ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Ask a Question

nfs mount denied while using vpn tunnel

yb
‎2023-04-23 08:49 AM
2,192 Views

I'm testing vpn access for our future remote workers. It's mostly done except I cannot mount to the storage.

 

I checked the packets and confirmed they can communicate each other. But lookup to the storage denied with NFS4ERR_ACCESS error.

 

I allowed access from IP range of vpn clients in ontap. I cannot guess another reason to be blocked.

 

Could I check the reason why an access didn't allowed in ontap by commands? Or some hints would be great.

 

Thanks in advance!

0 Kudos
5 REPLIES 5

Ontapforrum
‎2023-04-25 01:51 AM
2,114 Views

Firewall : Is the Client allowed outbound traffic to TCP Port 2049 (NFSV4) ? It may be worth checking if this port is open.

0 Kudos

yb
‎2023-04-25 07:26 AM
2,098 Views

Hello @Ontapforrum 

 

In this case the client is a mac. (I got a linux pc too, but unfortunately it just broke.)

 

I found it sends calls via port 61508, but ontap storage replies via 2049. I see they connects well, success to SETCLIENTID, SETCLIENTID_COFIRM call/reply. But lookup for the mount is denied.

 

Should I be able to send the message through port 2409?

0 Kudos

Ontapforrum
‎2023-04-25 08:35 AM
2,094 Views

Mac, interesting. Could you try linux ?

 

I am wondering if the client OS is supported. Which NFSv4 version is it? 4.0/4.1/4.2?

 

It may be worth checking which NFS clients ONTAP supports, see the Interoperability Matrix:
https://mysupport.netapp.com/matrix

 

Also check this blog:
https://whyistheinternetbroken.wordpress.com/2021/04/14/macos-nfs-clients-with-ontap-tips-and-considerations/

 

0 Kudos

yb
‎2023-05-01 07:44 AM
In response to Ontapforrum
2,032 Views

We have successfully run mac nfs clients inside of the network. That's the reason I think this is related with vpn.

 

All of them uses nfs4.0 and krb5i for connection. And setup on my mac isn't different.

 

Unfortunately, ssd on my linux is broken. I will try soon.

0 Kudos

Ontapforrum
‎2023-05-01 01:09 PM
2,023 Views

Ok. In that case, we can rule out 'mac' as an issue. Have you done pktt (packet) trace on the ONTAP side ?

 

Also, you could try the following command to check-access to particular client for test purpose:
vserver export-policy check-access command checks whether a specific client is allowed access to a specific export path.
https://docs.netapp.com/us-en/ontap-cli-93/vserver-export-policy-check-access.html#description

 

 

0 Kudos
Announcements
All Community Forums
Public