Escolar Documentos
Profissional Documentos
Cultura Documentos
STATUS CODE 58: Can't connect to client. Troubleshooting procedures for Status 58
errors.
Error
Status Code: 58
Solution
Overview:
A status 58 error can occur during connections to legacy processes; bpcd, bprd, bpdbm, bpjobd,
vmd, etc.
When troubleshooting status 58 errors to a NetBackup host, the first thing to test is to whether
or not you can access the client Host Properties for that host from the master
server. Connecting to get the host properties uses the same ports and daemon processes as a
backup or restore. If it works the client daemon processes are running and listening on the
destination host, the TCP ports are open between these two hosts, and the destination host can
resolve the IP of the master and recognizes it as a valid server.
If Host Properties works and a client backup is using a storage unit on the master server, it
should work without getting the status 58 error.
NB 6.x and newer servers can use the bptestbpcd command to verify connectivity to the
destination host, e.g.
If still getting status 58 errors, the problem may be with the hostname <--> IP name resolution
using either DNS or the host files.
To test name resolution, run the following command on the NB host that is initiating the
connection. Be sure to check all media servers that can contact a client:
the IP addresses assigned to the source host. On clients, these commands should be run for all
master and media server network interfaces that should be used to connect to the client.
If the forward or reverse name resolution is not correct and consistent, then correct the name
resolution configuration used by the host. NetBackup will operate most efficiently when name
resolution matches the NetBackup configuration so that hosts can be identified unambiguously
and consistently.
Note: If the name resolution is intermittently wrong, then check for a failover DNS server with an
incorrect forward or reverse lookup record. Also be aware, that the incorrect information
returned will be cached by NetBackup for up to an hour and may affect a subsequent job retry.
Check if you are able to "ping" the destination host IP address from the source host.
ping <destination_IP_address>
This should be possible unless ICMP traffic is not permitted on the network. If this fails, consult
with your Network Administrator and server System Administrator. If ICMP traffic is not blocked,
they can resolve the layer 3 or IP network connectivity issue. Also double check the IP address
and netmask assigned to the network interfaces (NICs), intended to be used for the connection,
to ensure they are configured correctly.
The bpclntcmd -pn command is very useful for checking name resolution and connectivity to
the master server. When executed, the command does the following.
1. Gets the first server listed in the local servers list and, knowing it is the master server, does a
forward lookup of that hostname using the local name services configuration. Then also
determine the TCP port number for the daemon process on the destination host; veritas_pbx
(default for NB 7.1+), vnetd (default for NB 6.0-7.0), bprd.
2. If successful you should see the message "expecting response from <first_server>".
3. If the connection to the master server is via PBX or vnetd, the inbound connection will be
transferred to bprd. Then bprd will perform two functions. It first does a reverse lookup of the
incoming source IP address, that is the first hostname displayed on the second line of the
command output. Then it checks if the resolved hostname is in the server list (current server). If
not, it queries the policy database to see if that hostname is used as a client in any policy
(current client). If not it then queries the image database to see if that hostname has backup
images (past client). If found, the matched client is the second hostname displayed on the
second line of the command output.
In this example the client is otto.veritas.com, the master server is hal.veritas.com, and 'otto'
appears as a client in a policy. Be aware that this type of configuration is discouraged because
the mixed use of short names and fully qualified domain names (FQDNs) for the same host may
cause some NetBackup operations to fail since a derived FQDN can safely shortened for
comparison to a configured shortname, but a derived shortname cannot be extended to a FQDN
safely.
bpclntcmd -pn
expecting response from server hal.veritas.com
otto.veritas.com otto 10.82.110.6 3412
Create a debug log directory on the source host and set verbose to 5. It should
show the hostname and service name resolution and the outbound connection to the
master server. The debug log is named bplist prior to NB 7.6, and bpclntcmd at NB
7.6 and above.
