Sun Microsystems, Inc.  Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition
   Home | Current Systems | Former STK Products | EOL Systems | Components | General Info | Search | Feedback

Asset ID: 1-72-1010907.1
Update Date:2009-09-08
Keywords:

Solution Type  Problem Resolution Sure

Solution  1010907.1 :   Sun Fire[TM] V60x/V65x: BMC Port Conflict  


Related Items
  • Sun Fire V60x Server
  •  
  • Sun Fire V65x Server
  •  
  • Sun Fire V60x Compute Grid Rack System
  •  
Related Categories
  • GCS>Sun Microsystems>Servers>x64 Servers
  •  

PreviouslyPublishedAs
215049


Symptoms
Ports used by LAN management conflict with those needed by the Baseboard Management Center (BMC), causing timeouts and considerable waits in completing commands.
Other utilities such as Remote Shell (rsh) and NIS services may also produce "time out" errors under heavy load, if using the reserved BMC ports.

The ports in question are 623 and 664, although the "Sun Fire V60x Server and Sun Fire V65x Server Server Management Guide" also erroneously lists port 624 (crypto admin).

The ports are described as follows:

623 (26Fh) Aux Bus Shunt (Primary RMCP Port):  Hereon referred to as the Primary RMCP Port.  This port and the required RMCP messages must be provided to be conformant with the RMCP specifications.  There is a mandatory set of messages that are required to be supported on this port.  These messages are always sent  in the clear  so that system software can discover systems that have RMCP support.

664 (298h) Secure Aux Bus (Secondary RMCP Port):  Hereon referred to as the Secondary RMCP Port or Secure Port.  This port is only used when it is necessary to encrypt packets using an algorithm or specification that prevents also sending unencrypted packets from being transferred via the same port.  Since discovery requires sending in the clear RMCP Ping/Pong packets, the secondary port is used to transfer encrypted transfers while the primary port continues to support unencrypted packets.  An implementation that utilizes this port must still support the Primary RMCP Port and the required messages on that port in order to be conformant with the RMCP specifications.  Note that the common IPMI messaging protocols and authentication mechanisms in this specification do not use encrypted packets, therefore IPMI messaging does not need to use the secondary port.

BMC is part of the Intelligent Platform Management Interface (IPMI) and uses the Remote Monitoring and Control Protocol (RMCP).



Resolution
To avoid this problem, the following solutions can be implemented:
1. configure your services to block the use of UDP ports 623 and 664, or

2. use an alternate network interface for that traffic.

The GNU FreeIPMI Documentation site states the following in chapter 13 of their guide

13.1 Fencing IPMI IP ports
Append the following to /etc/services:
# BMC IPMI/RMCP services
rmcp    623/udp         # Aux Bus Shunt (Primary RMCP Port)
rmcps   664/udp         # Secure Aux Bus (Secondary RMCP Port)
BMC internally (at hardware level) uses the above   mentioned ports for sending RMCP/IPMI packets .  To avoid any confli[c]t [sic] with the BMC, [the] Operating System should make sure no other applications or services uses [sic] these ports for communication.  One easy way to do this is to start a simple daemon at the [sic] boot time that opens these ports but never uses them.
Secure connections to BMC port 664 is not enabled on most BMC implementations by default.

The following sample code and provides a simple daemon to implement the suggestion above.

