Anonymous_User Absent Member.

Network Address Restriction issues ..

Hi... we are attempting to lock down our 200 users with the NAR (Network Address Restriction) functionality on NWclient 4.91 sp4 and sp2. Our network still runs IPX for 1 legacy app, but all stations also run IP & we are a Nw6 Sp5 house.
Since starting the project, I have had a few users that have had issues locking down the IP address. When the station is rebooted, the client states that the user is not permitted to login to this workstation.
I have verified the station's IP address and even re-installed the client, but the issues continue...
Could it be I need to run a specific DSRepair on a server to fix the issue ?
We run DSRepairs each weekend, but almost always get 0 errors

Also, and this is the kicker ... last weekend we had a power failure, that dropped our 2 * 48 port switches (Netgear GS748t).
When almost all of our staff tried to re-login to the network, they all got NAR errors related to incorrect Username to IP restrictions.
We had to de-associate all affected users so they could login again ...
My boss is now looking at me to fix the issue, and I am lost on where to seek help, without calling Novell directly ..

Due to the fact that these workstations have both IPX & IP on them, is there a need for me to include an IPX lock down?? I am sure that 1 NAR should be enough to limit a user's access to the station ...

Any help would be great ..

Sincerely

Paul Jamieson
Toronto, Canada
Marcel_Cox Absent Member.

Re: Network Address Restriction issues ..

Sounds like you have both IPX and IP protocol installed, but you only have an address restriction on one of the 2 protocols. If you put an address restriction for one protocol, that automatically means that the other protocol is not permitted unless you also add a restriction for the other one. In your case that means that if you have an IP address restriction and your workstation tries to do the login with IPX, then the login will fail. The solution is to either configure your network that the workstations always reliably use the same protocol to login or better even, include an IP and an IPX address restriction.
Anonymous_User Absent Member.

Re: Network Address Restriction issues ..


Marcel, I think that we are also experiencing SLP issues. We have 4 NW6 Sp5 servers in our tree, with 1 DA.
When I look at how a station with IPX & IP are connected (Red N -> Network Connections) the primary server is connected with IPX while the other 1 or 2 connection servers are connected with IP.
The stations (Red N -> Client Properties -> Protocol Preferences) specify IP as the preferred protocol and IPX as the secondary.
In the client there is no Specific Primary Server set anywhere, so the client should walk the tree to select an authentication server (and or use SLP)
Each client has a scope name specified along with the DA server IP address.
Question is ... why do the stations login with IPX (Primary server) and not IP the preferred protocol ?
And is this the reason we may be experiencing the Network Address Restriction issues ??
Yes we are running IPX and IP (IPX - due to a legacy app).
1 last thing ... do you know of a way that I can test to see if SLP is running correctly ?? I have looked at slpinfo /all , but that does not really tell me anything ... is there something I should be looking for in the output ??
Sorry, I am from the NW4.11 days and have not had a lot of SLP training.

Thx again

Paul Jamieson
Toronto, Canada
Marcel_Cox Absent Member.

Re: Network Address Restriction issues ..

pjamies wrote:

>Question is ... why do the stations login with IPX (Primary server) and
>not IP the preferred protocol ?


Well, you gave the reason yourself. You have name resolution issues for IP
(e.g. SLP issues) and if name resolution for IP fails, then the client
switches to IPX instead.

>And is this the reason we may be experiencing the Network Address
>Restriction issues ??


Yes.


>Yes we are running IPX and IP (IPX - due to a legacy app).
>1 last thing ... do you know of a way that I can test to see if SLP is
>running correctly ?? I have looked at slpinfo /all , but that does not
>really tell me anything ... is there something I should be looking for
>in the output ??



If you have a DA, the most important debugging option is:

slpinfo /d

This will give you a list of all DAs known by the client, the way the DAs
were discovered and their current connectivity status.

--
Marcel Cox
http://support.novell.com/forums
------------------------------------------------------------------------
Marcel Cox's Profile: http://forums.novell.com/member.php?userid=8
Anonymous_User Absent Member.

Re: Network Address Restriction issues ..

Hey, thx for the quick reply ..

Ok, I have been to 2 workstations so far to look at what is going on ... both of them have IPX & IP protocols and they are both authenticating with IPX, even though their preferred protocol is IP.
I ran SLPINFO /D on both stations and they both cannot seem to see the scope, even though it is listed in the NWClient's Service Location.
Here is a list of what the stations see with slpinfo /d

C:\>slpinfo /d


*****************************************************
*** Novell Client for Windows NT ***
*** Service Location Diagnostics ***
*****************************************************

SLP Version: 4.91.3.0
SLP Start Time: 8:50:03am 5/5/2008
Last I/O: 4:57:58pm 5/5/2008
Total Packets: Out: 1317 In: 37
Total Bytes: Out: 66190 In: 740


DA IP Address Source(s) State Version Local Interface Scope(s)
--------------- --------- ----- ------- --------------- ------------
192.168.1.2 CNFG NORSP ? 192.168.1.193 <unknown>



As you can see ... the workstation sees the DA server (192.168.1.2) but the scope is <unknown>

I have tested our 4 NW6 servers and only 1 of them shows inactive ...

This is the DA server (GCL_FS1 - IP=192.168.1.2)

GCL_FS1:display slpda

SLP LOOPBACK : v2 : ACTIVE : scope : IANA : 8 : 0ms
192.169.1.1 : v? : INACTIVE : 'UNKNOWN SCOPE' : STATIC : 0 : 5ms

Total Active: 1 Total Inactive: 1


The Second DA (192.168.1.1) is on another tree ... not sure what it is doing here ...

Here is another server and its display ...

GCL_FS2:display slpda

192.168.1.2 : v2 : ACTIVE : SCOPE : STATIC : 9 : 0ms

Total Active: 1 Total Inactive: 0


Only 1 of the 4 servers does not have SLP loaded (NW6.5 OES)

Not sure why this 1st server says the scope name is : IANA ??

Is there a way that you can quickly show me how this should be setup ??

Here are our server names

Tree Name = GCL_TREE
GCL_FS1 NW6 Sp5 192.168.1.2 This is the DA
GCL_FS2 NW6 Sp5 192.168.1.
GCLBACKUP NW6 SP5 192.168.1.
GCLFS6 NW6.5 OES 192.168.1.

We also Have another tree across a VPN
Tree Name = GGL_TREE
GGC_FS1 NW6 Sp5 192.169.1.1

I have also included a screen print of a user's 'Novell Connections' screen
for your browsing ... I was always under the impression that the server with the * beside it was the server that the user authenticated to .... this being (in the picture) using IPX as the protocol type.
Is this correct ??

Anyways ... if you could help out that would be great !!

Sincerely,

Paul Jamieson
Toronto, Ontario
Marcel_Cox Absent Member.

Re: Network Address Restriction issues ..

pjamies wrote:

>DA IP ADDRESS   SOURCE(S) STATE VERSION LOCAL INTERFACE SCOPE(S)
>--------------- --------- ----- ------- --------------- ------------
>192.168.1.2     CNFG      NORSP ?       192.168.1.193   <UNKNOWN>
>
>
>As you can see ... the workstation sees the DA server (192.168.1.2) but
>the scope is <unknown>



Actually, it's quite the opposite. While the workstation knows the IP
address of what is supposed to be the DA, it is unable to talk to the DA.
The state is NORSP, meaning "No Response". The scope is unknown simply
because of this lack of response.
Given your servers seem to be able to talk to the DA, I suggest you check
if you don't have any kind of firewall that blocks the SLP traffic which
is on TCP and UDP port 427.

--
Marcel Cox
http://support.novell.com/forums
------------------------------------------------------------------------
Marcel Cox's Profile: http://forums.novell.com/member.php?userid=8
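
Added example, not part of the original posts and not Novell code: a minimal Python probe for the check suggested above, run from a workstation against the DA address. It assumes the DA answers a unicast SLPv2 directory-agent discovery request as defined in RFC 2608; the function names are this example's own.

```python
import socket
import struct

SLP_PORT = 427                      # SLP uses TCP and UDP 427, per the reply above
FN_SRVRQST, FN_DAADVERT = 1, 8      # SLPv2 function IDs (RFC 2608)

def slp_str(text):
    """SLPv2 string field: 2-byte big-endian length, then the bytes."""
    raw = text.encode("utf-8")
    return struct.pack("!H", len(raw)) + raw

def build_da_request(xid=0x1234, lang="en"):
    """SrvRqst body: PRList, service type, scope list, predicate, SPI."""
    body = (slp_str("") + slp_str("service:directory-agent")
            + slp_str("") + slp_str("") + slp_str(""))
    tag = slp_str(lang)
    length = 12 + len(tag) + len(body)          # whole message, header included
    return (bytes([2, FN_SRVRQST]) + length.to_bytes(3, "big")
            + b"\x00\x00"                       # flags: plain unicast request
            + b"\x00\x00\x00"                   # no extensions
            + struct.pack("!H", xid) + tag + body)

def parse_da_advert(data):
    """Return (error_code, da_url, scopes) from a DAAdvert, or None."""
    try:
        if data[0] != 2 or data[1] != FN_DAADVERT:
            return None
        lang_len = struct.unpack_from("!H", data, 12)[0]
        pos = 14 + lang_len
        err, _boot, url_len = struct.unpack_from("!HIH", data, pos)
        pos += 8
        url = data[pos:pos + url_len].decode("utf-8", "replace")
        scope_len = struct.unpack_from("!H", data, pos + url_len)[0]
        start = pos + url_len + 2
        scopes = data[start:start + scope_len].decode("utf-8", "replace")
    except (IndexError, struct.error):
        return None
    return err, url, scopes.split(",") if scopes else []

def probe_da(host, timeout=3.0):
    """Send the request over UDP; 'NORSP' matches slpinfo's no-response state."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_da_request(), (host, SLP_PORT))
            data, _ = sock.recvfrom(4096)
        except OSError:                         # timeout or ICMP unreachable
            return "NORSP", None
    return "REPLY", parse_da_advert(data)
```

Calling probe_da("192.168.1.2") from an affected workstation and from a server that lists the DA as ACTIVE gives a direct comparison. "NORSP" here only means no datagram came back on UDP 427 within the timeout.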
Marcel_Cox Absent Member.

Re: Network Address Restriction issues ..

pjamies wrote:

>Not sure why this 1st server says the scope name is : IANA ??


It doesn't. It says the scope name is "SCOPE" and the configuration type
is IANA which somehow means that the DA is running on the same machine.
For other servers, the corresponding field reports "STATIC".

--
Marcel Cox
http://support.novell.com/forums
------------------------------------------------------------------------
Marcel Cox's Profile: http://forums.novell.com/member.php?userid=8