Netbackup and the ACSLS firewall feature.

The intent of this document is to show how the ACSLS firewall feature is configured in Netbackup. To be honest, both Symantec/Veritas and SUN/Storagetek have done a really sloppy job documenting how to implement this feature. I hope this page helps.

Firewall compliant ACSLS is supported from Netbackup 4.5 with FP9 and forward. The firewall compliant feature uses port 30031/tcp by default, but a custom port can be chosen. It is essential that the firewall allows both sides to initiate traffic. It’s not enough to open one side and trust stateful packet inspection (SPI) to handle the rest – IT WON’T. If you are in doubt, use snoop on the ACSLS side and tcpdump on the client side to verify the traffic flow.

You also need to configure the ACSLS server for firewall operations. See the ACSLS manual.

How to configure on the client side:

An existing ACSLS server named “emulator” runs the old style port mapper feature. A new server, “Moldau”, runs firewall compliant ACSLS.

# denotes commands.

1: Edit vm.conf. Add the following entries:

ACS_TCP_RPCSERVICE
ACS_CSI_HOSTPORT = {ACSLS_servername} 30031
ACS_SSI_INET_PORT = {ACSLS_servername} 30031

From the real world:

ACS_TCP_RPCSERVICE
ACS_CSI_HOSTPORT = emulator 0
ACS_SSI_INET_PORT = emulator 0
ACS_CSI_HOSTPORT = moldau 30031
ACS_SSI_INET_PORT = moldau 30031

A “0” (zero) as the port number selects the old style RPC portmapper feature (port 110). If your media server has multiple NICs and you plan to direct traffic to and from the ACSLS server through a NIC not connected to the default gateway, add ACS_SSI_HOSTNAME = { DNS host name to use } to vm.conf. Otherwise traffic won’t flow correctly. If you are in doubt which IP address the ACSLS SSI on the media server thinks it uses, see /usr/openv/volmgr/debug/acssi/event.log. Look for a line like this:

[csi_rpctinit.c:433] ONC RPC: csi_rpctinit(): B2 SOCKET 3: family= 2 port=30031 IPaddr= 10.1.22.37

2: Add the devices in Netbackup (otherwise acsd won’t start any acssi daemons for the new robot).

3: Stop Netbackup on the media server. Make sure to kill all daemons that did not stop; in particular acsd and acssi NEED to be killed on Netbackup 5.x.

4: Delete any previously registered RPC services on the Netbackup servers. A stop/start of Netbackup may not do the job.

#rpcinfo -d 1073741824 1
#rpcinfo -d 1073741824 2

5: Start Netbackup.

6: Verify with acstest and rpcinfo -p. Look for two entries like this:

#rpcinfo -p
1073741824 2 tcp 49263 <-- Old style RPC
1073741825 2 tcp 30031 <-- Firewall compliant port.

7: Issue Netbackup’s acstest like this:

#acstest -r ACSLS_HOST -s SSI_SOCKET -C qserver

If you have multiple ACSLS servers connected, you need to specify the -s SSI socket option; otherwise you can omit it. The first SSI socket runs on 13740, the next on 13741, and so on.

8: Coffee or beer.
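As an added example (not from the original post), the following shell snippet checks the two ACS_* entries per server in vm.conf from step 1 against each other, and extracts the address and port acssi reports in the event.log line shown above. The file paths and sample contents are constructed for the demo.

```shell
# Added example, not from the original post: sanity-check the ACS_* entries in
# vm.conf and the address acssi reports binding at start-up. Sample files are
# constructed for the demo; on a real media server point the functions at
# /usr/openv/volmgr/vm.conf and /usr/openv/volmgr/debug/acssi/event.log.

# For every ACSLS server named in a vm.conf, print one line:
#   <server> <ACS_CSI_HOSTPORT port> <ACS_SSI_INET_PORT port> <OK|MISMATCH>
# Port 0 means old-style RPC portmapper; any other value is the firewall
# compliant port and must be identical in both entries ("-" = entry missing).
acs_vmconf_check() {
    awk '
        /^[ \t]*ACS_CSI_HOSTPORT[ \t]*=/  { sub(/.*=[ \t]*/, ""); csi[$1] = $2; seen[$1] = 1 }
        /^[ \t]*ACS_SSI_INET_PORT[ \t]*=/ { sub(/.*=[ \t]*/, ""); ssi[$1] = $2; seen[$1] = 1 }
        END {
            for (h in seen) {
                c = (h in csi) ? csi[h] : "-"
                s = (h in ssi) ? ssi[h] : "-"
                st = (c != "-" && s != "-" && c == s) ? "OK" : "MISMATCH"
                printf "%s %s %s %s\n", h, c, s, st
            }
        }' "$1" | sort
}

# Print the address and port acssi actually bound, as "IP:port", from the
# last csi_rpctinit() SOCKET line in its event.log. Compare it with the NIC
# you intended (ACS_SSI_HOSTNAME) and with the port configured in vm.conf.
acs_ssi_bind() {
    grep 'csi_rpctinit(): .*SOCKET' "$1" \
      | sed -n 's/.*port=\([0-9]*\) *IPaddr= *\([0-9.]*\).*/\2:\1/p' \
      | tail -n 1
}

# Constructed sample input: one old-style server and one firewall-compliant
# server whose two entries disagree (a typo that is easy to make by hand).
ACS_TMP=$(mktemp -d)
VMCONF="$ACS_TMP/vm.conf"
EVENTLOG="$ACS_TMP/event.log"
cat > "$VMCONF" <<'EOF'
ACS_TCP_RPCSERVICE
ACS_CSI_HOSTPORT = emulator 0
ACS_SSI_INET_PORT = emulator 0
ACS_CSI_HOSTPORT = moldau 30031
ACS_SSI_INET_PORT = moldau 3003
EOF
cat > "$EVENTLOG" <<'EOF'
[csi_rpctinit.c:433] ONC RPC: csi_rpctinit(): B2 SOCKET 3: family= 2 port=30031 IPaddr= 10.1.22.37
EOF
acs_vmconf_check "$VMCONF"   # emulator 0 0 OK / moldau 30031 3003 MISMATCH
acs_ssi_bind "$EVENTLOG"     # 10.1.22.37:30031
```

A MISMATCH line or a bind address on the wrong NIC is worth fixing before the acstest in step 7, since the daemon will otherwise listen where the firewall rule does not expect it.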

Update:

If acsssi and acssel don’t start but acsd does, try setting the following variables in vm.conf:

ACS_CSI_HOSTNAME = ACSLS_SERVER_NAME

ACS_SSI_HOSTNAME = MEDIA_SERVER_NAME
