Not sure if you got this resolved; I didn't see you say so.
Since 10.0.10.230 is the only address reachable from 192.168.1.x, is the routing table on it different from that of the IBM i?
Also, be sure you don't have any explicit "block/deny" entries in the firewall you weren't expecting.
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Pete Helgren
Sent: Tuesday, January 15, 2013 16:12
To: Midrange Systems Technical Discussion
Subject: Cannot connect to IBM i through anything but local switch
This *sounds* like a routing issue but some of this doesn't add up. At one point my IBM i (6.1) was:
1. Accessible from a different local logical and physical network using 5250 port 992 and HTTP and HTTPS.
2. Accessible from the external (Internet) with HTTP and HTTPS (as it should be, filtered by the firewall).
This is one of those classic "It worked before and now doesn't work but nothing changed" scenarios (of course, *something* changed).
BladeCenter S with a few blades in it. All but my JS-12 are 'sleeping' at the moment.
There is one switch at the BCS end. All devices on the switch are on the same physical and logical network (10.0.10.0). That switch (remote) is connected to the local switch over a fiber link (both local and remote switches are NetGear 24 port GB switches). There are two interfaces plugged into the local switch: my laptop and a connection to the firewall (10.0.10.2 - it's the gateway) so essentially the remote and local switch are on the same physical and logical network, it just has a fiber link between the two.
IBM i is at 10.0.10.205 and the BCS Chassis (AMM) is at 10.0.10.230 on the remote switch. My laptop on the local switch is at 10.0.10.50. All connected interfaces are subnetted to the 10.0.10.0 network (255.255.255.0). Neither switch is VLAN'ed.
From my laptop on the *local* switch I can ping the gateway (10.0.10.2) and the outside world. I can ping the interface on the i (10.0.10.205) and interface on the AMM (10.0.10.230). I can bring up a web site on the IBM i at address 10.0.10.210. I can bring up the AMM web interface at 10.0.10.230 on the BCS. Basically, everything is accessible to my laptop when it is on the local switch. So far so good.
On a second switch on a different interface on the firewall (192.168.1.0 network) I have no such luck now. It *was* working just the same as being on the local switch: I pretty much had access to all interfaces on the IBM i blade and the BCS chassis. Also, there is a firewall route that sends all traffic on 22.214.171.124 to the internal address of 10.0.10.210. None of that works now. From the 192.168.2.0 network I can only get to one interface: The BCS AMM interface at 10.0.10.230 (it too is subnetted to /24 255.255.255.0).
I fully understand that I should get to all the interfaces on the 10.0.10.0 network when I am on the switch. What I am having trouble understanding is how I can get to ONLY one interface on that network when I am on the 192.168.1.0 network. If it was purely a routing issue, then it would be all or nothing (or follow a subnetting pattern). Why can't I get to 10.0.10.205 or 10.0.10.210 when I can get to 10.0.10.230? The common denominator for all the inaccessible interfaces (inaccessible from the other network) is that they are all on the JS-12 Blade.
This may be TMI to solve the issue but if you have any ideas or insights I'd love to hear them. Basically the issue is: On the local switch I can get to all ports and all addresses. From another NIC on the firewall (different physical and logical network) I can get to ONLY 1 interface, all others are inaccessible. I changed the Ethernet config on the IBM i side (since it has all the interfaces that cannot be reached). The config is:
Line speed . . . . . . . . . . . . : 1G
Current line speed . . . . . . . . : 1G
Duplex . . . . . . . . . . . . . . : *AUTO (This was set to *FULL but I reset it to *AUTO)
Current duplex . . . . . . . . . . : *FULL
Serviceability options . . . . . . : *NONE
Maximum frame size . . . . . . . . : 1496
I have thunk and thunk and thunk about this for about two weeks and I haven't had any epiphanies as to why I have the issue. It's a firewall issue or some weird config problem.
GIAC Secure Software Programmer-Java
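The routing-table comparison suggested in the reply at the top, as an added example that is not part of the thread: it looks up where each host would send its reply to a client on either network. The routing tables, the client 192.168.1.20 and the gateway 10.0.10.1 are constructed assumptions; only 10.0.10.2, 10.0.10.50 and 10.0.10.230 come from the messages.

```python
import ipaddress

FIREWALL = "10.0.10.2"  # gateway address given in the thread

def next_hop(routes, dst):
    """Longest-prefix match: gateway, 'direct' if on-link, None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None

def reply_verdict(routes, client):
    """Classify where a host would send its reply to `client`."""
    hop = next_hop(routes, client)
    if hop is None:
        return "no route: reply dropped"
    if hop in ("direct", FIREWALL):
        return "ok"
    return f"reply sent to {hop}, not the firewall"

# Constructed routing tables (assumptions for illustration only).
# 10.0.10.1 is a hypothetical leftover gateway, not an address from the thread.
TABLES = {
    "AMM 10.0.10.230, default route present": [
        ("10.0.10.0/24", "direct"), ("0.0.0.0/0", FIREWALL)],
    "host, default route missing": [
        ("10.0.10.0/24", "direct")],
    "host, stale specific route": [
        ("10.0.10.0/24", "direct"), ("0.0.0.0/0", FIREWALL),
        ("192.168.1.0/24", "10.0.10.1")],
}

def compare(clients):
    """Verdict for every (host table, client) pair."""
    return {(name, c): reply_verdict(routes, c)
            for name, routes in TABLES.items() for c in clients}

if __name__ == "__main__":
    # 10.0.10.50 is the laptop from the thread; 192.168.1.20 is constructed.
    for (name, client), verdict in compare(["10.0.10.50", "192.168.1.20"]).items():
        print(f"{name:40} <- {client:13} {verdict}")
```

Every table answers the on-link laptop, so a per-host difference only shows up for clients behind the firewall.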