Create a bprd debug log on the master server and set verbose to 5. It should
show the incoming connection, the reverse IP address to hostname resolution, and the
check to determine if the resolved hostname is a known server or client.
Are Daemon Processes Running?
Inbound connections are normally made via a super daemon listener which listens on the behalf
of other processes. On NetBackup versions 7.0.1 (UNIX) or 7.1 (Windows) or newer, the
connections will be made via the pbx_exchange process and then transferred to the destination
process or processes. On NetBackup 6.0 - 7.0, the connection will be made via the inetd/xinetd
(UNIX) or bpinetd (Windows) daemon processes, which will then start vnetd, which will then
either start bpcd or transfer the connection to an already running NB server daemon processes.
The destination process will typically be vnetd & bpcd or bprd (but possibly bpdbm, bpjobd,
vmd, etc). At NB versions 7.0.1 (UNIX) and 7.1 (Windows) the bpcd and vnetd processes
become persistent daemons like bprd, bpdbm, etc.
Use the ps command (UNIX) or Task Manager (Windows) to confirm the expected daemon
processes are running on the destination host. Make a note of the process IDs (PIDs), on
Windows it may be necessary to add the Process ID column to the display.
Ensure the destination daemons are listening on the destination host; typically PBX, vnetd, and
bpcd on TCP ports 1556, 13724, and 13782 respectively. The '-o' options on Windows and '-p'
option on Linux will include the PID of the listening process. If present it should match the ones
noted above from the ps or taskmgr commands. If not, a third-party process is utilizing the
NetBackup ports. This is not an issue if the PBX or vnetd port is open and available.
On Windows hosts:
On UNIX hosts:
netstat -a -p | grep LISTEN
*.vnetd *.* 0 0 49152 0 LISTEN 7326/vnetd
*.1556 *.* 0 0 49152 0 LISTEN 1839/pbx_exchange
*.bpcd *.* 0 0 49152 0 LISTEN 2748/bpcd
...snip...
Note: Use the 'netstat -n' option to suppress service name resolution and display the TCP port
numbers instead.
Note: See the version specific NetBackup Port Usage Guide for the other daemons and
associated port numbers.
First, initiate a connection from the source host to the TCP port number of the destination
daemon on the destination host. E.g.
Then check the netstat -n -a output on both hosts immediately. If you wait more than a second
or two, the connection may be torn down before you can see it's status.
Ideally, the output on both hosts will show the connection as ESTABLISHED. But more likely,
the source host will show a connection in SYN Sent state. That means the TCP stack on the
source host sent a TCP SYN packet onto the network, but did not receive a reply.
Check the destination host. If it does not show the same connection, then either a firewall
blocked the inbound TCP SYN or the network delivered the packet to a different host. Use
the traceroute(UNIX) or tracert (Windows) commands from the source host to the
destination IP address to determine if the network route is correct.
If the destination host shows the connection, but in a SYN Received state, then a firewall
blocked the TCP SYN+ACK that was returned outbound by the destination host.
If the connection is not show in the netstat output from either host, then typically some
networking layer component rejected the connection and returned a TCP RESET. Use a TCP
packet capture (e.g. snoop, tcpdump, Wireshark) to capture first the outbound TCP SYN on the
source host, then the inbound TCP SYNC on the destination host, and then the outbound reply.
If the connection is not shown in the netstat output from the source host but is shown in a
TCP Time Wait state on the destination host, then the connection was briefly ESTABLISHED,
but the NetBackup daemon process closed the connection. See the debug log for that
processes for additional details.
Note: The netstat output may show an unexpected source IP address for the connection. If the
source IP address does not appear to be correct, especially if the two hosts are on the same
network, then make two checks. First, check to see if the NetBackup configuration on the
source host contains a setting that will override the default source binding;
i.e. REQUIRE_INTERFACE, REQUIRED_NETWORK, PREFERRED_NETWORK, or
CLUSTER_NAME without ANY_CLUSTER_INTERFACE=YES. Those setting forces outbound
TCP SYN requests to use the configured source IP address, which may differ from the source
host routing table and thereby conflict with firewall rules. Either remove/correct the NetBackup
configuration or extend the firewall configuration as appropriate. Second, in the absence of a
NB source binding, check if there is a static host route or static network route that causes the
OS to select the unexpected source IP.
