Connecting to the HFS Through a Firewall

1. HFS configuration details

The HFS can be accessed from behind a firewall. Although all client sessions, even automatic scheduled backup sessions, are initiated from the client, it is necessary to place a rule in the firewall to allow traffic both to and from the TSM server in order to allow the TSM server to communicate with the TSM client. The current IP addresses/port number combinations for the service are listed on the HFS TSM server details page.

2. Trouble-shooting firewall-related issues

A number of HFS users have had problems when connecting to the HFS through a firewall. These problems are characterised by backups/restores stalling half-way through and by repeated reconnections being made though a long scheduled backup. This is normally seen in the client logs as a large number of messages of ANS1809W messages, which take one of the following forms:

ANS1809W Session is lost; initializing session reopen procedure.
ANS1809W A session with the TSM server has been disconnected. 
An attempt will be made to reestablish the connection.

It appears that these problems usually arise with firewalls based upon Linux 2.6 kernels. The workaround successfully used by a number of HFS users is to set the value of ip_conntrack_tcp_be_liberal to 1 with:

echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

This setting means that any packets interpreted by the firewall's connection tracking as being outside the TCP window will still be allowed through, unless they are reset segments.

We have also seen similar issues with commercial firewalls not based on Linux, where turning off flow consistency checking has alleviated this problem.

If you experience slow or intermittently slow backup or restore performance rather than a loss of connection, then the cause could nonetheless still be firewall-related. Please check any intervening firewalls for active anti-virus/anti-malware scanning. Packet-scanning in transit can seriously affect data rates, even on otherwise uncongested network links.

Some departments have reported problems related to deep packet inspection (DPI) firewalls and access to the archive service (please note this does not affect the backup service). The HFS archive service uses TCP port 2000, and this port has come to be used by SCCP (Cisco's Skinny Client Control Protocol). DPI firewalls with support for SCCP expect only to see SCCP connections using port 2000 - they view the TSM connection to the HFS archive service as erroneous and terminate it. On the client machine this is normally seen as a hang while starting the TSM software for archiving, most likely during the splash screen with loading stuck at 80%. To fix this problem, DPI must be disabled for SCCP/port 2000 on the firewall. On Juniper firewalls, the Application Layer Gateway settings need to be changed. For example, on the Juniper SSG140, issue the following command in the firewall command line interface:

unset alg sccp enable

The equivalent command on the Juniper SRX650 is:

set security alg sccp disable

On a FortiGate firewall, the default setting for port 2000 needs to be changed, e.g. to port 2001, by running on the command line:

config system settings
    set sccp-port 2001
end

Fortinet has a Knowledgebase article on this issue entitled FortiGate is not forwarding TCP ports 5060, 5061 and 2000. You may also find that you need to change the default port for SCCP under Policy & Objects / Objects / Services from 2000 to e.g. 2001.

Written by IT Services. Latest revision 13 December 2016