[OpenAFS] firewall'ed machine cause slowdown

Brent Johnson brent.johnson@jpl.nasa.gov
Mon, 26 Aug 2002 18:15:31 -0700 

Hello,

We (Solaris 8, Transarc 3.6 2.32 servers, 3.6 2.26 db servers) had an 
issue where a client with a certain firewall (Zone Alarm and or Black 
Ice) configuration (allowing AFS traffic out but no AFS traffic in, or 
more precisely, it didn't allow any _uninitiated_ inbound AFS traffic 
e.g. a fileserver callback) caused the fileserver (a couple actually) to 
come to a crawl (reads/writes taking 10minutes or more to complete) and 
become virtually unusable.  Had to end up blocking this firewall'ed 
client machine to get fileservers back to normal.  During "outage" 
FileLog would repeat following message sequence every minute:

Wed Jul 10 16:22:55 2002 BreakDelayedCallbacks FAILED for host 894f2528 
which IS UP.  Possible network or routing failure.
Wed Jul 10 16:22:55 2002 MultiProbe failed to find new address for 
host894f2528.7001
Wed Jul 10 16:23:51 2002 CB: Call back connect back failed (in break 
delayed) for 894f2528.7001

We have not been able to duplicate the problem but we've experienced it 
2 to 3 times within about 3 months.

Below is the explanation I got from Transarc. They've informed us that a 
fix is en route.  Has anybody ever experienced this in openafs (or 
anywhere)?

-Brent

-------Begin Transarc response---------------------------
Hi Brent,

 From the very brief synopsis, I can't tell exactly what your problem 
is... but what I was trying to quickly say is that if a user installed a 
personal firewall that allows the client to send requests to the server, 
but disallows the server to talk to the client, this can cause the 
server to tie up some threads and become slow. This all depends on how 
many requests and how frequently they are sent to the server. If this is 
the case, and you cannot get to the client, you may want to turn off 
network connectivity to this one client, if possible. Other customers 
have seen this type of condition and have taken measures such as this.

--------End Transarc response-----------------------------

-- 
Brent A. Johnson
JPL File Services Engineer
Jet Propulsion Laboratory 
Telephone: 4-2138 or 818-354-2138	Pager: 1-800-759-8888 PIN=1256866