Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: IPMP group failed on Solaris 9
Operating Systems Solaris IPMP group failed on Solaris 9 Post 303038575 by hicksd8 on Friday 6th of September 2019 12:10:27 PM
Old 09-06-2019
I have read your post#1 countless times and I must confess that I am at a loss to understand your question. Sorry about that I cannot give you a specific answer as a result.

So what I will do is bash some keys a provide some general network interface information as it pertains to Solaris 9. I apologize if you already know all this but we have to start somewhere. This might be a long post before I'm finished, I don't know, it's just going to be as it comes (into my head).

Why are you seemingly just plumbing missing IP addresses that you can't ping onto another system? With IPMP the same IP address is aggregated across two or more NICs (on the same machine).

If you want to configure IPMP you would do that BEFORE you 'plumb'. For example if you have interfaces bge0 and bge1, you would create an aggregate interface 'aggr1' for example and after that you would plumb and configure only aggr1. You would not try to configure bge0 and bge1 individually any more.

Now Solaris 9 will look for files /etc/hostname.<interface> at boot time and try to plumb those interfaces. If this system was restored from a different hardware platform, then you might for example have a file /etc/hostname.ce0 existing causing Solaris to try to plumb ce0 at boot-time when ce0 doesn't actually exist on this hardware. To stop Solaris from trying to plumb ce0 simply delete the /etc/hostname.ceo file.

When Solaris finds a file /etc/hostname.<interface> at boot-time, it reads the hostname from this file and then (assuming the interface is not configured for DHCP of course) goes to /etc/hosts and looks up the IP address it should use on this interface.

If you aggregate bge0 and bge1 into aggr1, then a file /etc/hostname.aggr1 is created which Solaris will try to plumb at boot-time.

Now, you are trying to get a FAIL message for ce0 to disappear, yes? I can think of only two possibilities why a system would complain about ce0 FAIL:

1. File /etc/hostname.ce0 exists but actual interface ce0 does not exist on this hardware. Delete the file.
2. The interface ce0 does not exist on this platform but is included in an aggregate IPMP configuration that has been restored from a different hardware platform. Down the aggregate interface and delete the IPMP configuration, then recreate the aggregate with interfaces that do exist on this platform and exclude ce0 which doesn't.

Aggregating interfaces has nothing to do with other systems on the LAN. Provided the network cables from the aggregated interfaces go to network switch(es) that understand multi-pathing then all should be well.

I'm going to stop there. If I've completely misunderstood your question then please give us a clue what this is about please.

Hope that helps in some way.
 

9 More Discussions You Might Find Interesting

1. Solaris

Solaris IP Multipathing (IPMP) Help

Hello All, I work for a Health care company at a local trauma hospital. I maintain a Picture Archiving and Communication System (PAC's). Basically, any medical images (X-Ray, CT, MRI, Mammo, etc) are stored digitally on the servers for viewing and dictation from diagnostic stations. I took over... (10 Replies)
Discussion started by: mainegeek
10 Replies

2. Solaris

Does Veritas Cluster work with IPMP on Solaris 10?

Does Veritas Cluster work with IPMP on Solaris 10? If anyone has set it up do you have a doc or tips? I have heard several different statements ranging from , not working at all to Yes it works! Great How? * Test and Base IPs???? * configure the MultiNICB agent ? I can give details... (1 Reply)
Discussion started by: dfezz1
1 Replies

3. Solaris

IPMP group failure when gateway not detected

A problem happened with me, I was configuring IP for two network interfaces, and when I rebooted the system, everything is working but after like 3 or 5 minutes it will tell me that the whole IPMP group has failed ! I tried to troubleshoot, so I found that the gateway is not reachable..so I... (4 Replies)
Discussion started by: Sun Fire
4 Replies

4. Solaris

how to configure IPMP in solaris 9

Hi friends , can anyone provide me the complete steps to configure IPMP in solaris 9 or 10 provided i have two NIC card ? regards jagan (4 Replies)
Discussion started by: jaganblore
4 Replies

5. Solaris

Solaris IPMP

Can any one please explain me the concept behind IPMP in solaris clustering.Basic explanation would be really appreciated... Thanks in Advance vks (2 Replies)
Discussion started by: vks47
2 Replies

