3 Replies Latest reply: Feb 1, 2012 12:18 PM by Dave Smulsky

    Multiple SGD Gateways to one SGD server - cannot connect

    Dave Smulsky
      I am having an issue bringing up a new SGDG. We have all the certificates and gateways configured, but I seem to be running into the --security-gateway setting issue.

      Does anyone see an issue with this?

      Both SGD servers sit in a DMZ, which are NATTed 172.16.254.41 and 172.16.160.10. I have my SGD server NATTed to 172.16.(254/160).35 and I've tested both port 443 and 5307 from sgdusa2 and they can communicate fine.

      ./tarantella config edit --security-gateway "172.16.254.41:sgdg:sgdusa.XXXXXXXX.com:443;172.16.160.10:sgdg:sgdusa2.XXXXXXXXX.com:443;*:direct:amralbvdi01"

      My sgdusa (172.16.254.41) gateway works fine, but when I try to use my sgdusa2 gateway the client never connects and errors out with "Cannot connect to server amralbvdi01.XXXXXXX.com:5307"

      Thanks
      Dave
        • 1. Re: Multiple SGD Gateways to one SGD server - cannot connect
          user12629685
          There is nothing obviously wrong with the setting, so these suggestions are just to help identify the problem:

          1) Simplify: lose sgdusa
          "172.16.160.10:sgdg:sgdusa2.XXXXXXXXX.com:443;*:direct:amralbvdi01"

          2) Reverse the order:
          "172.16.160.10:sgdg:sgdusa2.XXXXXXXXX.com:443;172.16.254.41:sgdg:sgdusa.XXXXXXXX.com:443;*:direct:amralbvdi01"

          Does either of these changes affect what happens?
          • 2. Re: Multiple SGD Gateways to one SGD server - cannot connect
            806512
            Dave wrote:

            ./tarantella config edit --security-gateway "172.16.254.41:sgdg:sgdusa.XXXXXXXX.com:443;172.16.160.10:sgdg:sgdusa2.XXXXXXXXX.com:443;*:direct:amralbvdi01"

            The delimiter in your command is invalid; separate each filter-spec entry with "commas".

            Anyway, you do realize that the "IP addresses" you've specified in your filter-spec apply to "client" connections, not "gateway" connections, right?

            That is, a client with the IP address .41 will route through gateway sgdusa, a client connecting with IP address .10 will route through sgdusa2, and everyone else will connect directly to amralbvdi01 - not sure that's what you want.

            And why two gateways for one server? For a load-balanced deployment, you'll want a load-balancer, like:

            http://docs.oracle.com/cd/E19351-01/821-1924/bbjbbijh.html#bbjdeeeh
            • 3. Re: Multiple SGD Gateways to one SGD server - cannot connect
              Dave Smulsky
              According to http://docs.oracle.com/cd/E19351-01/821-1924/cgfjighe.html the filter-spec delimiter is a ";", and not a comma.

              And yes, .42 is a DMZ IP for SGDUSA, and .10 is SGDUSA2's DMZ IP, so those are correct.

              We have two gateways because the gateways are in two different geographic locations, on different connections to the internet, so they are for geographic-connectivity reasons and not load balance.

              Given my delimiter is correct, am I missing something else?
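
Added example, not part of the thread and not Oracle's code: a small Python parser for the --security-gateway value posted above, splitting entries on ";" as in the documentation linked in reply 3 and matching the first field against the address seen for the connection, as reply 2 describes. First-match-wins ordering, `*` glob matching, and the names `parse_security_gateway` and `route_for` are assumptions made for illustration.

```python
from fnmatch import fnmatchcase
from typing import NamedTuple, Optional


class Route(NamedTuple):
    client_pattern: str   # first field: pattern matched against the seen address
    kind: str             # "sgdg" (via gateway) or "direct"
    host: str
    port: Optional[int]


def parse_security_gateway(value: str) -> list[Route]:
    """Split a --security-gateway value into its filter-spec entries."""
    routes = []
    for entry in (e.strip() for e in value.split(";")):
        if not entry:
            continue
        fields = entry.split(":")
        if not 2 <= len(fields) <= 4 or fields[1] not in ("sgdg", "direct"):
            raise ValueError(f"malformed filter-spec entry: {entry!r}")
        host = fields[2] if len(fields) > 2 else ""
        # int() raises ValueError on a port such as "443,172.16.160.10",
        # which is what a comma-delimited value produces.
        port = int(fields[3]) if len(fields) > 3 else None
        if fields[1] == "sgdg" and (not host or port is None):
            raise ValueError(f"sgdg entry needs host and port: {entry!r}")
        routes.append(Route(fields[0], fields[1], host, port))
    return routes


def route_for(routes: list[Route], seen_address: str) -> Optional[Route]:
    """Return the first entry whose pattern matches (assumed first-match-wins)."""
    for route in routes:
        if fnmatchcase(seen_address, route.client_pattern):
            return route
    return None


# Value from the original post, hostnames redacted as on the page.
SETTING = ("172.16.254.41:sgdg:sgdusa.XXXXXXXX.com:443;"
           "172.16.160.10:sgdg:sgdusa2.XXXXXXXXX.com:443;"
           "*:direct:amralbvdi01")

if __name__ == "__main__":
    routes = parse_security_gateway(SETTING)
    # 203.0.113.7 is a constructed address standing in for "any other source".
    for addr in ("172.16.254.41", "172.16.160.10", "203.0.113.7"):
        print(addr, "->", route_for(routes, addr))
```

Any address that matches neither of the first two patterns falls through to the `*:direct:amralbvdi01` entry, so checking which source address is actually seen for connections arriving through sgdusa2 shows which entry applies to them.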