ddouhine

Slow login

Hi there,

Trying to debug slow login issue...
Client: 4.91 SP4
Server: OES / eDir 8.7.3.10b FTF1 / ZDM 7

I think I've pointed the root: syn tcp/524 packets are sent by the clients to IP addresses that are unreachable.
These addresses are not hard coded in client config (registry) but sent by the server itself after the client asks for them (using Get Server Address request). These addresses exist but are not reachable by the clients.

Is it possible to:
* restrict the use of one single address on novell client (it seems that preferred address is not enough) ?
* restrict what the server sends (I guess the IP addresses list is set in /etc/nds.conf) ?

Thanks !
Marcel_Cox

Re: Slow login

When you say OES, do you mean OES/NetWare or OES/Linux? What exact version/SP level?
The wrong address handed out, was it ever assigned to this server? Or what does or did it belong to?
Did the problem always exist or did it only start after a certain change or update somewhere in your network?
Could you post a capture of a problematic login?
ddouhine

Re: Slow login

Linux oes9 sp2
The "wrong" addresses belong to the server but can't be reached by these clients.

Sorry, I can't post a packet trace but here are a few details about it:
1. two connections are opened on the good address and the first login functions are done (Get File Server Information for the server, NDS Resolve Name for the username, etc...)
2. another connection is opened on the good address and same functions (Get File Server... and NDS Resolve Name) are done plus additional NMAS ones which do not finish though
3. at the same time a syn is sent to a "wrong" address
...obviously no reply comes
4. another syn is sent after a few seconds to the same "wrong" address
5. another one later
6. another syn is sent after a few seconds to another "wrong" address
etc... (9 to 18 syn are sent)
7. finally a syn is sent to the good address
8. classical functions (Get File Server... and NDS Resolve Name) are done but with one more: Monitor NDS Connection
9. right after that NMAS authentication finishes using the third connection
10. then things run normally

The "Monitor NDS Connection" seems to be needed to finish the login as everything hangs until it is done. So we lost around 90 seconds waiting for a good connection.

Is there a way to help the novell client to point to the good address ?
Or better... is there a way to tell the server which addresses to send ?
Anonymous_User

Re: Slow login

Try pre-populating the client bad name cache with those IP addresses.
Not sure if it would work, but it's a thought.
There is likely a better solution, but the 1st one that came to
mind.............


--
Craig Wilson - MCNE, MCSE, CCNA
Novell Support Forums Volunteer Sysop

Novell does not officially monitor these forums.

Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.

Marcel_Cox

Re: Slow login

ddouhine wrote:

>The "wrong" addresses belong to the server but can't be reach by these
>clients.


Well, that's bad. Your server should not use an IP address for NDS if that
address is reachable by all clients. The best solution would be to only
bind NDS and NCP to an IP address that is reachable by all clients.
Short of that, the following workaround might work:

In the client configuration, under name resolution, make sure that "NDS"
is *not* selected for name resolution.

--
Marcel Cox
http://support.novell.com/forums
ddouhine

Re: Slow login

seems to work, thx !
ddouhine

Re: Slow login

Well, that's bad.

I know, that's why I asked how we could restrict to one IP.
Is the IP addresses list (only ?) set in /etc/nds.conf ?
Anonymous_User

Re: Slow login

ddouhine <ddouhine@no-mx.forums.novell.com> wrote:

> 2. another connection is opened on the good address and same functions
> (-Get File Server-... and -NDS Resolve Name-) are done plus additional
> NMAS ones which do not finish though
> 3. at the same time a syn is sent to a "wrong" address
> ..obviously no reply comes
> 4. another syn is sent after a few seconds to the same "wrong" address
> 5. another one later
> 6. another syn is sent after a few seconds to another "wrong" address
> etc... (9 to 18 syn are sent)
> 7. finally a syn is sent to the good address
> 8. classical functions (-Get File Server-... and -NDS Resolve Name-)
> are done but with one more: -*Monitor NDS Connection*-


For what it's worth, one thing that description reminds me of is older
NMAS client behavior. It used to be that the NMAS client would
literally read the replica ring of the partition in which the user
object existed & spin up a pool of threads to initiate NCP connections
to /all/ of the replica holders to determine which ones would respond
to an NMAS version query & which one had the best NMAS version to
connect to.

That's not the behavior I'm expecting from the NMAS client included in
4.91 SP4 though, so one question might be to confirm which version of
the NMAS client is actually installed (since you can upgrade the
Novell Client itself, but force or leave the older NMAS to remain
present). You might also search for whether the NMAS.DLL and
NMASNCP.DLL found on the machine actually match the versions you find
on a clean 4.91 SP4 installation w/NMAS, in case the individual
binaries somehow became back-revved.

It may be there is something more subtle happening that would be
apparent from looking directly at the LAN trace; this is simply what
comes to mind based upon the description.

Alan Adams
alancrumbadams@drcrumb.com
(for email, remove the crumbs)
ddouhine

Re: Slow login

ddouhine;1708177 wrote:
seems to works, thx !

Sadly I was wrong, bad name cache doesn't work with IP addresses 😞
ddouhine

Re: Slow login

Guys,

I'm still waiting for a fix for this one.
Can someone tell me if it is possible to:
* restrict the use of one single address on novell client (it seems that preferred address is not enough) ?
* restrict what the server sends (I guess the IP addresses list is set in /etc/nds.conf) ?

Thanks 🙂
ddouhine

Re: Slow login

Nobody knows ?
Marcel_Cox

Re: Slow login

ddouhine wrote:

>I know, that's why I asked how we could restrict to one IP.
>Is the ip addresses list is (only ?) set in /etc/nds.conf ?


In the nds.conf file, you should add/change the line:

n4u.server.interfaces=<ip address>@524
Where <ip address> should be replaced by the address on which eDirectory
is supposed to listen. You can use the ndsconfig tool to change this
parameter. However verify the configuration of your various services to
make sure that no service accesses eDirectory through a different IP
address than what you specify.

Also, did you try my suggestion about disabling the NDS name resolution
method?


--
Marcel Cox
http://support.novell.com/forums
0 Likes
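
A check that goes with the nds.conf advice above, as an added example that is not part of any post in this thread: it reads the `n4u.server.interfaces` line and tests, from the machine it runs on, which listed addresses accept a TCP connection. The sample file contents and addresses are constructed, and the comma-separated list form and the fallback to port 524 are assumptions.

```python
import socket

# Constructed sample of /etc/nds.conf; the addresses are documentation-range
# placeholders, not values from the thread.
SAMPLE_NDS_CONF = """\
n4u.base.tree-name=EXAMPLE_TREE
n4u.server.interfaces=192.0.2.10@524,198.51.100.7@524
n4u.nds.server-name=oes1
"""

def parse_interfaces(conf_text):
    """Return [(ip, port), ...] from the n4u.server.interfaces line.

    Assumes a comma-separated list of <ip address>@<port> entries;
    an entry without @<port> is assumed to mean port 524.
    """
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "n4u.server.interfaces":
            entries = []
            for item in value.split(","):
                host, _, port = item.strip().partition("@")
                if host:
                    entries.append((host, int(port) if port else 524))
            return entries
    return []

def reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, no route, ...
        return False

def unreachable_interfaces(conf_text, timeout=3.0):
    """Interfaces listed in nds.conf that this machine cannot connect to."""
    return [(h, p) for h, p in parse_interfaces(conf_text)
            if not reachable(h, p, timeout)]

if __name__ == "__main__":
    for host, port in unreachable_interfaces(SAMPLE_NDS_CONF):
        print(f"listed but unreachable from here: {host}@{port}")
```

Run it on a workstation in the affected client subnet against a copy of the server's nds.conf; any address it reports is one that clients there cannot connect to.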
ddouhine

Re: Slow login

I can't find this property (NDS name resolution).
Which regkey is it or where can I find it in client properties ?

Thank you very much for your help.
Marcel_Cox

Re: Slow login

ddouhine wrote:

>I can't find this property (NDS name resolution).
>Which regkey is it or where can I find it in client properties ?


You will find it in the client properties in the "Protocol Preferences"
tab. When you select "IP" in the Protocol column and "Naming" in the
component column, you should get a list of "protocol component settings"
in the bottom window. This should include NDS.

--
Marcel Cox
http://support.novell.com/forums