6. Solaris

Solaris 10 branded zone with IPMP

All. I am trying to create a 10 branded zone on a Sol 11.1 T5. The Global is using IPMP...so aggregating is out of the question. Has anyone successfully created a branded zone with IPMP? If they have can you please show me the steps you took to get this to run. Thanks (4 Replies)
Discussion started by: aeroforce
4 Replies

7. Solaris

IPMP over aggregate in Solaris 11

hi all, i start with solaris 11 and i am disapointed by the change on ip managing. i want to set a ipmp over tow aggregate but i dont find any doc and i am lost with the new commande switch1 net0 aggregate1 | net1 aggregate1 |-----| |... (1 Reply)
Discussion started by: sylvain
1 Replies

8. Solaris

New to Solaris IPMP (conversion from Linux)

Hi all, I been reading examples of how to setup IPMP and how it differs from Etherchannel. However, i am still unsure of how it really works and i hope gurus here can shed some light on the questions I have below while i will lab it up for my own test -> q1) for IPMP, there is no such thing... (23 Replies)
Discussion started by: javanoob
23 Replies

9. Solaris

Solaris 10 IPMP - failback=no

Hi all, Just a few questions -> Is an "OFFLINE" interface going back to "ONLINE" consider as a failback by IPMP ? I have "FAILBACK=no" in my /etc/default/mpathd; however when i do the following (igb0 and igb7 are in the same ipmp link based group) q1) why does "if_mpadm -r igb7" cause... (0 Replies)
Discussion started by: javanoob
0 Replies

LEARN ABOUT DEBIAN

ipsec_policy

IPSEC_POLICY(8) 						  [FIXME: manual]						   IPSEC_POLICY(8)

NAME

       ipsec_policy - list of existing policy

SYNOPSIS

       ipsec policy

DESCRIPTION

       Note that policy is only supported on the new NAST stack. It is not supported on any other stack. On the klips stack, use ipsec eroute, on
       the netkey stack, use ip xfrm

       lists the IPSEC policy tables (aka eroutes) which control what (if any) processing is applied to non-encrypted packets arriving for IPSEC
       processing and forwarding.

       A table entry consists of:

       +
	   packet count,

       +
	   source address with mask and source port (0 if all ports or not applicable)

       +
	   a '->' separator for visual and automated parsing between src and dst

       +
	   destination address with mask and destination port (0 if all ports or not applicable)

       +
	   a '=>' separator for visual and automated parsing between selection criteria and SAID to use

       +
	   SAID (Security Association IDentifier), comprised of:

       +
	   protocol (proto),

       +
	   address family (af), where '.' stands for IPv4 and ':' for IPv6

       +
	   Security Parameters Index (SPI),

       +
	   effective destination (edst), where the packet should be forwarded after processing (normally the other security gateway) together
	   indicate which Security Association should be used to process the packet,

       +
	   a ':' separating the SAID from the transport protocol (0 if all protocols)

       +
	   source identity text string with no whitespace, in parens,

       +
	   destination identity text string with no whitespace, in parens

       Addresses are written as IPv4 dotted quads or IPv6 coloned hex, protocol is one of "ah", "esp", "comp" or "tun" and SPIs are prefixed
       hexadecimal numbers where the prefix '.' is for IPv4 and the prefix ':' is for IPv6

       SAIDs are written as "protoafSPI@edst". There are also 5 "magic" SAIDs which have special meaning:

       +
	   %drop means that matches are to be dropped

       +
	   %reject means that matches are to be dropped and an ICMP returned, if possible to inform

       +
	   %trap means that matches are to trigger an ACQUIRE message to the Key Management daemon(s) and a hold policy will be put in place to
	   prevent subsequent packets also triggering ACQUIRE messages.

