzJohn
    272 Posts

    Re: Can't connect to z/OS from external network

    ‏2011-11-03T11:41:32Z  
    I usually turn iptables off completely just to simplify things. Having said that, z/OS scenario 4 should not have any intersects with Linux at all. Note that Linux and z/OS don't "share" eth0. The "sharing" comes from the OSA adapter emulation inside UT. You also should have no need for any nat2 scripts or any other manipulation of Linux to get z/OS on the network. The key to making things work is to make sure the IP address used by z/OS is active on the subnet the machine is connected to. Based on your description of the problem and your ability to reach z/OS from the network, it sounds like the IP address is not the problem. You must also make sure the ROUTE statements in the TCPIP.PROFILE datasets are correct. If you are trying to get beyond the first router from z/OS and the router itself does not have routing rules to enable this, you'll need additional routes on z/OS.

    RDzJohn
  • scottpecnik
    15 Posts

    Re: Can't connect to z/OS from external network

    ‏2011-11-03T14:57:33Z  
    RDzJohn,

    Thanks for the help. At this point I'm thinking there must be something wrong with my routes. Here is what I have, hoping you can verify my thinking. For ETH1, 10.1.1.2 is the tunnel address. I'm not sure whether or not this address should show up when I do an ifconfig, but this is what I see.

    
    tap0      Link encap:Ethernet  HWaddr 5E:4E:9D:F8:0D:49
              inet addr:10.1.1.1  Bcast:10.1.1.255  Mask:255.255.255.0
              inet6 addr: fe80::5c4e:9dff:fef8:d49/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:12 errors:0 dropped:0 overruns:0 frame:0
              TX packets:42 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:500
              RX bytes:720 (720.0 b)  TX bytes:6883 (6.7 Kb)
    


    ETH2 is 192.168.1.149, which is the IP of z/OS. This is the IP I use to connect to it locally. For the routes, 192.168.1.1 is the DNS of the router, while 192.168.1.2 is where the router starts giving out IPs. The remaining ETH1 route is 10.0.0.0 simply because that's what's in the PDFs and I can't imagine my Linux distro is any different :)

    
    DEVICE PORTA  MPCIPA
    LINK ETH1  IPAQENET PORTA
    HOME 10.1.1.2 ETH1

    ; This second device is optional
    DEVICE PORTB    MPCIPA
    LINK ETH2 IPAQENET PORTB
    HOME 192.168.1.149 ETH2

    BEGINRoutes
    ;     Destination   SubnetMask    FirstHop       LinkName  Size
    ROUTE 192.168.1.1 255.255.255.0       =        ETH2 MTU 1492
    ROUTE 10.0.0.0    255.0.0.0           =        ETH1 MTU 1492
    ROUTE DEFAULT                     192.168.1.2  ETH2 MTU 1492
    ENDRoutes
    


    Is my thinking all wrong here?

    Scott Pecnik
    ClearBlade
  • RDzJohn
    272 Posts

    Re: Can't connect to z/OS from external network

    ‏2011-11-03T15:09:43Z  
    Try these ROUTEs:

    ROUTE 192.168.1.0 255.255.255.0 = ETH2 MTU 1492
    ROUTE 10.1.1.0 255.255.255.0 = ETH1 MTU 1492
    ROUTE DEFAULT 192.168.1.1 ETH2 MTU 1492

    RDzJohn
  • scottpecnik
    15 Posts

    Re: Can't connect to z/OS from external network

    ‏2011-11-03T16:39:39Z  
    WOW! That worked like a charm. Would you mind explaining what I was doing wrong and why you suggested the changes that you did?

    Thanks!

    Scott Pecnik
    ClearBlade
  • RDzJohn
    272 Posts

    Re: Can't connect to z/OS from external network

    ‏2011-11-03T16:46:22Z  
    Sure.
    The first ROUTE says route all traffic destined for the 192.168.1 network to device ETH2. The distinction here is that this is a network route, not a device route. The second ROUTE says route all traffic for the 10.1.1 network to device ETH1. Same note as above. Lacking any other ROUTEs for 10. networks, the ROUTE you had for ETH1 would work. The one I suggested is more specific for the network in use. This will be corrected in future versions of the pubs. The third ROUTE says lacking specific device routing instructions, we will use the ETH1 device first, and we will use 192.168.1.1 as the first hop (the default route) to get there.

    RDzJohn
  • RDzJohn
    272 Posts

    Re: Can't connect to z/OS from external network

    ‏2011-11-03T16:47:54Z  
    Sigh... The last ref should be to ETH2. The ETH2 device is the default device to be routed to.

    RDzJohn
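
An added example, not part of the thread and not IBM tooling: a Python check run over the two route blocks posted above, flagging the two things the correction changed (a destination given as a host address instead of the network address, and a default first hop that is not the router). It handles only the `ROUTE dest mask firsthop link` form shown in the thread; `check_routes`, `HOMES` and `GATEWAY` are hypothetical names, and the router address 192.168.1.1 is an assumption taken from the suggested default route.

```python
import ipaddress

# Route blocks copied from the thread: as first posted, then as suggested.
ORIGINAL = """\
BEGINRoutes
;     Destination   SubnetMask    FirstHop       LinkName  Size
ROUTE 192.168.1.1 255.255.255.0       =        ETH2 MTU 1492
ROUTE 10.0.0.0    255.0.0.0           =        ETH1 MTU 1492
ROUTE DEFAULT                     192.168.1.2  ETH2 MTU 1492
ENDRoutes
"""
SUGGESTED = """\
BEGINRoutes
ROUTE 192.168.1.0 255.255.255.0 = ETH2 MTU 1492
ROUTE 10.1.1.0 255.255.255.0 = ETH1 MTU 1492
ROUTE DEFAULT 192.168.1.1 ETH2 MTU 1492
ENDRoutes
"""
HOMES = {"ETH1": "10.1.1.2", "ETH2": "192.168.1.149"}  # from the HOME statements
GATEWAY = "192.168.1.1"  # assumption: the LAN router's address


def check_routes(profile, homes=HOMES, gateway=GATEWAY):
    """Return findings for ROUTE lines in the 'dest mask hop link' form."""
    findings, direct = [], {}  # direct: link name -> networks routed via it
    for line in profile.splitlines():
        tok = line.split(";")[0].split()  # drop comments, then tokenize
        if len(tok) < 4 or tok[0].upper() != "ROUTE":
            continue
        if tok[1].upper() == "DEFAULT":
            hop, link = ipaddress.ip_address(tok[2]), tok[3]
            if not any(hop in n for n in direct.get(link, [])):
                findings.append(f"DEFAULT: {hop} not on a network routed via {link}")
            if hop != ipaddress.ip_address(gateway):
                findings.append(f"DEFAULT: first hop {hop} is not the router {gateway}")
            continue
        dest, mask, link = tok[1], tok[2], tok[4]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if str(net.network_address) != dest:
            findings.append(f"{dest} {mask}: host address, network is {net.network_address}")
        if ipaddress.ip_address(homes[link]) not in net:
            findings.append(f"{dest} {mask}: HOME {homes[link]} of {link} is outside it")
        direct.setdefault(link, []).append(net)
    return findings


if __name__ == "__main__":
    for name, block in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, check_routes(block) or "no findings")
```

The 10.0.0.0 255.0.0.0 route in the original block produces no finding, which matches the explanation in the thread that it would work but is broader than the network in use.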