Connecting to the HFS Through a Firewall

1. HFS configuration details

The HFS can be accessed from behind a firewall. Although all client sessions, even automatic scheduled backup sessions, are initiated from the client, it is necessary to place a rule in the firewall to allow traffic both to and from the TSM server in order to allow the TSM server to communicate with the TSM client. The current IP addresses/port number combinations for the service are listed on the HFS TSM server details page.

2. Trouble-shooting firewall-related issues

A number of HFS users have had problems when connecting to the HFS through a firewall. These problems are characterised by backups/restores stalling half-way through and by repeated reconnections being made throughout a long scheduled backup. This is normally seen in the client logs as a large number of ANS1809W messages, which take one of the following forms:

ANS1809W Session is lost; initializing session reopen procedure.
ANS1809W A session with the TSM server has been disconnected. 
An attempt will be made to reestablish the connection.

It appears that these problems usually arise with firewalls based upon Linux 2.6 kernels. The workaround successfully used by a number of HFS users is to set the value of ip_conntrack_tcp_be_liberal to 1 with:

echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

This setting means that any packets interpreted by the firewall's connection tracking as being outside the TCP window will still be allowed through, unless they are reset segments.
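As an added illustration (not part of the HFS page), the following POSIX shell functions check and apply the workaround above in an idempotent way. They assume the legacy path quoted on the page and, for kernels where the ip_conntrack module was replaced by nf_conntrack, the newer /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal path; CT_ROOT is a constructed prefix so the functions can be exercised against a fake directory tree instead of the live /proc.

```shell
#!/bin/sh
# Added example: locate the TCP connection-tracking "be_liberal" knob,
# report its current value and set it to 1 (the HFS workaround).
# CT_ROOT is an assumed prefix, empty on a real host; set it to a scratch
# directory to try the functions without root or a conntrack module.
CT_ROOT="${CT_ROOT:-}"

# Print the first be_liberal path that exists under $CT_ROOT, or fail.
# Newer kernels expose nf_conntrack_*, older 2.6 kernels ip_conntrack_*.
be_liberal_path() {
    for p in \
        "$CT_ROOT/proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal" \
        "$CT_ROOT/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal"; do
        if [ -f "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Print the current value (0 or 1); fail if conntrack is not loaded.
be_liberal_get() {
    p=$(be_liberal_path) || return 1
    cat "$p"
}

# Set the knob to 1; a no-op if it is already set. A value written to
# /proc does not survive a reboot, so persist it (e.g. via sysctl.conf)
# once the workaround has been shown to be necessary on this firewall.
be_liberal_set() {
    p=$(be_liberal_path) || { echo "conntrack sysctl not found" >&2; return 1; }
    [ "$(cat "$p")" = 1 ] && return 0
    echo 1 > "$p"
}
```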

We have also seen similar issues with commercial firewalls not based on Linux, where turning off flow consistency checking has alleviated this problem.

If you experience slow or intermittently slow backup or restore performance rather than a loss of connection, then the cause could nonetheless still be firewall-related. Please check any intervening firewalls for active anti-virus/anti-malware scanning. Packet-scanning in transit can seriously affect data rates, even on otherwise uncongested network links.

Some departments have reported problems related to deep packet inspection (DPI) firewalls and access to the archive service (please note this does not affect the backup service). The HFS archive service historically has used TCP port 2000, and this port has come to be used by SCCP (Cisco's Skinny Client Control Protocol). DPI firewalls with support for SCCP expect only to see SCCP connections using port 2000 - they view the TSM connection to the HFS archive service as erroneous and terminate it. On the client machine this is normally seen as a hang while starting the TSM software for archiving, most likely during the splash screen with loading stuck at 80%.

To fix this problem we have changed the archive service to use port 1500. Currently we are redirecting connections on port 2000 to port 1500 so that existing configurations continue to work. However, if you experience problems and are still using port 2000, please change to the new port. To do this, edit the file /opt/tivoli/tsm/client/ba/bin/dsm.sys (Linux), Library/Preferences/Tivoli Storage Manager/dsm.sys (Mac), or C:\Program Files\Tivoli\TSM\baclient\dsm.opt (Windows) and change the line that says

TCPPort 2000

to:

TCPPort 1500


Written by IT Services. Latest revision 10 October 2017