commvault.com commvault.com
Question

Connection attempts from AIX clients to CV infrastructure

  • 26 January 2024
  • 5 replies
  • 82 views
M
Rank
Badge +3

Hello Commvault Community,

 

We have this situation:

On the switches, there are many attempts to connect agents with OS AIX installed to the Commvault infrastructure (the customer reported mainly that connections are being made to an air-gapped).

The environment has OneWay Firewall configured (not by topology but on group properties). There are two large groups: the 'Client Servers' group containing all production agents, and the 'Commvault servers' group containing all Commvault infrastructure (except the air-gap server, which does not participate in backups). On these groups a Network Route is configured, on Client Servers the Commvault Servers group is added as RESTRICTED and on the Commvault Servers group the Client Servers group is added as BLOCKED.
That is, it is the CV Infrastructure that should maintain a one-way tunnel with the production agents, not the other way around.

Unfortunately, for some reason AIX clients (only AIX, because in the logs of several Windows doesn’t show these errors in cvfwd.log) - are trying to establish a connection to Commserve and, interestingly, the Media Agent acting as a air-gap, which doesn’t participate in any way in the backups (it only serves as a target for the replica).

Below, for example, a snippet from the cvfwd.log of the client1 server (client on AIX):
You can see attempts to connect to media_agent (air-gap), to which conceptually - nothing should connect.
These attempts are often generated every minute, by x servers - which causes quite a load on the production switches.

 

 

Why these connection attempts are being made (what might be the reason)?

 

Thanks,

Michał

 

5 replies

Pearl
Rank
Badge +1

Hello @Michal Osewski, Could you please share the FwConfig.txt contents from commvault installation base folder of any AIX client to see how this is configured. 

Also, please share the network summary contents from any of the client machine Client > Properties > Network Configuration  > network summary tab and share the snips/contents.

M
Rank
Badge +3

Hello,

Below Network Summary from AIX_client and AIX_client2 clients. Both of these AIX servers have connection attempts.

 

=================================

AIX_client:
"# WARNING! This file is automatically generated! Do not make any changes


1. to this file, instead edit firewall settings in the Java GUI, or, if you
2. would like to make manual adjustments, put them into FwConfigLocal.txt


[general]
keepalive_interval00
tunnel_init_interval0
force_incoming_https=0
lockdown=1
proxy=0
bind_open_ports_only=0

  1. This section describes tunnel server port and the list of additional
  2. incoming ports that may be open and used to set up efficient data transfer

[incoming]
tunnel_ports03
1. This section describes outgoing routes

[outgoing]
AIX_client FREL1 remote_guid.10C3F3-3FA5-4629-B6BE-F47471DFAAAC type=passive
AIX_client client1 remote_guidc99DF0C-F4FC-4637-9311-C1BABA912EA6 type=passive
AIX_client client2 remote_guidI780CF1-9259-4B86-90D1-61C6BC2BD015 type=passive
AIX_client cs1_DRbackup remote_guidD5EE41-66CC-4DE3-B5B8-3EA69D1B16EA type=persistent proto=httpsa cvfwdźK-CS1.url.address.pl:8408 extraports00-8699
AIX_client cs2_DRbackup remote_guid8CEA52A-0CD7-4010-B1EB-A4E2C549D467 type=persistent proto=httpsa cvfwdźK-CS2.url.address.pl:8408 extraports00-8699
AIX_client FREL2 remote_guidś8DDAAC-022E-4E9C-A830-B7A8BBB95431 type=passive
AIX_client MediaAgent1 remote_guidî9312FD-A143-465C-9FDE-5A71C2004C86 type=passive
AIX_client MediaAgent2 remote_guidA9AC1B-2171-48E9-B639-099BF4BB9955 type=passive
AIX_client cs1 proxyźk-cs01_DR remote_guidNEEBA0C-6B7E-4A81-AFF3-18E6B9069F94
AIX_client cs1 proxyźk-cs02_DR remote_guidNEEBA0C-6B7E-4A81-AFF3-18E6B9069F94"


AIX_client2:
"# WARNING! This file is automatically generated! Do not make any changes
1. to this file, instead edit firewall settings in the Java GUI, or, if you
2. would like to make manual adjustments, put them into FwConfigLocal.txt
[general]
keepalive_interval00
tunnel_init_interval0
force_incoming_https=0
lockdown=1
proxy=0
bind_open_ports_only=0

  1. This section describes tunnel server port and the list of additional
  2. incoming ports that may be open and used to set up efficient data transfer