Host-resident Firewalls
Typically, any conflicting firewalls are located within the network cloud. However, they can also
reside on the end-stations and cause problems.
For NB 6.x and earlier UNIX hosts, check the /etc/inetd.conf file to see if there are any TCP
wrappers present. This example shows a TCP wrapper (tcpd) running on the bpcd port.
On UNIX, check the hosts.allow and hosts.deny files, they are typically located in
the /etcdirectory.
For Linux hosts, check for any iptables configuration that is performing unexpected packet
filtering.
On Windows, temporarily disable any firewalls (Domain, Private, or Public) or security intrusion
packages that are installed. If connections are then possible, update the firewall configuration
with appropriate exceptions for the needed TCP ports.
If the Resilient Network feature, introduced in NetBackup 7.5, is configured for the destination
host, then all connections will use only the vnetd port which must be open bi-directional between
the NB servers and the client. PBX will not be used. Check for this configuration on the master
server. An empty value indicates that it is not configured.
<install_path>/netbackup/bin/admincmd/bpgetconfig RESILIENT_NETWORK
RESILIENT_NETWORK
For vnetd and bpcd connection problems, on destination hosts, confirm that the executable
binary file is not corrupt.
On the destination host, create the debug log directory for the process, set verbose to 5, and try
to start the daemon from the command line. Be sure the program executes with appropriate
administrative privileges. E.g.
<install path>/netbackup/bin/bpcd
For bpcd processes started from inetd/xinetd/bpinetd, that should generate the following debug
log entries and prove the binary can be executed.
16:47:45.986 [5296.3376] <2> bpcd main: offset to GMT 21600
16:47:45.986 [5296.3376] <2> bpcd main: Got socket for input 3
16:47:46.017 [5296.3376] <2> logconnections: getsockname(3) failed: 10038
16:47:46.017 [5296.3376] <16> bpcd setup_sockopts: setsockopt 1 failed: h_errno 10038
16:47:46.017 [5296.3376] <2> bpcd main: setup_sockopts complete
16:47:46.158 [5296.3376] <2> vauth_acceptor: ..\libvlibs\vauth_comm.c.332: Function failed: 17
0x00000011
16:47:46.158 [5296.3376] <16> bpcd main: authentication failed: 17
16:37:50.399 [32571] <2> setup_debug_log: switched debug log file for bpcd
16:37:50.399 [32571] <2> bpcd main: VERBOSE = 0
16:37:50.399 [32571] <2> logparams: /usr/openv/netbackup/bin/bpcd
16:37:50.408 [32571] <2> process_requests: offset to GMT 21600
16:37:50.480 [32571] <8> vnet_get_peer_sock_names: [vnet_nbrntd.c:263] getsockname()
failed 88 0x58
16:37:50.480 [32571] <8> get_peer_or_sock_name: [vnet_nbrntd.c:710]
vnet_get_peer_sock_names() failed 10 0xa
16:37:50.480 [32571] <2> logconnections: nb_getsockname(0) failed
16:37:50.480 [32571] <2> process_requests: setup_sockopts complete
16:37:50.481 [32571] <8> vnet_get_peer_sock_names: [vnet_nbrntd.c:263] getsockname()
failed 88 0x58
16:37:50.481 [32571] <8> get_peer_or_sock_name: [vnet_nbrntd.c:710]
vnet_get_peer_sock_names() failed 10 0xa
16:37:50.481 [32571] <16> bpcd peer_hostname: nb_getpeername: Socket operation on nonsocket
16:37:50.481 [32571] <16> process_requests: Couldn't get peer hostname
It is normal to have the PID end with an error as in the above examples, the program was
expecting to be passed an inbound connection, but was not.
