ONTAP Discussions

nfs mount denied while using vpn tunnel

yb
2,191 Views

I'm testing VPN access for our future remote workers. It's mostly done, except I cannot mount the storage.

I checked the packets and confirmed they can communicate with each other. But the lookup to the storage is denied with an NFS4ERR_ACCESS error.

I allowed access from the IP range of the VPN clients in ONTAP. I cannot think of any other reason for it to be blocked.

Could I check with commands the reason why access was not allowed in ONTAP? Or some hints would be great.

Thanks in advance!

Ontapforrum
2,113 Views

Firewall: Is the client allowed outbound traffic to TCP port 2049 (NFSv4)? It may be worth checking if this port is open.

yb
2,097 Views

Hello @Ontapforrum

In this case the client is a Mac. (I have a Linux PC too, but unfortunately it just broke.)

I found it sends calls via port 61508, but the ONTAP storage replies via 2049. I see they connect well, with successful SETCLIENTID and SETCLIENTID_CONFIRM call/reply. But the lookup for the mount is denied.

Should I be able to send the message through port 2409?

Ontapforrum
2,093 Views

Mac, interesting. Could you try Linux?

I am wondering if the client OS is supported. Which NFSv4 version is it? 4.0/4.1/4.2?

It may be worth checking which NFS clients ONTAP supports; see the Interoperability Matrix:
https://mysupport.netapp.com/matrix

Also check this blog:
https://whyistheinternetbroken.wordpress.com/2021/04/14/macos-nfs-clients-with-ontap-tips-and-considerations/

yb
2,031 Views

We have successfully run Mac NFS clients inside the network. That's the reason I think this is related to the VPN.

All of them use NFSv4.0 and krb5i for the connection. And the setup on my Mac isn't different.

Unfortunately, the SSD in my Linux machine is broken. I will try soon.

Ontapforrum
2,022 Views

Ok. In that case, we can rule out the Mac as an issue. Have you done a pktt (packet) trace on the ONTAP side?

Also, you could try the following command to check access for a particular client for test purposes:
The vserver export-policy check-access command checks whether a specific client is allowed access to a specific export path.
https://docs.netapp.com/us-en/ontap-cli-93/vserver-export-policy-check-access.html#description