Remote Lights-Out Mgmt (iLO 2, iLO, RILOE II) Forum

iLO2 and ISA firewall

Gazl
Occasional Contributor

iLO2 and ISA firewall

I wonder if anyone is able to shed any light on an issue that I have encountered please?

I have a number of servers that utilise iLO2. I can ping the iLO addresses and access the web interfaces and all associated functions as normal. I am currently in the process of setting up a perimeter network which only certain servers and our ISA firewall array will be part of. At this time, there is nothing present on this perimeter network other than a single switch. This is where my problem starts:

I have servers named 'X' 'Y' and 'Z', which I can access iLO2 features on from behind our firewall. In order to make them part of the perimeter network, I change the IP address and default gateway in iLO2. If I plug a laptop into the iLO2 port of any of the servers with a crossover cable, and set the laptop to the same subnet as the new iLO2 settings, I can ping the new iLO2 address and access all iLO2 features. This is the only way that I can ping or access the iLO2 once I have changed the IP settings. All settings in both iLO2 and in the relevant ISA firewall rules are correct.

I even temporarily set up a separate router (bypassing ISA) connecting into the server to see if I can ping the iLO2 address from a completely different subnet, and I can, so it means that the issue lies within ISA - for some reason, it doesn't seem to like iLO2.

Apologies for the long post, but this is a very strange problem that I have never before come across, and I have spent a great deal of time searching the internet but have been unable to find any reports of the same issues. Is anyone aware of issues between iLO2 and ISA 2004?

Kind regards,

Gary
10 REPLIES
Gazl
Occasional Contributor

Re: iLO2 and ISA firewall

Correction, we use ISA 2006.
Jimmy Vance
HPE Pro

Re: iLO2 and ISA firewall

Your description is a little confusing

When you switch the IP addresses to make X, Y, and Z part of the perimeter network, are you also moving the iLO network cables to the switch on the perimeter network? Your description makes it sound like you're just changing the addresses and not moving the cables.

Are you sure you have all the correct ports open in ISA? iLO2 uses the following ports

PORTS:

Port    Description
22      Secure Shell (SSH)
23      Remote Console / telnet
80      Web Server Non-SSL (HTTP)
443     Web Server SSL (HTTPS)
3389    Terminal Services
17988   Virtual Media
9300    Shared Remote Console
17990   Console Replay
3002    Raw Serial Data

The only problem I've had with opening these ports in a firewall is that the "Integrated Remote Console" function uses a random port once the connection is made, so it doesn't work. The Java based Remote Console works OK.



__________________________________________________
No support by private messages. Please ask the forum!      I work for HPE

If you feel this was helpful please click the KUDOS! thumb below!   
Gazl
Occasional Contributor

Re: iLO2 and ISA firewall

Hi Jimmy.

Thanks for your reply.

Sorry for the confusion, yes, the cables were moved and patched into the appropriate switch.
Gazl
Occasional Contributor

Re: iLO2 and ISA firewall

Also, I note your point about the integrated console port randomisation, but seeing as I can't even access the iLO2 login page, no console is running at that stage.
Jimmy Vance
HPE Pro

Re: iLO2 and ISA firewall

can you get to an iLO if you plug your laptop into the perimeter network switch?

Gazl
Occasional Contributor

Re: iLO2 and ISA firewall

Yes, I can access iLO2 fine if I plug the laptop into the perimeter switch. From our 'normal' machines, I cannot even ping these specific iLO2 addresses. Additionally, ISA is not even resolving the ARP requests.
Jimmy Vance
HPE Pro

Re: iLO2 and ISA firewall

Is the ISA server the default gateway for the perimeter network? If not that may be the issue. The systems on the perimeter network may be getting the incoming requests but don't know how to get back to the other side of the ISA server.

Gazl
Occasional Contributor

Re: iLO2 and ISA firewall

Yes, the ISA server is the default gateway. Yesterday we even set up a different perimeter network, just for the sake of clarity, and amended the iLO2 IP configuration accordingly. Again, it produced the same results - you cannot ping the iLO2 IP from outside the subnet, and again, ISA is showing invalid ARP requests.
Johnbu
Acclaimed Contributor

Re: iLO2 and ISA firewall

I'm a colleague of Gazl & we have looked at this issue again recently. What we see via the results of some packet capturing is that iLO responds to an ISA ARP request by using the dedicated ISA node MAC address as the frame destination but with the virtual ISA Array MAC address as the target address in the ARP fields of the payload.
We have actually managed to resolve ISA's inability to create an ARP table entry for iLO by spoofing the ARP response from iLO on the network switch.
However, we still cannot achieve communication from iLO through ISA.
We are using a simple PING communication to test. Now that ISA has an ARP entry for iLO, we see it pass the ICMP (PING) packet towards iLO & we also see iLO respond (via the packet capture). As you would expect, the source MAC of the ICMP request passed from ISA is matched by the destination MAC of the reply from iLO. The related IP addresses are also what we would expect to see. This is the dedicated MAC address of the ISA node within the NLB array.
Although we see iLO respond to the ICMP request back towards ISA (via a packet capture on the switch that connects iLO to ISA), ISA monitoring does not report that it ever sees this frame / packet.
Just to reiterate, that we have proven the ISA firewall rule as everything else that is connected to this switch (everything connected to the switch is on the same IP subnet), works perfectly OK.
We are now wondering if rather than this being a firewall problem, it is actually an issue between iLO & NLB.
Does anyone have experience of similar problems?
Johnbu
Acclaimed Contributor

Re: iLO2 and ISA firewall

To provide further information & correct what could maybe be viewed as inaccurate in my previous post, we have noticed a discrepancy in the communication of iLO compared to other working nodes on the same subnet.
When ISA passes a frame to all nodes, the source MAC is that of the dedicated NIC (the MAC address that ISA spoofs for each NIC in the array based upon the NLB address by changing the second octet). However, when all other nodes reply, they use the virtual MAC of the array. When iLO replies, it uses the dedicated MAC of the ISA node that forwarded the frame / packet to it.
We believe that this is the reason why ISA is subsequently dropping the reply frames from iLO.
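The layer-2 inconsistency described in Johnbu's two posts can be checked mechanically from a capture rather than by eye. The following is an added example, not code from the thread or from HPE: it parses an Ethernet II/ARP frame and flags an ARP reply whose Ethernet destination disagrees with its ARP target hardware address, or a non-ARP reply (such as an ICMP echo reply) addressed to a node's dedicated MAC instead of the array's virtual MAC. All MAC and IP addresses are constructed placeholders, and the sample frames are built inline rather than taken from a real capture.

```python
import struct

# Constructed placeholder addresses for this example; none come from the thread.
ISA_NODE_MAC = "02:bf:0a:00:00:01"     # dedicated MAC of one ISA/NLB node
NLB_VIRTUAL_MAC = "02:bf:0a:00:00:63"  # virtual MAC shared by the NLB array
ILO_MAC = "00:1b:78:aa:bb:cc"          # the iLO2 management port
ETHERTYPE_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"             # htype ptype hlen plen oper sha spa tha tpa

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def mac_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))

def check_reply_frame(frame: bytes, node_mac: str, virtual_mac: str) -> list:
    """Return findings for a reply frame that an NLB array is likely to drop.
    ARP reply: Ethernet destination must equal the ARP target hardware address.
    Other replies: Ethernet destination should be the virtual MAC, not a node MAC."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    findings = []
    if ethertype == ETHERTYPE_ARP:
        fields = struct.unpack(ARP_FMT, frame[14:42])
        oper, tha = fields[4], fields[7]
        if oper == 2 and eth_dst != tha:  # 2 = ARP reply
            findings.append(f"ARP reply: eth dst {mac_str(eth_dst)} != ARP target {mac_str(tha)}")
    elif mac_str(eth_dst) == node_mac:
        findings.append(f"reply to dedicated node MAC {node_mac}, expected virtual {virtual_mac}")
    return findings

def build_arp_reply(eth_dst, eth_src, sha, spa, tha, tpa) -> bytes:
    """Construct an Ethernet II + ARP reply (test input, not a real capture)."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 2,
                      mac_bytes(sha), bytes(spa), mac_bytes(tha), bytes(tpa))
    return eth + arp

# As iLO replied in the thread: frame to the node MAC, ARP target = virtual MAC.
ILO_STYLE_ARP = build_arp_reply(ISA_NODE_MAC, ILO_MAC, ILO_MAC, [10, 0, 0, 20],
                                NLB_VIRTUAL_MAC, [10, 0, 0, 1])
# Consistent reply: Ethernet destination and ARP target agree.
CONSISTENT_ARP = build_arp_reply(NLB_VIRTUAL_MAC, ILO_MAC, ILO_MAC, [10, 0, 0, 20],
                                 NLB_VIRTUAL_MAC, [10, 0, 0, 1])
# Non-ARP reply (IPv4 EtherType, dummy payload) sent to the dedicated node MAC.
ICMP_TO_NODE = struct.pack("!6s6sH", mac_bytes(ISA_NODE_MAC), mac_bytes(ILO_MAC), 0x0800) + bytes(28)

if __name__ == "__main__":
    for frame in (ILO_STYLE_ARP, CONSISTENT_ARP, ICMP_TO_NODE):
        print(check_reply_frame(frame, ISA_NODE_MAC, NLB_VIRTUAL_MAC) or ["ok"])
```

To use it on a real capture, feed each raw reply frame (Ethernet header included) to check_reply_frame with the array's node and virtual MACs; any finding marks a frame the NLB host will not accept.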