[incoming]
tunnel_ports03
1. This section describes outgoing routes

 

[outgoing]
AIX_client2 FREL1 remote_guid.10C3F3-3FA5-4629-B6BE-F47471DFAAAC type=passive
AIX_client2 client1 remote_guidc99DF0C-F4FC-4637-9311-C1BABA912EA6 type=passive
AIX_client2 client2 remote_guidI780CF1-9259-4B86-90D1-61C6BC2BD015 type=passive
AIX_client2 cs1_DRbackup remote_guidD5EE41-66CC-4DE3-B5B8-3EA69D1B16EA type=persistent proto=httpsa cvfwdźK-CS01.url.address.pl:8408 extraports00-8699
AIX_client2 cs2_DRbackup remote_guid8CEA52A-0CD7-4010-B1EB-A4E2C549D467 type=persistent proto=httpsa cvfwdźK-CS02.url.address.pl:8408 extraports00-8699
AIX_client2 FREL2 remote_guidś8DDAAC-022E-4E9C-A830-B7A8BBB95431 type=passive
AIX_client2 MediaAgent1 remote_guidî9312FD-A143-465C-9FDE-5A71C2004C86 type=passive
AIX_client2 MediaAgent2 remote_guidA9AC1B-2171-48E9-B639-099BF4BB9955 type=passive
AIX_client2 cs1 proxyźk-cs01_DR remote_guidNEEBA0C-6B7E-4A81-AFF3-18E6B9069F94
AIX_client2 cs1 proxyźk-cs02_DR remote_guidNEEBA0C-6B7E-4A81-AFF3-18E6B9069F94"

=================================

 

I have asked the customer to extract the FwConfig.txt file from the AIX servers - as soon as I get it I will include it in the next message.

 

Regards,

Michał

 

 

M
Rank
Badge +3

Hello,

I paste the FWConfig log from AIX server (AIX_client) which regularly reports unsuccessful connections.

 

=================================

# WARNING! This file is automatically generated! Do not make any changes
# to this file, instead edit firewall settings in the Java GUI, or, if you
# would like to make manual adjustments, put them into FwConfigLocal.txt

[general]
keepalive_interval=300
tunnel_init_interval=30
force_incoming_https=0
lockdown=1
proxy=0
bind_open_ports_only=0

# This section describes tunnel server port and the list of additional
# incoming ports that may be open and used to set up efficient data transfer
[incoming]
tunnel_ports=8403


