SLP Directory Agent (port 427) - internal network goes down

Due to some VPN problems with corporate headquarters, I had to switch out my current firewall (Instagate EX2) with a new SonicWall. Whenever we tried to switch over to the new SonicWall, my entire internal network went down. I was not able to log in to the different Xserves for their appropriate services. Examples included the email server, FTP server, and a special application server we use for news editing. All Xserves run OS X Server 10.4. Our clients range from PowerMacs to Mac Minis and Mac Pros - all running OS X 10.4 with a few running 10.3. Symptoms of the problems include the following: when trying to connect to the email server, it just sits saying "Connecting to 10.1.2.x...", and the same thing happens for the FTP services. The newsroom software, which usually takes 1 - 2 seconds to log into, then takes 45 seconds or so. Several techs looked at the problem without any suggestions about what to do to fix it.

We have a Juniper Netscreen router provided by our ISP that connects to the Instagate firewall and to the network itself. Upon looking at the logs, it was discovered that the OS X stations' IPs were using port 427 - which is used by SLP. One of the techs said that is what is taking our network down when we disconnect the Instagate router from the network (because it evidently is passing this SLP traffic onto the Netscreen router). So when the Netscreen router comes off the network, none of the services on the Xserves work because of this. They said I needed to disable port 427 on the Netscreen, but if I do this, isn't this having the same effect as taking the network down? Then I was told to set up a Directory Agent to handle this traffic. But they didn't provide any instructions to me on how to set this up on the network or on OS X Server.

Does anyone have any guidance or suggestions regarding this?

Thanks,
G

Mac Pro, Mac OS X (10.4.11)

Posted on Jan 7, 2009 11:04 AM


Jan 10, 2009 4:14 PM in response to Grayson_S

I had the ISP's tech in today with proper network analysis software to see what's going on.

We discovered that it is not SLP that is causing problems as one tech had suggested. Anytime that the internet access was disconnected from the network, the access to services on the OS X Servers goes down or is extremely slow. So we began to look at the DNS entries and realized that if we removed DNS then the servers refused access; if DNS entries were made (using OpenDNS), then the servers work.

For example, we use the mail server component of OS X Server 10.4 for our email services. We cannot access the internal server (via IP) without the Xserve having an entry in DNS. Put in OpenDNS servers, and things work like they should. The same scenario applies to any services (FTP, NewsEdit, etc.) that are on the OS X Servers. I guess what I'm not understanding is why does everything work internally as long as the OS X Servers have something listed for DNS - even though the DNS is an external DNS IP? Because it is external, outside of the network, it's not like the mail server or clients are resolving the private IPs (which there's nothing to resolve since we use IP numbers for connection purposes).

Jan 11, 2009 4:57 AM in response to Grayson_S

Many OS X services need a correctly set up DNS for forward and reverse lookups.

If the server/LAN use private IPs you need a private IP DNS.

The server and clients should use only this private IP DNS to find services on the server and LAN, as it is the only one knowing about your private IP LAN names and IPs.

This private IP DNS also usually acts as the DNS for public IP name/IP lookups, and you often use your ISP DNS servers as forwarders in the DNS server to get faster DNS replies for public IP/name lookups.
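
Added example, not part of the thread or written by any poster: a Python check that each server name has a forward (A) record and that every address it resolves to has a reverse (PTR) record pointing back at the same name, which is the condition the reply above describes. The host names, the 10.1.2.x addresses and the sample tables are constructed for illustration; with no arguments `check_host` uses whatever resolver the machine is configured with.

```python
import socket

def system_forward(name):
    """A-record lookup through the resolver this host is configured to use."""
    return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}

def system_reverse(ip):
    """PTR lookup through the same resolver."""
    return socket.gethostbyaddr(ip)[0]

def check_host(name, forward=system_forward, reverse=system_reverse):
    """Return a list of problems for one server name. An empty list means the
    forward (name -> IP) and reverse (IP -> name) records agree."""
    try:
        ips = sorted(forward(name))
    except OSError as exc:  # socket.gaierror and socket.herror derive from OSError
        return [f"{name}: no forward (A) record ({exc})"]
    problems = []
    for ip in ips:
        try:
            ptr = reverse(ip).rstrip(".").lower()
        except OSError as exc:
            problems.append(f"{name}: {ip} has no reverse (PTR) record ({exc})")
            continue
        if ptr != name.rstrip(".").lower():
            problems.append(f"{name}: {ip} reverses to {ptr}, not {name}")
    return problems

# Constructed sample data standing in for a private-IP DNS zone (hypothetical names).
SAMPLE_A = {"mail.example.lan": {"10.1.2.10"}, "ftp.example.lan": {"10.1.2.11"},
            "news.example.lan": {"10.1.2.12"}}
SAMPLE_PTR = {"10.1.2.10": "mail.example.lan.", "10.1.2.12": "xserve3.example.lan."}

def sample_forward(name):
    if name not in SAMPLE_A:
        raise OSError("name not found")
    return SAMPLE_A[name]

def sample_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise OSError("host not found")
    return SAMPLE_PTR[ip]

if __name__ == "__main__":
    for host in ["mail.example.lan", "ftp.example.lan", "news.example.lan", "db.example.lan"]:
        for line in check_host(host, sample_forward, sample_reverse) or [f"{host}: OK"]:
            print(line)
```

Running `check_host` for every server name from both a server and a client, before and after a firewall change, shows whether the lookups still succeed against the DNS the LAN actually uses.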
