Problem
A replacement media server (a NetBackup 5220 appliance) was installed and now it appears to backup the clients over the production network instead of the backup network.
Error Message
Initially backups were failing with Status Code 46: server not allowed access.
mymm$ bptestbpcd -host myclient-bk
<16>bptestbpcd main: Function ConnectToBPCD(myclient-bk) failed: 46
server not allowed access
That problem was resolved by adding a server entry to the client for the production interface on the mediaserver.
SERVER = mymaster-bk
SERVER = mymm-bk
SERVER = mymm
Backups then began to work, but the bpbrm debug log shows the connection originating from the production network (10.0.101.0/24) on the media server enroute to the backup network (192.168.252.0/24) on the client.
<2> do_pbx_service: [...] via PBX bpcd CONNECT FROM 10.0.101.33.39719 TO 192.168.252.169.1556 fd = 4
<2> async_connect: [...] connect async CONNECT FROM 10.0.101.33.39719 TO 192.168.252.169.1556 fd = 4
<2> connect_to_service: connect succeeded STATUS (0) SUCCESS
status: FAILED, (18) CONNECT_FAILED; system: (22) Invalid argument; FROM 127.0.0.1 TO myclient-bk 192.168.252.169 ...
status: FAILED, (18) CONNECT_FAILED; system: (22) Invalid argument; FROM 127.0.0.2 TO myclient-bk 192.168.252.169 ...
status: SUCCESS; FROM 10.0.101.33 TO myclient-bk 192.168.252.169 bpcd VIA pbx
Notice also that the first two unsuccessful connection attempt were using loopback interfaces as the source interface.
Cause
The 5220 2.5 media server is choosing the first available interface that can connect to the remote client's backup network interface which happens to be the public network interface.
$ bptestnetconn -v6 -f -p -H myclient-bk
...snip...
FL: myclient-bk -> 192.168.252.169 : 3 ms FAST (< 5 sec) SRC: 127.0.0.1,127.0.0.2,10.0.101.33,192.168.252.9
...snip...
[0] PREFERRED_NETWORK = 192.168.0.23 PROHIBITED
Normally, the SRC should be 'ANY'. The reason it is not is because there is another PREFERRED_NETWORK entry which is prohibiting the use of a third interface on the 5220 that is used strictly for management. Because that interface is prohibited from use, the NetBackup server processes are providing the list of remaining interface to the operating system which is then using each in turn as the source interface until a connection is established.
The original media server did not have any interfaces that NetBackup could not use and did not have any Preferred Network configuration, hence the reason this behavior was not previously observed.
Solution
The source IP for the connections to the clients on the backup network was initially corrected by adding a second Preferred Network setting to the configuration on the media server. This setting causes NetBackup to present only the specified interface (102.168.252.9) to the operating system when connecting to hosts on the backup network, instead of the non-prohibited list.
PREFERRED_NETWORK = 192.168.0.23 PROHIBITED
PREFERRED_NETWORK = 192.168.252.0/24 MATCH 192.168.252.9
$ bptestbpcd -host myclient-bk
1 1 1
192.168.252.9:60205 -> 192.168.252.169:1556
192.168.252.9:49219 -> 192.168.252.169:1556
But that means that the non-prohibited list will still be used as the SRC when connecting to hosts which are on the production network. A better goal is to allow the operating system to use ANY when connecting to hosts on the public and backup network and instead minimize the need for NetBackup to use the management network to perform backups.
1) Remove the existing Preferred Network setting that prohibits the use of local interfaces.
2) Ensure that network routing via the 192.168.0.23 interface is not need to reach any of the clients to be backed up. Do this by configuring NetBackup with the client hostnames that are routable via the backup or production networks.
3) If there are hosts on the 192.168.0.0/24 network that do not have other network interfaces and that need to be backed up by the 5220, ensure that the 192.168.0 interfaces on those hosts are network routable from the backup or production networks.
4) Add this setting to the 5220 so that backup traffic from the hosts on that one network are returned to the backup interface on the 5220 instead of the management interface. Use the 10.0.101.33 interface instead if it is the only one routable.
PREFERRED_NETWORK = 192.168.0.0/24 MATCH 192.168.252.9
See the Related Articles for additional details about Preferred Network, the loopback address in the SRC list, and the weakhost model.
Applies To
Replaced
a non-appliance NetBackup 7.5 Media Server
With
a new appliance media server 5220 v2.5
eth1 is the public network interface, IP address 10.0.101.33
eth2 is the backup network interface IP address 192.168.252.9
NetBackup 7.5 Solaris client:
bge0 is the public network interface
bge1 is the backup network interface, IP address 192.168.252.169
The original non-appliance media server could backup the client over the backup network successfully without modifying the server list.
Forward and reverse name resolution lookup of myclient-bk is successful on the 5220.
Forward and reverse name resolution lookup of mymm-bk is successful on the client.
Neither REQUIRED_INTERFACE nor REQUIRED_NETWORK is configured on the 5220 or the client.
Related Knowledge Base Articles
Was this content helpful?
Translated Content
Please note that this document is a translation from English, and may have been machine-translated. It is possible that updates have been made to the original version after this document was translated and published. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.