https://community.netapp.com/t5/ONTAP-Discussions/nfs-mount-denied-while-using-vpn-tunnel/m-p/443693#M42093 <P>Firewall : Is the Client allowed outbound traffic to TCP Port 2049 (NFSV4) ? It may be worth checking if this port is open.</P> Tue, 25 Apr 2023 08:51:29 GMT Ontapforrum 2023-04-25T08:51:29Z https://community.netapp.com/t5/ONTAP-Discussions/nfs-mount-denied-while-using-vpn-tunnel/m-p/443650#M42077 <P>I'm testing vpn access for our future remote workers. It's mostly done except I cannot mount to the storage.</P><P>&nbsp;</P><P>I checked the packets and confirmed they can communicate each other. But lookup to the storage denied with NFS4ERR_ACCESS error.</P><P>&nbsp;</P><P>I allowed access from IP range of vpn clients in ontap. I cannot guess another reason to be blocked.</P><P>&nbsp;</P><P>Could I check the reason why an access didn't allowed in ontap by commands? Or some hints would be great.</P><P>&nbsp;</P><P>Thanks in advance!</P> Wed, 04 Jun 2025 09:50:23 GMT https://community.netapp.com/t5/ONTAP-Discussions/nfs-mount-denied-while-using-vpn-tunnel/m-p/443650#M42077 yb 2025-06-04T09:50:23Z https://community.netapp.com/t5/ONTAP-Discussions/nfs-mount-denied-while-using-vpn-tunnel/m-p/443693#M42093 <P>Firewall : Is the Client allowed outbound traffic to TCP Port 2049 (NFSV4) ? It may be worth checking if this port is open.</P> Tue, 25 Apr 2023 08:51:29 GMT https://community.netapp.com/t5/ONTAP-Discussions/nfs-mount-denied-while-using-vpn-tunnel/m-p/443693#M42093 Ontapforrum 2023-04-25T08:51:29Z https://community.netapp.com/t5/ONTAP-Discussions/nfs-mount-denied-while-using-vpn-tunnel/m-p/443706#M42096 <P>Hello <a href="https://community.netapp.com/t5/user/viewprofilepage/user-id/73493">@Ontapforrum</a>&nbsp;</P><P>&nbsp;</P><P>In this case the client is a mac. (I got a linux pc too, but unfortunately it just broke.)</P><P>&nbsp;</P><P>I found it sends calls via port 61508, but ontap storage replies via 2049. I see they connects well, success to SETCLIENTID, SETCLIENTID_COFIRM call/reply. But lookup for the mount is denied.</P><P>&nbsp;</P><P>Should I be able to send the message through port 2409?</P> Tue, 25 Apr 2023 14:27:13 GMT https://community.netapp.com/t5/ONTAP-Discussions/nfs-mount-denied-while-using-vpn-tunnel/m-p/443706#M42096 yb 2023-04-25T14:27:13Z https://community.netapp.com/t5/ONTAP-Discussions/nfs-mount-denied-while-using-vpn-tunnel/m-p/443712#M42098 <P>Mac, interesting. Could you try linux ?</P><P>&nbsp;</P><P>I am wondering if the client OS is supported. Which NFSv4 version is it? 4.0/4.1/4.2?</P><P>&nbsp;</P><P>It may be worth checking which NFS clients ONTAP supports, see the Interoperability Matrix:<BR /><A href="https://mysupport.netapp.com/matrix" target="_blank">https://mysupport.netapp.com/matrix</A></P><P>&nbsp;</P><P>Also check this blog:<BR /><A href="https://whyistheinternetbroken.wordpress.com/2021/04/14/macos-nfs-clients-with-ontap-tips-and-considerations/" target="_blank">https://whyistheinternetbroken.wordpress.com/2021/04/14/macos-nfs-clients-with-ontap-tips-and-considerations/</A></P><P>&nbsp;</P> Tue, 25 Apr 2023 15:35:42 GMT https://community.netapp.com/t5/ONTAP-Discussions/nfs-mount-denied-while-using-vpn-tunnel/m-p/443712#M42098 Ontapforrum 2023-04-25T15:35:42Z https://community.netapp.com/t5/ONTAP-Discussions/nfs-mount-denied-while-using-vpn-tunnel/m-p/443922#M42133 <P>We have successfully run mac nfs clients inside of the network. That's the reason I think this is related with vpn.</P><P>&nbsp;</P><P>All of them uses nfs4.0 and krb5i for connection. And setup on my mac isn't different.</P><P>&nbsp;</P><P>Unfortunately, ssd on my linux is broken. I will try soon.</P> Mon, 01 May 2023 14:44:21 GMT https://community.netapp.com/t5/ONTAP-Discussions/nfs-mount-denied-while-using-vpn-tunnel/m-p/443922#M42133 yb 2023-05-01T14:44:21Z https://community.netapp.com/t5/ONTAP-Discussions/nfs-mount-denied-while-using-vpn-tunnel/m-p/443928#M42134 <P>Ok. In that case, we can rule out 'mac' as an issue. Have you done pktt (packet) trace on the ONTAP side ?</P><P>&nbsp;</P><P>Also, you could try the following command to check-access to particular client for test purpose:<BR />vserver export-policy check-access command checks whether a specific client is allowed access to a specific export path.<BR /><A href="https://docs.netapp.com/us-en/ontap-cli-93/vserver-export-policy-check-access.html#description" target="_blank">https://docs.netapp.com/us-en/ontap-cli-93/vserver-export-policy-check-access.html#description</A></P><P>&nbsp;</P><P>&nbsp;</P> Mon, 01 May 2023 20:09:14 GMT https://community.netapp.com/t5/ONTAP-Discussions/nfs-mount-denied-while-using-vpn-tunnel/m-p/443928#M42134 Ontapforrum 2023-05-01T20:09:14Z