× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



I have an lpar GDWEB in our DMZ. It does an
EXPORTFS OPTIONS('-I -O') DIR('/tmp')

Another lpar in our internal network has a directory called /gdweb/tmp
It can ping the DMZ system.
It executes this command:
MOUNT TYPE(*NFS)
MFS('gdweb:/tmp')
MNTOVRDIR('/gdweb/tmp')
OPTIONS('rw,suid,retry=5,rsize=32768,wsize=32768,timeo=20,retrans=5,acregmin=30,acregmax=60,acdirmin=30,acdirmax=60,soft,async,sec=sys,vers=3:2,nocache')
It fails with CPFA0E2
Message . . . . : System unable to establish a communications connection to
a file server.
Cause . . . . . : An attempt was made to perform an operation on object /tmp
that required interaction with a file server. However, a communications
connection could not be established with the file server. There may be a
possible configuration problem.

I ran the following before executing that command
STRCMNTRC CFGOBJ(LANLINGB) CFGTYPE(*LIN) MAXSTG(32M)
As soon as the command failed I ran
ENDCMNTRC CFGOBJ(LANLINGB) CFGTYPE(*LIN)
Then I ran
PRTCMNTRC CFGOBJ(LANLINGB) CFGTYPE(*LIN) FMTTCP(*YES) TCPIPADR('208.87.182.2')
I received
CPF39B9:
Message . . . . : No trace records found for printing trace LANLINGB type
*LIN
Cause . . . . . : No trace data exists for the formatting options specified
on the Print Communications Trace (PRTCMNTRC) command for trace LANLINGB
type *LIN.

I strongly suspect the firewall is blocking the NFS port. I'd like to have some way to show this when talking to the network guy.
Do items only show up in a communications trace if they get all the way through? Is there some way to see the blocked items in the trace?

The network guy is acting a little stressed lately. And the boss has put out some directives to block all ports that are not being used. I think what happens is that the use was sporadic, or sometimes only happens when we do a HA switch, and didn't get logged as in use. I'm really fighting the battle that all communications should be email. I can get them to see the light but I just really have to show the business need.
On the bright side, this should really cut down on the "let's change all of our IP addresses on a whim" incidences when the work is this much for the network team.

I also did a little googling and got
https://serverfault.com/questions/377170/which-ports-do-i-need-to-open-in-the-firewall-to-use-nfs

It is also exacerbated by the fact that IBM fails to allow us to bind many of the clients to a particular address. So if our internal machine supports multiple IP addresses (perhaps for different websites, domino, etc) then we have to allow all those IP addresses permission to access the DMZ lpar as the NFS client could use any of them at a particular time.
See also:
https://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=88068
<snip>
The CAAC has reviewed this requirement and views this as a high priority requirement that is important to be addressed.
Dawn May - CAAC Program Manager
Posted by DawnMay on 25 Apr 2017
</snip>

Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.