/*
*****************************************************************
 * Copyright (c) 2005 Sun Microsystems, Inc. All Rights Reserved.
*
 * SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY
* OF THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT
* LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS
* FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE
* LIABLE FOR ANY DAMAGES SUFFERED BY LICENSEE AS A RESULT OF USING,
* MODIFYING OR DISTRIBUTING THIS SOFTWARE OR ITS DERIVATIVES.
*
*****************************************************************
*/
/*=================================================================*/
/* Name: pb_623.c (Port blocker for port 623)                     */
/* Description: Simple UDP server code that listens on port 623   */
/*----------------------------------------------------------------*/
/* Changes:                                                       */
/*================================================================*/
/* INCLUDES-------------------------------------------------------*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <unistd.h> /* close() */
#include <string.h> /* memset() */
#include <fcntl.h>
#include <syslog.h>
/* Global Definitions --------------------------------------------*/
#define LOCAL_SERVER_PORT 623
#define MAX_MSG 100
/*----------------------------------------------------------------*/
/* Function writelog: Writes errors and messages to logs.         */
/*----------------------------------------------------------------*/
void writelog(char errmsg[])
{
syslog(LOG_INFO, errmsg);
}
/*----------------------------------------------------------------*/
/* Function daemonize: Forks the process and turns it into a      */
/* daemon.                                                        */ /*----------------------------------------------------------------*/
int daemonize(void)
{
pid_t pid;
int fd;
/* if we are started from init no need to become daemon */
if (getppid() == 1)
{
writelog("Portblocker: Instance already running");
return;
}
pid = (pid_t) fork();
if (pid < 0 || pid > 0)
{
writelog("Portblocker: Unable to fork");
exit(0);
}
if (setpgrp() == -1)
{
writelog("Portblocker: Unable to set process group");
exit(1);
}
pid = (pid_t) fork();
if (pid < 0 || pid > 0)
{
writelog("Portblocker: Unable to fork");
exit(0);
}
chdir("/");
umask(0);
for (fd=0; fd<64; fd++)
close(fd);
open("/dev/null", O_RDWR);
dup(0);
dup(0);
return(pid);
}
/*----------------------------------------------------------------*/
/* Main: Opens UDP listener on port 623 and then loops. Uses      */
/* daemonize to fork as a daemon if not started at boot time.     */
/*----------------------------------------------------------------*/
int main(int argc, char *argv[])
{
int sd, rc, n, cliLen;
int pid;
struct sockaddr_in cliAddr, servAddr;
char msg[MAX_MSG];
pid = daemonize();
/* socket creation */
if ( (sd=socket(AF_INET, SOCK_DGRAM, 0)) <0 )
{
writelog("Portblocker: cannot open socket");
exit(1);
}
/* bind local server port */
servAddr.sin_family = AF_INET;
servAddr.sin_addr.s_addr = htonl(INADDR_ANY);
servAddr.sin_port = htons(LOCAL_SERVER_PORT);
if ( (rc = bind (sd, (struct sockaddr *)
&servAddr,sizeof(servAddr))) <0 )
{
writelog("Portblocker: cannot bind to port");
exit(1);
}
writelog("Portblocker: Started successfully");
/* loop - keep the port alive */
while(1)
{
/* init buffer */
memset(msg,0x0,MAX_MSG);
/* receive message */
cliLen = sizeof(cliAddr);
if ( (n = recvfrom(sd, msg, MAX_MSG, 0, (struct sockaddr *)
&cliAddr, &cliLen)) <0 )
{
writelog("Portblocker: cannot receive data");
continue;
}
}/* end while loop */
return 0;
} /* end main */


Relief/Workaround




Product
Sun Fire V60x Compute Grid Rack System
Sun Fire V60x Server
Sun Fire V65x Server

Internal Comments
For internal Sun use only.


tyson.ainsworth@sun.com


francisco.delatorre@sun.com


BMC, Port 623, 623, conflict, V65, rpc, nis, 624, IPMI
Previously Published As
79519

Change History
Date: 2006-05-22
User Name: 97961
Action: Update Canceled
Comment: *** Restored Published Content *** - Audience changed to "Contract" per FvF
http://kmo.central/howto/FvF.html
Version: 0
Date: 2006-05-22
User Name: 97961
Action: Update Started
Comment: - Audience changed to "Contract" per FvF http://kmo.central/howto/FvF.html
Version: 0
Date: 2005-06-03
User Name: 25440
Action: Approved
Comment: Publishing.
Version: 6
Date: 2005-06-03
User Name: 25440
Action: Accept
Comment:
Version: 0
Product_uuid
6a386040-356d-11d7-989c-cd4a3a4ab304|Sun Fire V60x Compute Grid Rack System
03728cec-0ee3-11d7-9be8-dd41f651e0a3|Sun Fire V60x Server
079e9bbc-0ee3-11d7-8c50-f1061905b56f|Sun Fire V65x Server

Attachments
This solution has no attachment
  Copyright © 2011 Sun Microsystems, Inc.  All rights reserved.
 Feedback