[LON-CAPA-admin] Not connected to network

Stuart Raeburn raeburn at msu.edu
Fri Sep 5 20:32:20 EDT 2014


Richard,

> connections going out to other institutions servers will look like   
> they're coming from the NAT address of the private network and not   
> from loncapa.purdue.edu.

They need to own up to the actual IP address of loncapa.purdue.edu  
(128.210.203.167).

> Does LON-CAPA do some sort of reverse DNS on the connections and verify?

In /home/httpd/perl/lond (which is the code to support connection  
requests from remote servers) you will find:

$server = IO::Socket::INET->new(LocalPort => $perlvar{'londPort'} ...

     $client = $server->accept() ...
     make_new_child($client);

And in the make_new_child() routine:

     my $caller = getpeername($client);
     my ($port,$iaddr);
     if (defined($caller) && length($caller) > 0) {
         ($port,$iaddr)=unpack_sockaddr_in($caller);
     }
     if (defined($iaddr)) {
         $clientip  = inet_ntoa($iaddr);
     }

which will eventually assign the IP address of the remote server from  
which a connection has been made to the scalars $clientip and $outsideip

         my $outsideip=$clientip;
         my $clientrec=defined(&Apache::lonnet::get_hosts_from_ip($outsideip));

If $outsideip is not recognized as the IP address of a known LON-CAPA  
host in the (cached) hosts data retrieved nightly from  
https://s10.lite.msu.edu/adm/dns/hosts, then the messages you reported  
from /home/httpd/perl/logs/lond.log will be logged:

<font color='blue'>WARNING: Unknown client $clientip</font>
<font color='blue'>WARNING: Rejected client $clientip, closing  
connection</font>
<font color='red'>CRITICAL: Disconnect from $clientip ($clientname)</font>

So if you are seeing $clientip set to 128.210.203.143 for a connection  
from msul1 (the MSU LON-CAPA library server) then your server will  
refuse connections from msul1, because the real IP address is  
35.8.100.228.

So, yes, you do need to configure your F5 Load Balancer hardware so  
that the IP address associated with the socket on port 5663 on  
loncapa.purdue.edu is for the remote server, and not the F5.

> ... I was thinking this functionality was working when we  first  
> switched to this configuration, however based on what I'm  seeing I  
> don't see how.

I don't know when the purdue LON-CAPA instance was switched from  
Purdue Biological Sciences to the current configuration managed by  
ITaP, but I found evidence that connectivity to the LON-CAPA network  
was unavailable from msul1 to purduel1 as far back as 7/15.


Stuart Raeburn
LON-CAPA Academic Consortium

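As an added example (not LON-CAPA's own code), the following Python script parses lond.log lines of the shape quoted in this thread, counts "Unknown client" rejections per source address, and flags any that match your own NAT or load-balancer address, which is the signature of the source-NAT problem described above. The sample log lines are constructed to mirror the ones in the thread; the set of local NAT addresses is an assumption you supply.

```python
import re
from collections import Counter

# Constructed sample of lond.log, modelled on the lines quoted in this thread
# (same layout, same addresses): the F5 address appears as an unknown client,
# while a later connection from msul1's real address is accepted.
SAMPLE_LOG = """\
Tue Sep  2 21:33:44 2014 (22758): <font color="green"> existing host msul1</font>
Tue Sep  2 21:33:44 2014 (22758): <font color='blue'>WARNING: Unknown client 128.210.203.143</font>
Tue Sep  2 21:33:44 2014 (22758): <font color='blue'>WARNING: Rejected client 128.210.203.143, closing connection</font>
Tue Sep  2 21:33:44 2014 (22758): <font color='red'>CRITICAL: Disconnect from 128.210.203.143 ()</font>
Tue Sep  2 21:40:01 2014 (22790): <font color='blue'>WARNING: Unknown client 128.210.203.143</font>
Tue Sep  2 21:45:12 2014 (22801): <font color="yellow">INFO: Connection, 35.8.100.228 (msul1) connection type = client </font>
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \((?P<pid>\d+)\): (?P<body>.*)$")
FONT_RE = re.compile(r"</?font[^>]*>")          # lond wraps messages in <font> tags
UNKNOWN_RE = re.compile(r"WARNING: Unknown client (\d+\.\d+\.\d+\.\d+)")
ACCEPT_RE = re.compile(r"INFO: Connection, (\d+\.\d+\.\d+\.\d+) \((\w+)\)")

def parse_line(line):
    """Split one lond.log line into timestamp, child pid and tag-free message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m.group("ts"), "pid": int(m.group("pid")),
            "body": FONT_RE.sub("", m.group("body")).strip()}

def rejected_clients(log_text):
    """Count 'Unknown client' rejections per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        m = UNKNOWN_RE.search(rec["body"]) if rec else None
        if m:
            counts[m.group(1)] += 1
    return counts

def accepted_peers(log_text):
    """Map hostname -> source address for connections lond accepted."""
    peers = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        m = ACCEPT_RE.search(rec["body"]) if rec else None
        if m:
            peers[m.group(2)] = m.group(1)
    return peers

def snat_suspects(log_text, local_nat_addrs):
    """Rejected source addresses that are our own NAT / load-balancer addresses.
    A remote peer showing up from our own F5 address means inbound connections
    are being source-NATed, so lond's hosts-table lookup on $clientip never matches."""
    return {ip: n for ip, n in rejected_clients(log_text).items() if ip in local_nat_addrs}
```

Run it against a real /home/httpd/perl/logs/lond.log with `local_nat_addrs` set to the addresses your F5 or NAT device uses; a non-empty result from `snat_suspects` confirms the source-address rewrite rather than a missing hosts-table entry.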

Quoting "Lucas, Richard" <clucas at purdue.edu>:

> Stuart,
>
> Those PerlVars are both set to 1.
>
> I think I know what the issue is here, maybe you can confirm. When
> we originally moved the server we put it behind the F5 and gave
> the server an internal IP address. We configured the F5 to forward
> ports through since we only have the one server. However,
> connections going out to other institutions' servers will look like
> they're coming from the NAT address of the private network and not
> from loncapa.purdue.edu. Also the F5 is receiving the connection and
> forwards it on, so to the LON-CAPA server it looks like the
> connection is coming from the F5. I am seeing messages like this for
> connections in:
>
> Tue Sep  2 21:33:44 2014 (2184): <font color="green"> Attempting to   
> start child (IO::Socket::INET=GLOB(0x3e55dd8))</font>
> Tue Sep  2 21:33:44 2014 (22758): <font color="green"> existing host  
>  msul1</font>
>
> Tue Sep  2 21:33:44 2014 (22758): <font color='blue'>WARNING:   
> Unknown client 128.210.203.143</font>
> Tue Sep  2 21:33:44 2014 (22758): <font color='blue'>WARNING:   
> Rejected client 128.210.203.143, closing connection</font>
> Tue Sep  2 21:33:44 2014 (22758): <font color='red'>CRITICAL:   
> Disconnect from 128.210.203.143 ()</font>
> Tue Sep  2 21:33:44 2014 (2184): Child 22758 died
>
> Does LON-CAPA do some sort of reverse DNS on the connections and
> verify? I am working with the F5 admins here to try to get this
> configuration changed. However, I'm wondering if you can shed some
> light on how this works and if there's anything else I can do
> before that? I was thinking this functionality was working when we
> first switched to this configuration; however, based on what I'm
> seeing I don't see how.
>
> Thanks,
> Richard
>
> -----Original Message-----
> From: lon-capa-admin-bounces at mail.lon-capa.org   
> [mailto:lon-capa-admin-bounces at mail.lon-capa.org] On Behalf Of   
> Stuart Raeburn
> Sent: Wednesday, September 03, 2014 12:20 AM
> To: lon-capa-admin at mail.lon-capa.org
> Subject: Re: [LON-CAPA-admin] Not connected to network
>
> Richard,
>
> I would agree that the LON-CAPA server for the purdue domain is   
> currently unable to connect to other LON-CAPA servers in the network.
>
> What is currently in /etc/httpd/conf/loncapa.conf for the two   
> PerlVars loncAllowInsecure and londAllowInsecure ?
>
> Looking at debug information in /home/httpd/perl/logs/lonc.log on   
> s12.lite.msu.edu I am seeing:
>
> [Tue Sep  2 21:33:43 2014: Connected to loncapa.purdue.edu] Created   
> connection 1 to host loncapa.purdue.edu LondWritable State =   
> Connected host = loncapa.purdue.edu LondWritable State = Initialized  
>  host = loncapa.purdue.edu LondReadable host = loncapa.purdue.edu   
> LondReadable called state = Initialized host = loncapa.purdue.edu   
> Readable returned: 0 host = loncapa.purdue.edu After read, state is   
> Initialized host = loncapa.purdue.edu LondReadable called state =   
> Initialized host = loncapa.purdue.edu [Tue Sep  2 21:33:43 2014:   
> Connected to loncapa.purdue.edu]
> Socket->Readable returned: -1 host = loncapa.purdue.edu
> [Tue Sep  2 21:33:43 2014: Connected to loncapa.purdue.edu] <font
> color='blue'>WARNING: Lond connection lost.</font>
>
> when connecting from s12.lite.msu.edu (the msudemo domain server).
>
> The transaction request which is failing is the init command:
>
> TransactionRequest -> init:ssl:'2.11.0-2014063012'
> TransactionReply -> refused
>
> Could you check lond.log in /home/httpd/perl/logs for messages such as:
>
> <font color="yellow">INFO: Connection, 35.9.66.242 (msudemol1)   
> connection type = client </font>"
>
> or
>
> <font color='blue'>WARNING: 35.9.66.242 failed to initialize:
>  >init:ssl:'2.11.0-2014063012'< </font>
>
> or
>
> <font color="yellow">Attempted insecure connection disallowed</font>
>
> or
>
> <font color='blue'>WARNING: Unknown client 35.9.66.242</font>
>
>
> Thanks,
>
> Stuart Raeburn
> LON-CAPA Academic Consortium
>
>
> Quoting "Lucas, Richard" <clucas at purdue.edu>:
>
>> I received a complaint that faculty are unable to browse resources
>> in other institutions. As far as I can tell our LON-CAPA instance is
>> not connected to anyone else. I see a lot of connection messages
>> with "CRITICAL: Failed to make a connection with lond." and then
>> followed shortly after with "WARNING: Failing transaction sethost"
>> messages for host connections in the lonc.log. However, I'm not sure
>> what that means or even if it's related. Any pointers on what I
>> should be looking at?
>>
>> Thanks,
>> Richard