If the daemon process appears to be listening, but not accepting connections from remote
hosts, then test a local connection on the destination host to itself. Typically first to PBX, then to
the specific port for the destination daemon. E.g.
That should generate a log entry as seen below showing the source host being recognized as a
valid NB server.
16:52:46.077 [1160.5436] <2> bpcd main: offset to GMT 21600
16:52:46.077 [1160.5436] <2> bpcd main: Got socket for input 400
... The client sees the incoming connection from source IP address 10.82.105.254 ...
16:52:46.077 [1160.5436] <2> logconnections: BPCD ACCEPT FROM 10.82.105.254.44554
TO 10.82.110.6.13782
16:52:46.077 [1160.5436] <2> bpcd main: setup_sockopts complete
... Performs a successful reverse lookup of the incoming IP address and gets the hostname ...
16:52:46.092 [1160.5436] <2> bpcd peer_hostname: Connection from host hal.veritas.com
(10.82.105.254) port 44554
... Then compares the resolved hostname to the server list ...
16:52:46.092 [1160.5436] <2> bpcd valid_server: comparing hal.veritas.com and
hal.veritas.com
... The hostname compare succeeds ...
16:52:46.092 [1160.5436] <4> bpcd valid_server: hostname comparison succeeded
16:52:49.476 [1160.5436] <16> bpcd main: read failed: The operation completed successfully.
If any of these telnet tests fails to generate a log entry then there is something outside of
NetBackup that is preventing access to the daemon. Most likely firewall software of some sort;
see the Firewall topics above for some possibilities.
Checking for Name Resolution Delays
When testing connections to bpcd and other daemons be sure to check the time difference delta
between the "logconnections: <process> ACCEPT FROM <source> TO <destination>" and the
next few log messages that normally would show any IP address or hostname resolution. If
there are any delays of more than a second or two, that may cause the connecting process on
the source host to timeout. The responsiveness of the name services should be improved or
appropriate host file entries created to prevent excessive latency.
By default, NetBackup versions 7.0.1 (UNIX) and 7.1 (Windows) or newer will try to connect to
legacy daemons using first the PBX port, then the vnetd port, and then finally the daemon
port. If PBX is not reachable there will be a 10 second delay on some operating systems
before vnetd is attempted. If vnetd is not reachable there will be a similar 10 second delay
before the daemon port is attempted. These delays can cause other timeouts to occur. See
TECH162303 for additional details.
without first trying to connect via the PBX port (post-7.0.1/7.1) or vnetd port (post-5.1), then
check to see if there are unexpected Connect Options configured. There are three places this
setting could be configured.
To check the client connect options from the command line, use the following command on the
master server. A zero (0) in the second field or a two (2) in the third field indicates that PBX and
vnetd are not being used.
223
Note: You DO NOT have to stop and restart when making changes to the client attribute.
If someone has configured a Server Connect Option for the destination host, it will override the
Client Connect Options. This will need to be checked, and potentially corrected, on each host
that connects to the destination host. Again, a value of zero (0) in the second field or a two
(2) in the third field will cause NetBackup to skip using PBX and vnetd.
<install_path>/netbackup/bin/admincmd/bpgetconfig CONNECT_OPTIONS
CONNECT_OPTIONS = dest_host 0 1 0
If neither server nor client connect options are configured, then check if default connect options
are configured. This will need to be checked, and potentially corrected, on each host that
connects to the destination host. Again, a value of zero (0) in the second field or a two (2) in the
third field will cause NetBackup to skip using PBX and vnetd.
<install_path>/netbackup/bin/admincmd/bpgetconfig DEFAULT_CONNECT_OPTIONS
DEFAULT_CONNECT_OPTIONS = 0 1 0