Backup and restore operation fail with status 25 when multi-homed Windows 2008 clients have stronghost enabled

Backup and restore operation fail with status 25 when multi-homed Windows 2008 clients have stronghost enabled

Article: 100019161
Last Published: 2013-04-16
Ratings: 0 0
Product(s): NetBackup

Problem

Backup and restore operation for Windows 2008 clients fail with status 25 when the host is multi-homed and the master or media servers are on the same multiple network segments and using either REQUIRED_INTERFACE or the Source setting on PREFERRED_NETWORK.

Error Message

<16> bpcd main: read failed: An existing connection was forcibly closed by the remote host.

Solution

Overview:

The default configuration for Windows 2008 requires that network traffic must travel on the expected network per the strong host model as documented in RFC 1122.  This is a security mechanism which can cause backup or restore failures if the NetBackup server configuration includes REQUIRED_INTERFACE or PREFERRED_NETWORK options that restrict the source interfaces .

When connecting to the remote host, the transmitting host will utilize the local routing configuration to select the outbound network interface for the outbound packet.  But if REQUIRED_INTERFACE or PREFERRED_NETWORK  is configured to prohibit or select source interfaces, the source IP address within the packet will be derived from the specified hostname. 

The remote host will receive the inbound connection and present the data to the application, but may then close the socket if these conditions are met.
 
  • The receiving host has a network interface on the same network as the REQUIRED_INTERFACE or PREFERRED_NETWORK  of the transmitting host.
  • The packet was received on a different network interface.
  • The receiving host is configured for the strong host model.
If closed, the application layer on both hosts will receive an error when the expected data cannot be sent or received.  The operating system may also mask the destination IP address from the receiving application if the integrity of the packet source is suspect.

Troubleshooting:

Check the NetBackup logs and confirm that the sockets are established, but then removed within a few milliseconds before utilized by the application.  The getsockname system call may also return '0.0.0.0' for the local IP address if the receiving network interface was not on the expected network.

Log Files:

This bpcd log shows a connection that was received by bpcd, but was already closed when the application tried to read the data that should have been presented along with the connection.  Notice that the destination IP address is 0.0.0.0, indicating that although the source IP address is 192.168.1.2, it was received on a network interface other than 192.168.1.0.

13:22:51.186 [8588.2032] <2> logconnections: BPCD ACCEPT FROM 192.168.1.2.592 TO 0.0.0.0.13782
...snip...
13:22:51.201 [8588.2032] <2> bpcd peer_hostname: Connection from host nbu-mm (192.168.1.2) port 592
...snip...
13:22:51.217 [8588.2032] <4> bpcd valid_server: hostname comparison succeeded
13:22:51.217 [8588.2032] <16> bpcd main: read failed: An existing connection was forcibly closed by the remote host.  

This vnetd log shows a connection that was received by vnetd, but was already closed when the application tried to read the vnetd version number from the socket, VN_STATUS_CONNECT_RESET = 43.

13:22:30.188 [9928.5332] <2> ProcessRequests: .\vnetd.c.281: msg: VNETD ACCEPT FROM 192.168.1.2.37634 TO 0.0.0.0.13724 fd = 556
13:22:30.188 [9928.5332] <2> vnet_pop_byte: ..\libvlibs\vnet.c.184: errno: 10054 0x00002746
13:22:30.188 [9928.5332] <2> vnet_pop_byte: ..\libvlibs\vnet.c.186: Function failed: 43 0x0000002b
13:22:30.188 [9928.5332] <2> vnet_pop_string: ..\libvlibs\vnet.c.266: Function failed: 43 0x0000002b
13:22:30.188 [9928.5332] <2> vnet_pop_signed: ..\libvlibs\vnet.c.310: Function failed: 43 0x0000002b
13:22:30.188 [9928.5332] <2> vnet_version_accept: .\vnetd.c.1102: Function failed: 43 0x0000002b
13:22:30.188 [9928.5332] <2> ProcessRequests: .\vnetd.c.285: version_accept failed: 43 0x0000002b
13:22:30.188 [9928.5332] <2> ListenForConnection: .\vnetd.c.586: Function failed: 43 0x0000002b
13:22:30.188 [9928.5332] <16> main: Terminating with status 43

This bpbrm log is only verbose 1, but shows a connection was attempted to bpcd on the client via vnetd.  The connection reaches the remote host, but attempts to read the socket options were not successful as the socket was never fully established.  Consequently bpbrm suffers a timeout (errno 145 = ETIMEDOUT, VN_STATUS_CONNECT_FAILED = 18) and fails the operation with status 25.

13:21:59.400 [17203] <2> vnet_async_connect: vnet_vnetd.c.4217: getsockopt SO_ERROR returned: 145 0x00000091
13:22:09.410 [17203] <2> vnet_async_connect: vnet_vnetd.c.4019: connect in progress: 0 0x00000000
13:22:19.419 [17203] <2> vnet_async_connect: vnet_vnetd.c.4217: getsockopt SO_ERROR returned: 145 0x00000091
13:22:30.428 [17203] <2> vnet_async_connect: vnet_vnetd.c.4019: connect in progress: 1 0x00000001
13:23:16.425 [17203] <2> vnet_async_connect: vnet_vnetd.c.3801: ran out of time before connect: 302 0x0000012e
13:23:16.426 [17203] <2> vnet_async_connect: vnet_vnetd.c.3801: ran out of time before connect: 302 0x0000012e
13:23:16.426 [17203] <2> vnet_connect_to_service_or_vnetd: vnet_vnetd.c.3570: vnet_async_connect failed: 18 0x00000012
13:23:16.426 [17203] <2> nb_connect_to_vnetd_or_legacy: comm.c.2030: vnet_connect_to_vnetd_or_service failed: 18
13:23:16.426 [17203] <2> local_bpcr_connect: nb_connect_to_vnetd_service(nbu-client) failed: 25
13:23:16.426 [17203] <2> local_bpcr_connect: Can't connect to client nbu-client
13:23:16.426 [17203] <2> ConnectToBPCD: bpcd_connect_and_verify(nbu-client, nbu-client) failed: 25
13:23:16.426 [17203] <16> bpbrm start_bpcd_stat: timed out trying to connect to nbu-client

Resolution:

This situation is best resolved by configuring NetBackup to use host names that resolve to IP addresses associated with the desired network paths.  This eliminates the need to configure REQUIRED_INTERFACE or PREFERRED_NETWORK and the transmitted packets will not conflict with the strong host model.

In those instances where it is necessary to configure NetBackup to connect to a host over one network (e.g. public.domain.com)  but utilize required interface to ensure that return traffic is over a different network (e.g. backup.domain.com), then the strong host model must be disabled or the weak host model must be enabled.

This can be accomplished on Windows 2008 using the following commands.

netsh interface ipv4 set interface [InterfaceNameOrIndex] weakhostsend=enable
netsh interface ipv4 set interface [InterfaceNameOrIndex] weakhostreceive=enable
netsh interface ipv4 show interface [InterfaceNameOrIndex]


Additional information is available from these Microsoft TechNet articles;
https://technet.microsoft.com/en-us/magazine/cc137807.aspx 
https://technet.microsoft.com/en-us/magazine/2007.09.cableguy.aspx

Please also see the Related Articles.
 

Was this content helpful?