Hi Patrick,

You are firewalled somewhere, because the services are reported as "filtered" by nmap; without a firewall they'd be reported as "closed" if nothing is listening on the port. The firewall makes it difficult to debug remotely.

aforti@vm26>nmap -P0 -p 2135,2170,443,3811 grid-arc-01.hpc.susx.ac.uk

Starting Nmap 6.40 ( http://nmap.org ) at 2019-11-29 13:48 GMT

aforti@vm26>nmap -P0 -p 2135,2170,443,2811 grid-arc-01.hpc.susx.ac.uk

Starting Nmap 6.40 ( http://nmap.org ) at 2019-11-29 13:48 GMT
Nmap scan report for grid-arc-01.hpc.susx.ac.uk (139.184.80.44)
Host is up.
PORT     STATE    SERVICE
443/tcp  filtered https
2135/tcp filtered gris
2170/tcp filtered eyetv
2811/tcp filtered gsiftp

Nmap done: 1 IP address (1 host up) scanned in 3.05 seconds


On 29/11/2019 14:32, Patrick Smith wrote:
Hi Alessandra,

My firewall ports that are open on the CE are below:

rich rules: 
    rule family="ipv4" port port="6445" protocol="tcp" accept
    rule family="ipv4" port port="2135" protocol="tcp" accept
    rule family="ipv4" port port="2811" protocol="tcp" accept
    rule family="ipv4" port port="443" protocol="tcp" accept
    rule family="ipv4" port port="9000-9300" protocol="tcp" accept
    rule family="ipv4" port port="9000-9300" protocol="udp" accept
    rule family="ipv4" port port="8443" protocol="tcp" accept
    rule family="ipv4" port port="2170" protocol="tcp" accept

Our perimeter firewall might be blocking access from outside but I am connecting from the local network and still getting the same issues so I don't believe it is a firewall issue.  I have temporarily turned the firewall off on the ARC CE server if you want to try again?

I am using firewalld rather than iptables as it is CentOS 7.

Thanks
Patrick

From: Testbed Support for GridPP member institutes [[log in to unmask]] on behalf of Gareth Roy [[log in to unmask]]
Sent: 29 November 2019 13:31
To: [log in to unmask]
Subject: Re: ARC CE6/LCMAPS/BDII

Hi Patrick,

 

I’ve not seen that error before. If I try and contact your CE externally, I can’t get access to it on 443 or 2135 (for ldap), so there may still be firewall issues somewhere.

 

If you try a:

 

arcinfo -d DEBUG -c grid-arc-01.hpc.susx.ac.uk

 

It will try and contact all of the standard endpoints to gather info and print out a large amount of information about it. We don't actually have a 443 endpoint up at Glasgow; for instance, if you try:


[vagrant@localhost vagrant]$ arcinfo -c ce01.gla.scotgrid.ac.uk:443/arex

ERROR: Failed to retrieve information from the following endpoints:
  ce01.gla.scotgrid.ac.uk:443/arex


but:


[vagrant@localhost vagrant]$ arcinfo -c ce01.gla.scotgrid.ac.uk

Computing service:  (production)
  Submission endpoint: https://ce01.gla.scotgrid.ac.uk:443/arex (status: critical, interface: org.nordugrid.arcrest)
  Submission endpoint: https://ce01.gla.scotgrid.ac.uk:443/arex (status: critical, interface: org.ogf.glue.emies.activitycreation)
  Submission endpoint: gsiftp://ce01.gla.scotgrid.ac.uk:2811/jobs (status: ok, interface: org.nordugrid.gridftpjob)

As it's actually scraping data from the ldap endpoint.


The -d DEBUG flag should hopefully give you more info to try and see what's going on. You could also see if there is an upstream filter blocking traffic.


Thanks,


Gareth

 

 

 

From: Testbed Support for GridPP member institutes <[log in to unmask]> On Behalf Of Patrick Smith
Sent: 29 November 2019 12:41
To: [log in to unmask]
Subject: ARC CE6/LCMAPS/BDII

 

Hello,

 

I have set up our ARC CE6/LCMAPS/BDII but get the following error when I try to test it remotely. Has anyone seen this before? I don't appear to have any SSL certificates installed in the usual places.

Thanks

Patrick

 

$ arcinfo -c grid-arc-01.hpc.susx.ac.uk/arex
ERROR: Failed to retrieve information from the following endpoints:
  grid-arc-01.hpc.susx.ac.uk/arex (Fault received from
https://grid-arc-01.hpc.susx.ac.uk:443/arex: Failed to send SOAP message: TLS: GENERIC_ERROR (SSL error, "sslv3 alert certificate expired", in "SSL3_READ_BYTES" function, at "SSL routines" library, with "decryption failed" alert))
 
$ arcinfo -c grid-arc-01.hpc.susx.ac.uk/arex
ERROR: Failed to retrieve information from the following endpoints:
  grid-arc-01.hpc.susx.ac.uk/arex (Fault received from
https://grid-arc-01.hpc.susx.ac.uk:443/arex: Not authorized: GENERIC_ERROR (Security error: 1))

 

on grid-arc-01.hpc.susx.ac.uk:

----------------------------------------------------------------------------------------------------------------

 

# arcctl service list
arc-acix-index                   (Not installed, Disabled, Stopped)
arc-acix-scanner                 (Not installed, Disabled, Stopped)
arc-arex                         (Installed, Enabled, Running)
arc-datadelivery-service         (Not installed, Disabled, Stopped)
arc-gridftpd                     (Installed, Enabled, Running)
arc-infosys-ldap                 (Installed, Enabled, Running)

----------------------------------------------------------------------------------------------------------------

arc-gridftpd.service - ARC gridftpd
   Loaded: loaded (/usr/lib/systemd/system/arc-gridftpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2019-11-28 16:11:27 GMT; 19h ago

 

arc-arex.service - ARC Resource-coupled EXecution service
   Loaded: loaded (/usr/lib/systemd/system/arc-arex.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2019-11-28 16:11:32 GMT; 19h ago

----------------------------------------------------------------------------------------------------------------

  rich rules: 
    rule family="ipv4" port port="6445" protocol="tcp" accept
    rule family="ipv4" port port="2135" protocol="tcp" accept
    rule family="ipv4" port port="2811" protocol="tcp" accept
    rule family="ipv4" port port="443" protocol="tcp" accept
    rule family="ipv4" port port="9000-9300" protocol="tcp" accept
    rule family="ipv4" port port="9000-9300" protocol="udp" accept
    rule family="ipv4" port port="8443" protocol="tcp" accept
    rule family="ipv4" port port="2170" protocol="tcp" accept

----------------------------------------------------------------------------------------------------------------

/etc/grid-security/hostcert.pem:

 

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 56252 (0xdbbc)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=UK, O=eScienceCA, OU=Authority, CN=UK e-Science CA 2B
        Validity
            Not Before: Sep 30 14:46:02 2019 GMT
            Not After : Oct 29 14:46:02 2020 GMT
        Subject: C=UK, O=eScience, OU=Sussex, L=PhysicsAndAstronomy, CN=grid-arc-01.hpc.susx.ac.uk

 


To unsubscribe from the TB-SUPPORT list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=TB-SUPPORT&A=1





-- 
Inference: a conclusion reached on the basis of evidence and reasoning
Respect is a rational process. \\//
For Ur-Fascism, disagreement is treason. (U. Eco)
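
Added example, not part of the original thread: the "filtered" versus "closed" distinction from the nmap output at the top of this message, reproduced with a plain TCP connect so it can be run from the local network and from outside to find where packets are being dropped. The function names and the loopback demo are constructed for this example.

```python
import errno
import socket


def state_from_error(exc):
    """Map a failed connect() to the port state nmap would report."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        # No answer at all: something on the path dropped the SYN.
        return "filtered"
    if isinstance(exc, ConnectionRefusedError):
        # A RST came back: the host is reachable, nothing listens there.
        return "closed"
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH,
                                                  errno.ENETUNREACH):
        # ICMP unreachable/prohibited reply from a firewall or router;
        # nmap also reports this case as filtered.
        return "filtered"
    raise exc  # DNS failure or another error that is not a port state


def classify_port(host, port, timeout=2.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return state_from_error(exc)


def demo_local():
    """Constructed loopback demo: one listening port, one unused port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    unused = socket.socket()
    unused.bind(("127.0.0.1", 0))
    closed_port = unused.getsockname()[1]
    unused.close()  # port is now free, so a connect gets a RST
    try:
        return (classify_port("127.0.0.1", listener.getsockname()[1]),
                classify_port("127.0.0.1", closed_port))
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo_local())
```

If a port reads "filtered" from outside but "open" or "closed" from a host on the same subnet as the CE, the drop is happening upstream of the CE's own firewalld.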