       +
	   %hold means that matches are to stored until the policy is replaced or until that policy gets reaped

       +
	   %pass means that matches are to allowed to pass without IPSEC processing

EXAMPLES

       1867 172.31.252.0/24:0 -> 0.0.0.0/0:0 => tun0x130@192.168.43.1:0

	() ()

       means that 1,867 packets have been sent to an policy that has been set up to protect traffic between the subnet 172.31.252.0 with a subnet
       mask of 24 bits and the default address/mask represented by an address of 0.0.0.0 with a subnet mask of 0 bits using the local machine as a
       security gateway on this end of the tunnel and the machine 192.168.43.1 on the other end of the tunnel with a Security Association
       IDentifier of tun0x130@192.168.43.1 which means that it is a tunnel mode connection (4, IPPROTO_IPIP) with a Security Parameters Index of
       130 in hexadecimal with no identies defined for either end.

       746 192.168.2.110/32:0 -> 192.168.2.120/32:25 => esp0x130@192.168.2.120:6

	() ()

       means that 746 packets have been sent to an policy that has been set up to protect traffic sent from any port on the host 192.168.2.110 to
       the SMTP (TCP, port 25) port on the host 192.168.2.120 with a Security Association IDentifier of tun0x130@192.168.2.120 which means that it
       is a transport mode connection with a Security Parameters Index of 130 in hexadecimal with no identies defined for either end.

       125 3049:1::/64 -> 0:0/0 => tun:130@3058:4::5 () ()

       means that 125 packets have been sent to an policy that has been set up to protect traffic between the subnet 3049:1:: with a subnet mask
       of 64 bits and the default address/mask represented by an address of 0:0 with a subnet mask of 0 bits using the local machine as a security
       gateway on this end of the tunnel and the machine 3058:4::5 on the other end of the tunnel with a Security Association IDentifier of
       tun:130@3058:4::5 which means that it is a tunnel mode connection with a Security Parameters Index of 130 in hexadecimal with no identies
       defined for either end.

       42 192.168.6.0/24:0 -> 192.168.7.0/24:0 => %passthrough

       means that 42 packets have been sent to an policy that has been set up to pass the traffic from the subnet 192.168.6.0 with a subnet mask
       of 24 bits and to subnet 192.168.7.0 with a subnet mask of 24 bits without any IPSEC processing with no identies defined for either end.

       2112 192.168.8.55/32:0 -> 192.168.9.47/24:0 => %hold (east) ()

       means that 2112 packets have been sent to an policy that has been set up to hold the traffic from the host 192.168.8.55 and to host
       192.168.9.47 until a key exchange from a Key Management daemon succeeds and puts in an SA or fails and puts in a pass or drop policy
       depending on the default configuration with the local client defined as "east" and no identy defined for the remote end.

       2001 192.168.2.110/32:0 -> 192.168.2.120/32:0 =>

	esp0xe6de@192.168.2.120:0 () ()

       means that 2001 packets have been sent to an policy that has been set up to protect traffic between the host 192.168.2.110 and the host
       192.168.2.120 using 192.168.2.110 as a security gateway on this end of the connection and the machine 192.168.2.120 on the other end of the
       connection with a Security Association IDentifier of esp0xe6de@192.168.2.120 which means that it is a transport mode connection with a
       Security Parameters Index of e6de in hexadecimal using Encapsuation Security Payload protocol (50, IPPROTO_ESP) with no identies defined
       for either end.

       1984 3049:1::110/128 -> 3049:1::120/128 =>

	ah:f5ed@3049:1::120 () ()

       means that 1984 packets have been sent to an policy that has been set up to authenticate traffic between the host 3049:1::110 and the host
       3049:1::120 using 3049:1::110 as a security gateway on this end of the connection and the machine 3049:1::120 on the other end of the
       connection with a Security Association IDentifier of ah:f5ed@3049:1::120 which means that it is a transport mode connection with a Security
       Parameters Index of f5ed in hexadecimal using Authentication Header protocol (51, IPPROTO_AH) with no identies defined for either end.

SEE ALSO

       ipsec(8), ipsec_tncfg(5), ipsec_spi(5), ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_eroute(8), ipsec_version(5), ipsec_pf_key(5),
       ipsec_eroute(5)

HISTORY

       Written for the Openswan project <http://www.openswan.org/> by Bart Trojanowski.

[FIXME: source] 						    10/06/2010							   IPSEC_POLICY(8)
All times are GMT -4. The time now is 01:33 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy