Adding Router to Insulate Server From Internet Traffic

Starry997
Currently, I have 2 Linksys BEFSX41 Routers at two locations talking to each other via VPN, and that is working fine. But, ever since I installed that, replacing an older Linksys BEFSR11 Router, users have been getting knocked off our HP3000 server about once a day. One person suggested that I install a router in front of the HP3000 to insulate it from all the network traffic that doesn't involve it. The HP is an older computer and he thinks that all the Internet-related traffic is overwhelming it. The network IP addresses are 192.168.1.X with a mask of 255.255.255.0.

How would I set up the router on the HP3000 so that everyone on our network (and site 2) would still have access to it? Do I need to go to a mask of 255.255.0.0 in order to make sure that the HP3000 can get to the rest of the network (including printers at site 1 and 2) and everyone can Telnet to the HP3000 (including site 2)?

I was going to try using the Linksys BEFSR11 that I still have as the router, but I noticed that it requires the mask to be 255.255.255.x. Seems like when I was playing around with it, I could get to the main network, but I was invisible to everyone on the main network. Do I need a more expensive router that will give me more flexibility with the mask? Do I need to change the whole network IP addressing that I use?
  • +
    0 Votes
    woodyn

    Are you sure the new router does not time out the users? The real issue I would investigate is whether they are knocked off the server or the router due to timeouts from one or the other. Also check your server for which "program" users are being locked out of; they may be exceeding licences.

    +
    0 Votes
    Starry997

    I agree that the core issue is that users are getting knocked off of Telnet. There is no license issue involved, since they can get right back on and are fine the rest of the day. If it were a license issue on the HP3000, it would simply not allow a logon. There is no license issue on Telnet. I have no idea how to find out whether timeouts are involved or what to do about it if they are. And the actual real problem might be something totally different. But it was working just fine before I changed the router...that is the only for sure thing about all this.

    I'm still leaning toward at least trying to shield the HP3000 from all the other traffic, which gets me back to my original question of how to make that 2nd router work. I will be the first to admit that it may not work, but it is worth a try. If it works, it would just be masking the real problem, whatever that might be...but it would be working.

    +
    0 Votes
    gary.stephens

    Hi Thula, I have many years on HP3000. Did you resolve this in the end? If not, let me know; I may be able to help.
    rgds
    Gary

    +
    0 Votes
    Starry997

    No, I never did find a way to do what I wanted and the problem is actually very irritating for those affected, even though, at most, it happens once a day. I was getting some help changing parameters and loading patches from Beechglen, but that never made a difference. It affects about 2 people on a continuing basis and affects most everyone else once a month or so...I experimented with using a Linksys router we have lying around, but couldn't get anywhere. It's the cheaper type that is limited to a mask of 255.255.255.0. Would consider more expensive equipment, as long as I still had the VPN capability built-in.

    +
    0 Votes
    gary.stephens

    OK, there is a general feeling out there about the HP3000 and its resilience or otherwise; most of it comes from people who do not understand the 3000! I have run these boxes for over 20 years for some fairly large companies, 3-4000 users across 150+ machines. I would personally try a few things; apologies if some sound lame, but you have more info than me ;-)
    1 Does this only happen in 1 app?
    2 On the console, are you seeing many network errors when the person is disconnected?
    3 What connection protocols are you using, i.e. Telnet etc.?
    4 What version of the OS and Power/Reactive Patch?
    5 A couple of tests to isolate the problem: create an account and group (don't use pub) and user. Set both with minimum caps, i.e. IA, etc. I am assuming you do not have access to the remote site, so getting a user to log on with these should not present a great security risk, as the most they can do is list the local file set, which will be empty. See if the user is able to be left logged on for the day or not. If not, this would definitely point towards a network-related problem; at least it would rule out the progy being at fault. It might sound a waste of time, but I have spent many an hour looking for a problem caused by a programmer who had changed something totally insignificant without telling the Ops dept.

    There have been a few problems over the years with Telnet connections, but most were fixed on 7.0 with the latest PP. The other thing you could check is Heartbeat losses. The command to check is "linkcontrol @;status=all"

    Assuming you are using Telnet, what emulator (Reflections etc.) and version are you using?

    If using a DTC, what type?

    If you run a continuous ping from the PC to the 3000, do you lose connectivity at the same time, or does the ping remain? I have seen this many times; solution: use VT100 and see if that cracks it.

    Sorry if I ramble on. There are a few other things you could try, but check out the above 1st; post back or send me a PM.
    cheers
    gary

    +
    0 Votes
    Starry997

    I don't know what has changed (if anything), but the one person that usually has this problem hasn't had a problem for a week and a half and no one else has had the problem for at least 3 weeks. If there is an application problem, it will be tough to track down, since the person who had this problem the most runs 4 sessions and in most of the sessions, is several process layers deep. She logs on to our mpex menu and then selects a Powerhouse application and then from within that, executes a deeper process that brings up our mpex security menu again to execute yet another application...and apparently travels up and down the process layers to get to the screens she wants to use. Perhaps she is single-handedly responsible for this problem?

    1 - Can't pinpoint a single application
    2 - I'm not seeing network errors on console related to this at all. I had someone at Beechglen go over the console log based on when it was happening, and there were no apparent problems in the log at all, other than the disconnect.
    3 - Using Telnet
    4 - Operating system is 7.0 PP1
    5 - I will keep this in reserve...I wonder, though...I could, as a test, exclude the ability of this one user from going down so many process layers...give her more sessions if she needs them. Perhaps she is singlehandedly responsible? I don't remember when she started doing this (been a long time), but I do remember that she was limited to 2 sessions at one time and then 3 and now she is at 4 sessions. The thing that has changed recently for her is adding another monitor and she has (she says) been using the layering less. So, it is looking to me like the problem is an application one, of sorts, based on how this one user has been using (abusing) the HP. I talked to her about it and she is going to try not using the layering ability.

    So, I don't think the problem was with Telnet at all, per se. Is it possible for a single Telnet connection to be overwhelmed by so much use of resource? I don't know. But it is looking like that is the smoking gun.

    +
    0 Votes

    I hope it is OK to ask a few questions. I was wondering if you could go into more detail about the network topology as it may have a bearing on the problem. Also are the routers the only change that you made? If so I do not see where that would create a different situation for the HP3000. Sorry if I am missing something. Also could you explain what Internet traffic you are referring to?

    Putting the HP3000 on a different subnet is very doable, but it will require adding static routes to VPN routers so the traffic will get sent to the new router upstream of the HP3000.

    +
    0 Votes
    Starry997

    At our main site, we have a Comcast portal with a static IP address. Connected to the Comcast Router/Modem is a Linksys VPN Router (BEFSX41) which everything else is connected to. The router is also the DHCP server. There are 20 or so workstations (mostly WinXP) and a number of printers set up primarily through HP print servers. There are a number of unmanaged switches and one managed switch. The only other thing I did at the time I put the VPN router in was to make sure all workstations were at 100 Mbps. Some of the workstations were still at the original 10 Mbps. At the time, all switches were unmanaged. The internal addresses are at 192.168.1.x 255.255.255.0 ... site 2 is set up as 192.168.2.x 255.255.255.0. The HP3000 is a Series A400 with a direct connect of the 3000 to a switch. The remaining DTC connections used to come into a hub with BNC port, but now come through an Ethernet converter directly to a LAN connection. I'm not sure what information you want. I have a graphic chart that shows all connections, but I'd rather not share that. My original attempt was to set the original Linksys router we used to use to 192.168.3.x and I also tried setting it to 192.168.1.x. I am still convinced that it is all about the numbers and how I have it set up, but I am not a LAN guru by any means.
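
The static-route and subnet-mask questions raised in this thread, worked through as an added example that is not part of any post: a small Python model of each device's routing table that checks whether a packet's forward path reaches the HP3000 when it sits on its own 192.168.3.x subnet. Host numbers (.50, .10, .250), node names, and an inner router that routes without NAT or proxy ARP are assumptions.

```python
import ipaddress

# Constructed topology. Subnets follow the thread (192.168.1.x, .2.x, .3.x);
# host numbers and a routed (no NAT, no proxy ARP) inner router are assumptions.
SEGMENT_OF = {"192.168.1.50": "lan1", "192.168.2.50": "lan2", "192.168.3.10": "hplan"}
OWNER = {"192.168.1.1": "vpn1", "192.168.2.1": "vpn2",
         "192.168.1.250": "inner", "192.168.3.1": "inner"}
ATTACHED = {"ws1": {"lan1"}, "ws2": {"lan2"}, "vpn1": {"lan1"}, "vpn2": {"lan2"},
            "inner": {"lan1", "hplan"}, "hp3000": {"hplan"}}

def on_link(addr, prefix):
    """Network a host treats as directly connected, given its address and mask."""
    return str(ipaddress.ip_interface(f"{addr}/{prefix}").network)

def build_tables(ws_prefix=24, static_routes=False):
    """Routing tables as (network, next hop) pairs. The VPN tunnel is modelled as
    a plain next hop; Internet default routes on the VPN routers are left out."""
    t = {
        "ws1": [(on_link("192.168.1.50", ws_prefix), "direct"), ("0.0.0.0/0", "192.168.1.1")],
        "ws2": [(on_link("192.168.2.50", ws_prefix), "direct"), ("0.0.0.0/0", "192.168.2.1")],
        "vpn1": [("192.168.1.0/24", "direct"), ("192.168.2.0/24", "192.168.2.1")],
        "vpn2": [("192.168.2.0/24", "direct"), ("192.168.1.0/24", "192.168.1.1")],
        "inner": [("192.168.1.0/24", "direct"), ("192.168.3.0/24", "direct"),
                  ("0.0.0.0/0", "192.168.1.1")],
        "hp3000": [("192.168.3.0/24", "direct"), ("0.0.0.0/0", "192.168.3.1")],
    }
    if static_routes:  # the static routes for the new subnet on both VPN routers
        t["vpn1"].append(("192.168.3.0/24", "192.168.1.250"))
        t["vpn2"].append(("192.168.3.0/24", "192.168.1.1"))
    return t

def next_hop(table, dst):
    """Longest-prefix match: 'direct', a gateway address, or None if no route."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n), gw) for n, gw in table
            if dst in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def reachable(tables, src_node, dst):
    """Follow next hops from src_node toward dst; return (delivered, path)."""
    node, path = src_node, [src_node]
    for _ in range(8):  # hop limit guards against routing loops
        hop = next_hop(tables[node], dst)
        if hop == "direct":  # sender ARPs for dst on its own wire
            return SEGMENT_OF[dst] in ATTACHED[node], path
        if hop is None:
            return False, path
        node = OWNER[hop]
        path.append(node)
    return False, path
```

In this model, keeping 255.255.255.0 everywhere and adding the 192.168.3.0/24 static routes makes the HP3000 reachable from both sites, while widening the workstation mask to 255.255.0.0 makes hosts treat 192.168.2.x and 192.168.3.x as on-link, so the packets never reach a router.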
