Problems connecting Fastpath over DMZ

Before I explain the problem, I’ll explain our setup:

Internal Server (Openfire Server) - “fedora1”

Fedora 1 Linux

OpenFire 3.3.0 (formerly Wildfire 3.2.0)

Fastpath 3.3.0

External Server (Webserver) - “webserv”

Windows 2003 Server

IIS 6.0

Apache Tomcat for running the Fastpath plugin

Okay… Initially we set up fastpath on our internal server, and everything worked fine. We opened up port 5222 on our firewall to allow the external server to see the internal wildfire (openfire) server. Since our webserver has no DNS servers specified (no need for them), I added the internal server’s address to the hosts file. Everything worked fine with this setup. We then had to renumber all of the network devices on our internal network, so the IP address of the internal server changed. We updated all of the firewall rules to still allow the connection, and I’ve updated the address in the hosts file on the external server, and flushed DNS on the server. Now fastpath will no longer connect. You can still reach it internally, so I know that the plugin still functions properly, but when trying to connect from outside, no dice. Here are the results of the connection test:

Results:

    XMPPError connecting to fedora1.crownprod.com:5222.: remote-server-error(502) XMPPError connecting to fedora1.crownprod.com:5222.
      – caused by: java.net.ConnectException: Connection timed out: connect
        at org.jivesoftware.smack.XMPPConnection.connectUsingConfiguration(XMPPConnection.java:806)
        at org.jivesoftware.smack.XMPPConnection.connect(XMPPConnection.java:1252)
        at org.apache.jsp.test_002dconnection_jsp._jspService(test_002dconnection_jsp.java:89)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:384)
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.jivesoftware.webchat.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:44)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.jivesoftware.webchat.SetupFilter.doFilter(SetupFilter.java:91)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:216)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
        at java.lang.Thread.run(Unknown Source)
    Nested Exception:
    java.net.ConnectException: Connection timed out: connect
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.PlainSocketImpl.doConnect(Unknown Source)
        at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
        at java.net.PlainSocketImpl.connect(Unknown Source)
        at java.net.SocksSocketImpl.connect(Unknown Source)
        at java.net.Socket.connect(Unknown Source)
        at java.net.Socket.connect(Unknown Source)
        at java.net.Socket.<init>(Unknown Source)
        at java.net.Socket.<init>(Unknown Source)
        at org.jivesoftware.smack.XMPPConnection.connectUsingConfiguration(XMPPConnection.java:791)
        at org.jivesoftware.smack.XMPPConnection.connect(XMPPConnection.java:1252)
        at org.apache.jsp.test_002dconnection_jsp._jspService(test_002dconnection_jsp.java:89)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:384)
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.jivesoftware.webchat.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:44)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.jivesoftware.webchat.SetupFilter.doFilter(SetupFilter.java:91)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:216)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
        at java.lang.Thread.run(Unknown Source)

However, if I remove the internal server’s address entry from the external server’s hosts file, I get a different result…

Results:

    Could not connect to fedora1.crownprod.com:5222.: remote-server-timeout(504) Could not connect to fedora1.crownprod.com:5222.
      – caused by: java.net.UnknownHostException: fedora1.crownprod.com
        at org.jivesoftware.smack.XMPPConnection.connectUsingConfiguration(XMPPConnection.java:799)
        at org.jivesoftware.smack.XMPPConnection.connect(XMPPConnection.java:1252)
        at org.apache.jsp.test_002dconnection_jsp._jspService(test_002dconnection_jsp.java:89)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:384)
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.jivesoftware.webchat.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:44)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.jivesoftware.webchat.SetupFilter.doFilter(SetupFilter.java:91)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:216)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
        at java.lang.Thread.run(Unknown Source)
    Nested Exception:
    java.net.UnknownHostException: fedora1.crownprod.com
        at java.net.PlainSocketImpl.connect(Unknown Source)
        at java.net.SocksSocketImpl.connect(Unknown Source)
        at java.net.Socket.connect(Unknown Source)
        at java.net.Socket.connect(Unknown Source)
        at java.net.Socket.<init>(Unknown Source)
        at java.net.Socket.<init>(Unknown Source)
        at org.jivesoftware.smack.XMPPConnection.connectUsingConfiguration(XMPPConnection.java:791)
        at org.jivesoftware.smack.XMPPConnection.connect(XMPPConnection.java:1252)
        at org.apache.jsp.test_002dconnection_jsp._jspService(test_002dconnection_jsp.java:89)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:384)
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.jivesoftware.webchat.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:44)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.jivesoftware.webchat.SetupFilter.doFilter(SetupFilter.java:91)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:216)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
        at java.lang.Thread.run(Unknown Source)

When I run a netstat during the connection test, I see the following entry:

TCP webserv:3679 fedora1.crownprod.com:5222 SYN_SENT

I’m out of ideas, I’ve updated to Openfire, restarted both servers, double and triple checked everything… I’m lost. All we did was change an IP address and poof! no more connection… Any help would be greatly appreciated in getting this sorted.

Message was edited by: Serzoni


Serzoni,

I would check the following:

Can you telnet from webserv box to the fedora1 machine on port 5222?

In your exploded webchat there should be a chat-settings.xml file in the WEB-INF. I would verify that it is pointing to the correct machine’s hostname.

Cheers,

Nate

All of my WEB-INF settings are correct (the hostname never changed), and I cannot telnet from the webserver to the internal server on port 5222.

The stack trace indicates that you are unable to connect.

The telnet rejection confirms that you cannot connect over port 5222. As you can connect internally, the service is up, so therefore your firewall is blocking the connection.
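The outcomes seen in this thread (UnknownHostException without the hosts entry, a connect timeout with the socket stuck in SYN_SENT) point at different layers, and a small probe run from the web server can tell them apart and show which address the name actually resolves to. This is an added example, not part of the original posts; the names `classify` and `probe` and the verdict labels are illustrative.

```python
import errno
import socket

# Verdict -> where to look next (labels are this example's own, not Smack's).
HINTS = {
    "open": "TCP handshake completed; the path and the listener are fine",
    "dns-failure": "name did not resolve; check the hosts file entry or DNS",
    "filtered": "SYN sent, no reply (SYN_SENT); a firewall/route drops it or the address is stale",
    "refused": "host answered with RST; path is open but nothing listens on the port",
    "unreachable": "no route to the resolved address; check routing after renumbering",
    "error": "other socket error",
}

def classify(exc):
    """Map the exception from a connect attempt to the layer that failed."""
    if exc is None:
        return "open"
    if isinstance(exc, socket.gaierror):                 # UnknownHostException
        return "dns-failure"
    if isinstance(exc, (socket.timeout, TimeoutError)):  # Connection timed out
        return "filtered"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"
    return "error"

def probe(host, port, timeout=5.0):
    """Resolve host, attempt one TCP connect, and report address and verdict."""
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return {"host": host, "address": None, "verdict": classify(exc)}
    address = infos[0][4][0]  # compare this with the server's new IP address
    failure = None
    try:
        with socket.create_connection((address, port), timeout=timeout):
            pass
    except OSError as exc:
        failure = exc
    return {"host": host, "address": address, "verdict": classify(failure)}

if __name__ == "__main__":
    result = probe("fedora1.crownprod.com", 5222)  # host and port from the thread
    print(result, "-", HINTS[result["verdict"]])
```

A "filtered" verdict together with a resolved address that is not the server's current IP means the name mapping is stale rather than the firewall rule being wrong.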

Well, we’ve double checked all of the firewall configs and there’s nothing that should be blocking data between the two servers. We’ve looked over and over the logs, and it never shows the webserver even trying to connect to the openfire server, even with allowed and denied connections showing in the log. Any other communication between the webserver and any other source within our protected network shows up perfectly fine. I went ahead and reinstalled Tomcat hoping that something might have gotten fubar’ed with the Apache config, but we still get nothing when we do a connection test.

http://www.crownprod.com:8080

Could you try adding another box to your DMZ so you can test everything externally (you have already tested everything internally)? Once you are done, you can re-point the appropriate server to the internal box.