notklion.blogg.se

Zenmap failed to open device eth1

A situation i used to always run into in the past was: i needed to set up a new infoblox device or ha pair, and the grid master and grid master candidates were in different datacenters/locations and there were one or more firewalls between them. i would submit firewall rules, then hope they were implemented correctly, waiting for the stated time to try my grid join and hope it worked. then, if it didn't, trying to figure out for sure if it was a firewall issue or something else.

I always wished infoblox had an option somewhere to "test" grid communication in some way, just to verify the lines of communication were open without doing the actual join at that point. (and don't, that i'm aware of.)

At some point, i became aware of the expertmode option, and access to the new/different command line tools that mode provides. using that, i was able to figure out a way to test/verify connectivity to the grid master.

Caveat: the device must not be already joined to a grid. if the new device is already joined to something, then the openvpn udp ports (at least 1194) will already be in use so this trick doesn't work.

So here's what i do now to verify the firewalls are opened properly, well in advance of my implementation date, so i can follow up with the firewall teams to get things fixed before the join date and time arrives.

Run a tcpdump on the grid master looking for the ip of the new device, e.g.

Expert Mode > tcpdump -i eth2 (udp port 2114 || udp port 1194) && src <ip of the new device>

(which interface you have to listen on depends on the infoblox device, but in general eth0 is mgmt, eth1 is lan1, eth2 is ha - in my experience. ha pairs do openvpn tunnels between each other on their lan1 ips, while devices talk to the grid master from their lan1 ip to the grid master's vip. if a grid master is an ha pair, the passive member talks to the active member from its lan1 ip to the active member's vip (instead of lan1 to lan1 like grid member ha pairs do with each other). so "eth2" above is the grid master's ha interface, and since you should be on the active member, the vip is riding on this interface. technically, vips are on eth2 or eth2 is empty on the passive member, and the ha ip for each member is on eth2:1. i know i used to have some devices that didn't ).

Leave this running on the grid master, then on the new device run a couple of traceroutes. (i originally was going to use ping, but the options on ping didn't allow me to set what i needed. i forget what it was though, and i don't feel like looking it up right now.)

First specify the source and destination ports as 1194/udp, then on a second traceroute specify 2114/udp.

(so this is going to send out of eth1, the grid member's lan1 interface, to the vip of the grid master. the -U is for udp, -port is destination port, -sport is source port.)