# This section describes outgoing routes
[outgoing]
AIX_client cs1 remote_guid=4EEEBA0C-6B7E-4A81-AFF3-18E6B9069F94 type=persistent proto=httpsa cvfwd=cs1.url.address.pl:8403 extraports=8600-8699 fallback=1
AIX_client cs1 proxy=cs1 remote_guid=4EEEBA0C-6B7E-4A81-AFF3-18E6B9069F94 fallback=1
AIX_client cs1 remote_guid=4EEEBA0C-6B7E-4A81-AFF3-18E6B9069F94 type=passive fallback=1
AIX_client cs1 proxy=FREL1 remote_guid=4EEEBA0C-6B7E-4A81-AFF3-18E6B9069F94 fallback=1
AIX_client cs1 proxy=MediaAgent2 remote_guid=4EEEBA0C-6B7E-4A81-AFF3-18E6B9069F94 fallback=1
AIX_client cs1 proxy=FREL2 remote_guid=4EEEBA0C-6B7E-4A81-AFF3-18E6B9069F94 fallback=1
AIX_client cs1 proxy=client3 remote_guid=4EEEBA0C-6B7E-4A81-AFF3-18E6B9069F94 fallback=1
AIX_client cs1 proxy=MediaAgent1 remote_guid=4EEEBA0C-6B7E-4A81-AFF3-18E6B9069F94 fallback=1
AIX_client FREL1 remote_guid=2E10C3F3-3FA5-4629-B6BE-F47471DFAAAC type=persistent proto=httpsa cvfwd=172.xx.176.x1:8403 extraports=8600-8699 fallback=1
AIX_client FREL2 remote_guid=B68DDAAC-022E-4E9C-A830-B7A8BBB95431 type=persistent proto=httpsa cvfwd=172.xx.176.x3:8403 extraports=8600-8699 fallback=1
AIX_client MediaAgent1 proxy=FREL1 remote_guid=EE9312FD-A143-465C-9FDE-5A71C2004C86 fallback=1
AIX_client MediaAgent1 proxy=client3 remote_guid=EE9312FD-A143-465C-9FDE-5A71C2004C86 fallback=1
AIX_client MediaAgent1 proxy=cs1 remote_guid=EE9312FD-A143-465C-9FDE-5A71C2004C86 fallback=1
AIX_client MediaAgent1 proxy=MediaAgent1 remote_guid=EE9312FD-A143-465C-9FDE-5A71C2004C86 fallback=1
AIX_client MediaAgent1 proxy=MediaAgent2 remote_guid=EE9312FD-A143-465C-9FDE-5A71C2004C86 fallback=1
AIX_client MediaAgent1 proxy=FREL2 remote_guid=EE9312FD-A143-465C-9FDE-5A71C2004C86 fallback=1
AIX_client MediaAgent1 remote_guid=EE9312FD-A143-465C-9FDE-5A71C2004C86 type=persistent proto=httpsa cvfwd=MediaAgent1.url.address.pl:8403 extraports=8600-8699 fallback=1
AIX_client MediaAgent2 proxy=MediaAgent2 remote_guid=9AA9AC1B-2171-48E9-B639-099BF4BB9955 fallback=1
AIX_client MediaAgent2 remote_guid=9AA9AC1B-2171-48E9-B639-099BF4BB9955 type=persistent proto=httpsa cvfwd=MediaAgent2.url.address.pl:8403 extraports=8600-8699 fallback=1
AIX_client MediaAgent2 proxy=FREL1 remote_guid=9AA9AC1B-2171-48E9-B639-099BF4BB9955 fallback=1
AIX_client MediaAgent2 proxy=FREL2 remote_guid=9AA9AC1B-2171-48E9-B639-099BF4BB9955 fallback=1
AIX_client MediaAgent2 proxy=client3 remote_guid=9AA9AC1B-2171-48E9-B639-099BF4BB9955 fallback=1
AIX_client MediaAgent2 proxy=MediaAgent1 remote_guid=9AA9AC1B-2171-48E9-B639-099BF4BB9955 fallback=1
AIX_client MediaAgent2 proxy=cs1 remote_guid=9AA9AC1B-2171-48E9-B639-099BF4BB9955 fallback=1
AIX_client client3 remote_guid=8A719966-6C8B-41FE-8882-55F0A20BDC54 type=persistent proto=httpsa cvfwd=client3.url.address.pl:8403 fallback=1
AIX_client client3 remote_guid=8A719966-6C8B-41FE-8882-55F0A20BDC54 type=passive fallback=1
AIX_client FREL1 remote_guid=2E10C3F3-3FA5-4629-B6BE-F47471DFAAAC type=passive
AIX_client client1 remote_guid=6399DF0C-F4FC-4637-9311-C1BABA912EA6 type=passive
AIX_client client2 remote_guid=49780CF1-9259-4B86-90D1-61C6BC2BD015 type=passive
AIX_client cs1_DRbackup remote_guid=0CD5EE41-66CC-4DE3-B5B8-3EA69D1B16EA type=persistent proto=httpsa cvfwd=cs1.url.address.pl:8408
AIX_client cs2_DRbackup remote_guid=38CEA52A-0CD7-4010-B1EB-A4E2C549D467 type=persistent proto=httpsa cvfwd=CS2.url.address.pl:8408
AIX_client FREL2 remote_guid=B68DDAAC-022E-4E9C-A830-B7A8BBB95431 type=passive
AIX_client MediaAgent1 remote_guid=EE9312FD-A143-465C-9FDE-5A71C2004C86 type=passive
AIX_client MediaAgent2 remote_guid=9AA9AC1B-2171-48E9-B639-099BF4BB9955 type=passive
AIX_client cs1 proxy=cs1_DRbackup remote_guid=4EEEBA0C-6B7E-4A81-AFF3-18E6B9069F94
AIX_client cs1 proxy=cs2_DRbackup remote_guid=4EEEBA0C-6B7E-4A81-AFF3-18E6B9069F94

 

=================================

Regards,

Michał

Pearl
Rank
Badge +1

@Michal Osewski : Sorry for delayed response, So my question would be here is, are we seeing the air gap MAs listed in the FwConfig.txt ?

M
Rank
Badge +3

Hello,

Yes, there are a lot of connections from AIX server to e.g. Media Agent (client3) which is used as a air gap in this configuration. It doesn’t perform any backups, it is only used as a network-isolated target for AuxCopy replication (all incoming connections to client3 are blocked, only outgoing connections are allowed). For some reason you see these entries and connection attempts.

 

Regard,

Michał

Reply


Terms & ConditionsCookie settings