NexentaStor - Access web console from different subnets

Solution 1

9 times out of 10, this is not NexentaStor at all, except that the default port, 2000, is one claimed by Cisco. Log in to the appliance using SSH as root, type "setup appliance init", and hit No to the first question; it then asks for HTTP/HTTPS and the port to use. You can use HTTP or HTTPS, but change the port to something else; I use 7878. Then try again. This is typically a Cisco ASA or other firewall filtering port 2000 that causes this symptom.
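One way to tell this symptom apart from an appliance-side problem, as an added example that is not part of the original answer: the probe completes the TCP handshake, sends a plain HTTP request, and reports whether anything came back. The function names are hypothetical, and it assumes the filtering device lets the handshake through but interferes with the payload.

```python
import socket

def probe_http(host, port, timeout=3.0):
    """Classify how a web console port answers a plain HTTP request.

    'unreachable' - TCP connect failed (closed port, routing, hard block)
    'no-reply'    - handshake completed, request sent, nothing came back
    'reset'       - peer or a middlebox closed/reset the connection
    'http'        - an HTTP status line came back
    'non-http'    - data came back that is not HTTP (e.g. TLS on this port)
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with sock:
        sock.settimeout(timeout)
        try:
            sock.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
            data = sock.recv(64)
        except socket.timeout:
            return "no-reply"
        except OSError:
            return "reset"
    if not data:
        return "reset"
    return "http" if data.startswith(b"HTTP/") else "non-http"

def compare_ports(host, ports=(2000, 7878), timeout=3.0):
    """Probe the default console port and an alternate one side by side."""
    return {port: probe_http(host, port, timeout) for port in ports}

if __name__ == "__main__":
    # Constructed stand-in for a filtered path: a listener that completes the
    # handshake (kernel backlog) but never answers, like telnet "working".
    silent = socket.socket()
    silent.bind(("127.0.0.1", 0))
    silent.listen(1)
    port = silent.getsockname()[1]
    print(port, probe_http("127.0.0.1", port, timeout=1.0))
    silent.close()
```

Run it once from a host on the appliance's subnet and once from the remote subnet: 'http' locally with 'no-reply' or 'reset' remotely points at a device on the path rather than at the appliance.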

Solution 2

I agree with those others who have suggested that it's likely the Nexenta is ignoring requests from "offsite" addresses as some kind of half-arsed security feature. If the approaches others have suggested don't help, and Nexenta can't tell you how to reconfigure the box to disable this feature, you might consider trying to "bounce" the connection off a local box (meaning one on the same subnet as the Nexenta) running sshd.

The details of ssh port forwarding are pretty widely documented, but the upshot would be to make a connection from your desktop (client) to server (the box on the same network as the Nexenta) as follows:

client% ssh server -L 2000:nexenta:2000

then using a local web browser to visit

http://localhost:2000

(or https if that's what the Nexenta speaks on port 2000).

Author: ewwhite

Updated on September 17, 2022

Comments

  • ewwhite almost 2 years
    I'm trying to access the NexentaStor web console via port 2000 from a different subnet than the system's main IP address. In my situation, this is either over a VPN or to access a remote Nexenta appliance over a private network. I can see the system via ping and telnet to port 2000, but the NMV interface does not work. Any ideas on how to accomplish this?
  • ewwhite over 13 years
    I've posted a few messages on the various Nexenta boards. No good solution has surfaced. I know it's a software-level filtering/firewall rule, but don't understand how or where to change the setting.
  • ewindisch over 13 years
    You could try (as root): svcadm disable network/ipfilter
  • ewwhite over 13 years
    Browsing to: http://server.ip gives me the default "It works!" page, but going to the console at port 2000 doesn't work.
  • ewwhite over 13 years
    I tried... No luck.
  • ewwhite over 13 years
    This is a good suggestion, and I'd definitely recommend it for some people. In my case, I'm trying to deploy NexentaStor units to locations around the world, and wanted to make sure that some of the standalone units were accessible. That also means admins who may not be well versed in SSH tunneling. I've still yet to receive a response from Nexenta on this.
  • ewwhite over 13 years
    I never got a real answer from Nexenta on this, so I've stuck with SSH tunnels. For multiple devices, I'm varying the local port of the tunnel. I also have an option to manage multiple Nexenta systems from one HTTP console session. (The units link to each other via SSH keys.)
  • ewwhite about 13 years
    Wow. You hit it on the head! An nmap of my Nexenta Storage nodes shows 2000/tcp open callbook. So the IANA port number that Nexenta uses is already allocated. Changing the port does fix this issue, as I tend to have Cisco ASA firewalls installed in most places. Is there also a workaround on the Cisco side (fixup, etc?) in the event that I need to keep port 2000 on the Nexenta unit?
  • slashdot over 12 years
    I just wanted to echo Andrew's point about Cisco ASA, and add that officially, port 2000 is reserved for Cisco's SCCP == en.wikipedia.org/wiki/Skinny_Client_Control_Protocol, and that it is used by other Cisco devices. In general I think it is a good idea to change the default port for the management interface. Changing the port is quite trivial via NMC (CLI management console). You will simply need to run setup appliance init and follow the prompts, adjusting the port to the one you desire when prompted for it.