Netsight server doesn't start its services - firewall in the path to Internet

Symptoms
The Netsight server was restarted and reboots successfully.
Oneview and other web-based Netsight apps work as expected.
Thick (Java) clients such as Console and other Java-based apps open and show the login page, but after the credentials are entered the following message pops up: "The server has not started yet, please try again later."
Environment
Netsight: 7.0.6.x or earlier
Firewall: Fortigate
 
Cause
One of the Netsight suite components is a vulnerability scanning agent (Saint). At every server restart the system tries to update itself with new vulnerability definitions published for Saint on Extreme's website. One such URL is http://www.enterasys.com/netsight-renew/netsight-saint/6.3.0/saint_update.xml

There are two possible cases:
- Netsight has no Internet access: the request to that URL times out (15 sec), then JBoss server startup continues
- Netsight has Internet access: it opens a TCP connection to that URL and downloads the definitions if they are newer.

For the Java app's URL request to time out, the 3-way TCP handshake to that URL must not be answered (SYN not followed by SYN/ACK), or the TCP SYN must get a Reject.

What happened:
- The firewall allowed the 3-way TCP handshake to complete, then blocked everything else
- The Java app that updates the Saint definitions saw that the URL connection was open and waited for data before continuing
- Unfortunately the Java app didn't have a timeout of its own (like "close URL if no data received after X seconds"), so it hung in that state
 
Resolution
1) Configure the firewall to block/reject any TCP attempt from Netsight
2) or allow Netsight to access ports 80/443 on *.enterasys.com and *.extremenetworks.com

As a safety measure against this issue occurring in the future, we modified our code to put a timeout on the Java app if data doesn't arrive on an opened URL connection.
This change was added in software version 7.0.8.34 or higher.
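
The failure mode described under Cause, reproduced as an added Java example (not Extreme's code): a listening socket that never calls accept() stands in for the firewall, because the OS completes the TCP handshake and then no data ever arrives. The class name, the `fetch` helper, the loopback URL and the timeout values are assumptions chosen for the demonstration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.SocketTimeoutException;
import java.net.URI;
import java.net.URL;
import java.net.URLConnection;

public class UpdateFetchTimeout {

    // Hypothetical helper: fetch a definitions file with BOTH timeouts set.
    // URLConnection defaults both to 0, which means "wait forever".
    static byte[] fetch(URL url, int connectMs, int readMs) throws IOException {
        URLConnection conn = url.openConnection();
        conn.setConnectTimeout(connectMs); // SYN dropped: no SYN/ACK comes back
        conn.setReadTimeout(readMs);       // handshake completed, then silence
        try (InputStream in = conn.getInputStream()) {
            return in.readAllBytes();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the firewall: the socket listens, so the
        // kernel answers SYN with SYN/ACK, but nothing ever reads or replies.
        InetAddress loopback = InetAddress.getByName("127.0.0.1");
        try (ServerSocket silent = new ServerSocket(0, 1, loopback)) {
            URL url = URI.create("http://127.0.0.1:" + silent.getLocalPort()
                    + "/saint_update.xml").toURL();
            long start = System.nanoTime();
            try {
                fetch(url, 15_000, 2_000);
                System.out.println("unexpected: data received");
            } catch (SocketTimeoutException e) {
                long ms = (System.nanoTime() - start) / 1_000_000;
                // With readMs = 0 this line is never reached: the caller
                // blocks in getInputStream() and startup would stall.
                System.out.println("gave up after " + ms + " ms: " + e.getMessage());
            }
        }
    }
}
```

The connect timeout alone does not help in this case, since the connection is established successfully; only the read timeout bounds the wait for data that never arrives.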