HP Serviceguard Version A.11.17 Release Notes, March 2006 (revised)

Compatibility Information and Installation Requirements
In addition, Serviceguard uses dynamic ports (typically in the range
49152-65535) for some cluster services. If you have adjusted the
dynamic port range using kernel tunable parameters, alter your rules
accordingly.
Serviceguard also uses the discard service (port 9/udp) during network
probing setup when running configuration commands such as cmcheckconf,
cmapplyconf, and cmquerycl. If the discard port is disabled, the command
will fail and you will get an error message in syslog.
System Firewalls
When using a system firewall such as HP-UX IPFilter with
Serviceguard, specific communications must be allowed to ensure proper
cluster operation. Specific IPFilter rules required by Serviceguard are
documented in the HP-UX IPFilter Administration Guide, available from
http://www.docs.hp.com -> Internet and Security Solutions.
General guidelines for using a system firewall with Serviceguard are
listed below.
- To enable intra-cluster communications, each HEARTBEAT_IP
  network on every node within the cluster must allow the following
  communications in both directions with all other nodes in the cluster:
    - tcp on port numbers 5300-5304, and 5408 - and allow only
      packets with the SYN flag
    - udp on port numbers 5300 and 5302
    - tcp and udp on dynamic ports (typically 49152-65535)
- If your Serviceguard configuration uses a quorum server, all nodes
  within the cluster must allow the following communication to the
  quorum server IP address:
    - tcp on port 1238 - and allow only packets with the SYN flag
- Any node providing quorum service for another cluster must allow
  the following communication from that cluster's nodes:
    - tcp on port 1238 - and allow only packets with the SYN flag
- Running the cmscancl command requires the "shell" port be open.
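
The heartbeat and quorum guidelines above, turned into a rule generator. This is an added example, not HP's code and not the rule set from the HP-UX IPFilter Administration Guide. It assumes standard IPFilter rule grammar and the use of `keep state`; the function names and the 192.0.2.x addresses are constructed for illustration.

```python
# Added example, not HP's documented rule set: emit IPFilter rules for the
# Serviceguard communications listed above. Assumption: `keep state` is used
# so that replies to an allowed packet are passed.

HB_TCP_PORTS = (5300, 5301, 5302, 5303, 5304, 5408)  # tcp 5300-5304 and 5408
HB_UDP_PORTS = (5300, 5302)
QUORUM_PORT = 1238
DYNAMIC_LOW = 49152  # typical start of the dynamic range; change if tuned


def _both_ways(proto, local, peer, port_expr, syn_only=False):
    """One inbound and one outbound rule between this node and a peer."""
    tail = " flags S keep state" if syn_only else " keep state"
    return [
        f"pass in quick proto {proto} from {peer} to {local} port {port_expr}{tail}",
        f"pass out quick proto {proto} from {local} to {peer} port {port_expr}{tail}",
    ]


def node_rules(local_hb_ip, peer_hb_ips, quorum_ip=None, dyn_low=DYNAMIC_LOW):
    """Rules for one HEARTBEAT_IP address of one cluster node."""
    rules = []
    for peer in peer_hb_ips:
        if peer == local_hb_ip:
            continue  # no rule needed from a node to itself
        for port in HB_TCP_PORTS:  # SYN-only, as the guideline states
            rules += _both_ways("tcp", local_hb_ip, peer, f"= {port}", syn_only=True)
        for port in HB_UDP_PORTS:
            rules += _both_ways("udp", local_hb_ip, peer, f"= {port}")
        for proto in ("tcp", "udp"):  # dynamic ports up to 65535
            rules += _both_ways(proto, local_hb_ip, peer, f">= {dyn_low}")
    if quorum_ip:  # cluster node talking to its quorum server
        rules.append(f"pass out quick proto tcp from any to {quorum_ip} "
                     f"port = {QUORUM_PORT} flags S keep state")
    return rules


def quorum_server_rules(qs_ip, cluster_node_ips):
    """Rules for a host that provides quorum service to another cluster."""
    return [f"pass in quick proto tcp from {node} to {qs_ip} "
            f"port = {QUORUM_PORT} flags S keep state" for node in cluster_node_ips]


if __name__ == "__main__":
    # Constructed sample addresses (RFC 5737 documentation range).
    nodes = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]
    print("\n".join(node_rules(nodes[0], nodes, quorum_ip="192.0.2.50")))
```

Run it once per node and per HEARTBEAT_IP network, and compare the output with the rules in the HP-UX IPFilter Administration Guide before loading anything.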