[LON-CAPA-admin] Not connected to network

Stuart Raeburn raeburn at msu.edu
Sun Oct 12 09:41:06 EDT 2014


Richard,

> I believe we now have this resolved. Can you verify you see our   
> LON-CAPA instance connected now?

Yes, the changes you have made have resolved this issue, and the  
purdue LON-CAPA instance is now once again part of the LON-CAPA network.

Thank you for your efforts in resolving this.

Stuart Raeburn
LON-CAPA Academic Consortium


Quoting "Lucas, Richard" <clucas at purdue.edu>:

> Stuart,
>
> I believe we now have this resolved. Can you verify you see our   
> LON-CAPA instance connected now?
>
> Thanks,
> Richard
>
> -----Original Message-----
> From: lon-capa-admin-bounces at mail.lon-capa.org   
> [mailto:lon-capa-admin-bounces at mail.lon-capa.org] On Behalf Of   
> Stuart Raeburn
> Sent: Friday, September 05, 2014 8:32 PM
> To: lon-capa-admin at mail.lon-capa.org
> Subject: Re: [LON-CAPA-admin] Not connected to network
>
> Richard,
>
>> connections going out to other institutions servers will look like
>> they're coming from the NAT address of the private network and not
>> from loncapa.purdue.edu.
>
> They need to own up to the actual IP address of loncapa.purdue.edu   
> (128.210.203.167).
>
>> Does LON-CAPA do some sort of reverse dns on the connections and verify?
>
> In /home/httpd/perl/lond (which is the code to support connection   
> requests from remote servers) you will find:
>
> $server = IO::Socket::INET->new(LocalPort => $perlvar{'londPort'} ...
>
>      $client = $server->accept() ...
>      make_new_child($client);
>
> And in the make_new_child() routine:
>
>      my $caller = getpeername($client);
>      my ($port,$iaddr);
>      if (defined($caller) && length($caller) > 0) {
>          ($port,$iaddr)=unpack_sockaddr_in($caller);
>      }
>      if (defined($iaddr)) {
>          $clientip  = inet_ntoa($iaddr);
>      }
>
> which will eventually assign the IP address of the remote server   
> from which a connection has been made to the scalars $clientip and   
> $outsideip
>
>          my $outsideip=$clientip;
>          my $clientrec=defined(&Apache::lonnet::get_hosts_from_ip($outsideip));
>
> If $outsideip is not recognized as the IP address of a known   
> LON-CAPA host in the (cached) hosts data retrieved nightly from   
> https://s10.lite.msu.edu/adm/dns/hosts, then the messages you   
> reported from /home/httpd/perl/logs/lond.log will be logged:
>
> <font color='blue'>WARNING: Unknown client $clientip</font>
> <font color='blue'>WARNING: Rejected client $clientip, closing connection</font>
> <font color='red'>CRITICAL: Disconnect from $clientip ($clientname)</font>
>
> So if you are seeing $clientip set to 128.210.203.143 for a   
> connection from msul1 (the MSU LON-CAPA library server) then your   
> server will refuse connections from msul1, because the real IP   
> address is 35.8.100.228.
>
> So, yes, you do need to configure your F5 Load Balancer hardware so   
> that the IP address associated with the socket on port 5663 on   
> loncapa.purdue.edu is for the remote server, and not the F5.
>
>> ... I was thinking this functionality was working when we first
>> switched to this configuration, however based on what I'm seeing I
>> don't see how.
>
> I don't know when the purdue LON-CAPA instance was switched from   
> Purdue Biological Sciences to the current configuration managed by   
> ITaP, but I found evidence that connectivity to the LON-CAPA network
> was unavailable from msul1 to purduel1 as far back as 7/15.
>
>
> Stuart Raeburn
> LON-CAPA Academic Consortium
>
>
> Quoting "Lucas, Richard" <clucas at purdue.edu>:
>
>> Stuart,
>>
>> Those PerlVars are both set to 1.
>>
>> I think I know what the issue is here, maybe you can confirm. When
>> we originally moved the server we put it behind the F5 and gave
>> the server an internal IP address. We configured the F5 to forward
>> ports through since we only have the one server. However,
>> connections going out to other institutions servers will look like
>> they're coming from the NAT address of the private network and not
>> from loncapa.purdue.edu. Also the F5 is receiving the connection and
>>  forwards it on so to the LON-CAPA server it looks like the
>> connection is coming from the F5. I am seeing messages like this for
>> connections in:
>>
>> Tue Sep  2 21:33:44 2014 (2184): <font color="green"> Attempting to start child (IO::Socket::INET=GLOB(0x3e55dd8))</font>
>> Tue Sep  2 21:33:44 2014 (22758): <font color="green"> existing host msul1</font>
>>
>> Tue Sep  2 21:33:44 2014 (22758): <font color='blue'>WARNING: Unknown client 128.210.203.143</font>
>> Tue Sep  2 21:33:44 2014 (22758): <font color='blue'>WARNING: Rejected client 128.210.203.143, closing connection</font>
>> Tue Sep  2 21:33:44 2014 (22758): <font color='red'>CRITICAL: Disconnect from 128.210.203.143 ()</font>
>> Tue Sep  2 21:33:44 2014 (2184): Child 22758 died
>>
>> Does LON-CAPA do some sort of reverse dns on the connections and
>> verify? I am working with the F5 admins here to try to get this
>> configuration changed. However, I'm wondering if you can shed some
>> light on how this works and if there's anything else I can do
>> before that? I was thinking this functionality was working when we
>> first switched to this configuration, however based on what I'm
>> seeing I don't see how.
>>
>> Thanks,
>> Richard
>>
>> -----Original Message-----
>> From: lon-capa-admin-bounces at mail.lon-capa.org
>> [mailto:lon-capa-admin-bounces at mail.lon-capa.org] On Behalf Of
>> Stuart Raeburn
>> Sent: Wednesday, September 03, 2014 12:20 AM
>> To: lon-capa-admin at mail.lon-capa.org
>> Subject: Re: [LON-CAPA-admin] Not connected to network
>>
>> Richard,
>>
>> I would agree that the LON-CAPA server for the purdue domain is
>> currently unable to connect to other LON-CAPA servers in the network.
>>
>> What is currently in /etc/httpd/conf/loncapa.conf for the two
>> PerlVars loncAllowInsecure and londAllowInsecure ?
>>
>> Looking at debug information in /home/httpd/perl/logs/lonc.log on
>> s12.lite.msu.edu I am seeing:
>>
>> [Tue Sep  2 21:33:43 2014: Connected to loncapa.purdue.edu] Created
>> connection 1 to host loncapa.purdue.edu LondWritable State =
>> Connected host = loncapa.purdue.edu LondWritable State = Initialized
>>  host = loncapa.purdue.edu LondReadable host = loncapa.purdue.edu
>> LondReadable called state = Initialized host = loncapa.purdue.edu
>> Readable returned: 0 host = loncapa.purdue.edu After read, state is
>> Initialized host = loncapa.purdue.edu LondReadable called state =
>> Initialized host = loncapa.purdue.edu [Tue Sep  2 21:33:43 2014:
>> Connected to loncapa.purdue.edu]
>> Socket->Readable returned: -1 host = loncapa.purdue.edu
>> [Tue Sep  2 21:33:43 2014: Connected to loncapa.purdue.edu] <font
>> color='blue'>WARNING: Lond connection lost.</font>
>>
>> when connecting from s12.lite.msu.edu (the msudemo domain server).
>>
>> The transaction request which is failing is the init command:
>>
>> TransactionRequest -> init:ssl:'2.11.0-2014063012'
>> TransactionReply -> refused
>>
>> Could you check lond.log in /home/httpd/perl/logs for messages such as:
>>
>> <font color="yellow">INFO: Connection, 35.9.66.242 (msudemol1)
>> connection type = client </font>"
>>
>> or
>>
>> <font color='blue'>WARNING: 35.9.66.242 failed to initialize:
>>  >init:ssl:'2.11.0-2014063012'< </font>
>>
>> or
>>
>> <font color="yellow">Attempted insecure connection disallowed</font>
>>
>> or
>>
>> <font color='blue'>WARNING: Unknown client 35.9.66.242</font>
>>
>>
>> Thanks,
>>
>> Stuart Raeburn
>> LON-CAPA Academic Consortium
>>
>>
>> Quoting "Lucas, Richard" <clucas at purdue.edu>:
>>
>>> I received a complaint that faculty are unable to browse resources in
>>> other institutions. As far as I can tell our LON-CAPA instance is
>>> not connected to anyone else. I see a lot of connection messages with
>>> "CRITICAL: Failed to make a connection with lond." and then followed
>>> shortly after with "WARNING: Failing transaction sethost"
>>> messages for host connections in the lonc.log. However, I'm not sure
>>> what that means or even if it's related. Any pointers on what I
>>> should be looking at?
>>>
>>> Thanks,
>>> Richard
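
Added example, not part of the original messages and not LON-CAPA's own code: a Python triage of lond.log for the failure discussed in this thread, where lond rejects a peer because the source address it sees is not in the hosts table. The log lines and addresses are the ones quoted in the thread; KNOWN_HOSTS is a constructed stand-in for the cached hosts data, and the /24 used to decide "same network as the local server" is an assumption.

```python
import ipaddress
import re
from collections import Counter

LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \((?P<pid>\d+)\): (?P<msg>.*)$")
TAG_RE = re.compile(r"</?font[^>]*>")
UNKNOWN_RE = re.compile(r"WARNING: Unknown client (\d{1,3}(?:\.\d{1,3}){3})\b")

# lond.log lines quoted in the thread, rejoined where the mail client wrapped them.
SAMPLE_LOG = """\
Tue Sep  2 21:33:44 2014 (22758): <font color="green"> existing host msul1</font>
Tue Sep  2 21:33:44 2014 (22758): <font color='blue'>WARNING: Unknown client 128.210.203.143</font>
Tue Sep  2 21:33:44 2014 (22758): <font color='blue'>WARNING: Rejected client 128.210.203.143, closing connection</font>
Tue Sep  2 21:33:44 2014 (22758): <font color='red'>CRITICAL: Disconnect from 128.210.203.143 ()</font>
Tue Sep  2 21:33:44 2014 (2184): Child 22758 died
"""

# Constructed stand-in for the cached hosts data: only the host names and
# addresses mentioned in the thread.
KNOWN_HOSTS = {"35.8.100.228": "msul1", "35.9.66.242": "msudemol1"}
LOCAL_IP = "128.210.203.167"  # loncapa.purdue.edu, per the thread

def parse_line(line):
    """Return (timestamp, pid, message without font tags), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], int(m["pid"]), TAG_RE.sub("", m["msg"]).strip()

def unknown_clients(log_text):
    """Count 'Unknown client' rejections per source address."""
    msgs = (p[2] for p in map(parse_line, log_text.splitlines()) if p)
    hits = (UNKNOWN_RE.search(msg) for msg in msgs)
    return Counter(m.group(1) for m in hits if m)

def classify(ip, known_hosts, local_ip, prefix=24):
    """Suggest why lond saw this peer address as unknown."""
    if ip in known_hosts:
        return "known-host"           # rejection has some other cause
    local_net = ipaddress.ip_network(f"{local_ip}/{prefix}", strict=False)
    if ipaddress.ip_address(ip) in local_net:
        return "local-net"            # suspect NAT/load balancer rewriting the source
    return "not-in-hosts-table"

def triage(log_text, known_hosts=KNOWN_HOSTS, local_ip=LOCAL_IP):
    """Map each rejected address to (rejection count, classification)."""
    return {ip: (n, classify(ip, known_hosts, local_ip))
            for ip, n in unknown_clients(log_text).items()}
```

A "local-net" result for an address that is not the server's own is the pattern described above: the peer address lond reads from the socket belongs to the device in front of the server, not to the remote LON-CAPA host.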


