Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition
   Home | Current Systems | Former STK Products | EOL Systems | Components | General Info | Search | Feedback

Asset ID: 1-72-2149606.1
Update Date:2018-05-10
Keywords:
Solution Type  Problem Resolution Sure

Solution  2149606.1 :   Solaris ipfilter settings can block traffic between Host and Service Processor causing "prtdiag -v" to lose environmental data and picld to report "PICL snmpplugin: cannot fetch object value"  

Related Items 
    

  • SPARC T4-1
    •  
  • Solaris Operating System
    •  
  • Oracle SuperCluster T5-8 Hardware
    •  
  • SPARC T5-2
    •  
  • SPARC SuperCluster T4-4
    •  
  • SPARC T3-1
    •  
  • SPARC T7-1
    •  
Related Categories 
    

  • PLA-Support>Sun Systems>SAND>Network>SN-SND: Sun Network Security
    •  




Provide solution to fix an issue caused by Solaris ipfilter settings blocking traffic on the Host to Service Processor interface (usbecm).

Applies to:

Solaris Operating System - Version 10 3/05 to 11.3 [Release 10.0 to 11.0]
SPARC T5-2 - Version All Versions to All Versions [Release All Releases]
SPARC T4-1 - Version All Versions to All Versions [Release All Releases]
SPARC T3-1 - Version All Versions to All Versions [Release All Releases]
SPARC T7-1 - Version All Versions to All Versions [Release All Releases]
Oracle Solaris on SPARC (64-bit)

Symptoms

Solaris Kernel IP Filter blocking traffic on the Host to Service Processor interface (usbecm) can cause the following errors / behavior:

  1. Many "PICL snmpplugin: cannot fetch object value" messages logged to /var/adm/messages:

    Jun 13 11:20:11 myhost picld[537]: [ID 162216 daemon.warning] PICL snmpplugin: cannot fetch object value (err=128, OID=<1.3.6.1.2.1.47.1.4.1>, row=0)
    Jun 13 11:20:11 myhost picld[537]: [ID 162216 daemon.warning] PICL snmpplugin: cannot fetch object value (err=128, OID=<1.3.6.1.2.1.47.1.1.1.1.2>, row=-1)


  2. "prtdiag -v" does not display environmental data

    # prtdiag -v

    System Configuration: Oracle Corporation sun4v SPARC T5-4
    Memory size: 1047552 Megabytes

    ================================ Virtual CPUs ================================

    ...

    /SYS/MB/SASHBA1 PCIE scsi-pciex1000,87 LSI /SYS/MB/SASHBA1 PCIE scsi-pciex1000,87
    /pci@4c0/pci@1/pci@0/pci@c/pci@0/pci@ /pci@4c0/pci@1/pci@0/pci@c/pci@0/

    -> no output after IO section

 

 

Cause

Solaris Kernel ipfilter (svc:/network/ipfilter:default) has been enabled with the following settings in /etc/ipf.conf (Solaris 10) or /etc/ipf/ipf.conf (Solaris 11):

block in log all
block out log all

As these settings block all communication by default, they cause ipfilter to block Host to Service Processor communication and picl daemon failing to retrieve data from the Service Processor.
 

Solution

To fix this issue, traffic between the Host and the Service Processor must be allowed in /etc/ipf.conf or /etc/ipf/ipf.conf.

  1. Determine which interface is the internal Host to Service Processor interface (usbecm) and the interface's IP Address.

    Solaris 10:

    # ifconfig -a

    usbecm0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 6
    inet 169.254.182.77 netmask ffffff00 broadcast 169.254.255.255

    Solaris 11:

    # dladm show-phys -Z

    LINK ZONE MEDIA   STATE SPEED DUPLEX DEVICE
    net8 global Ethernet up        10            full       usbecm2

    # ipadm

    NAME CLASS/TYPE STATE UNDER ADDR
    net8         ip                  ok             --      --
    net8/v4    static             ok             --      169.254.182.77/24

    In this example, the interface net8 (usbecm0 on Solaris 10) uses the default IP Address 169.254.182.77.


  2. Determine which IP Address is used by the Service Processor for the internal Service Processor to Host interface (/SP/network/interconnect).

    In ILOM CLI:

    -> /SP/network/interconnect

    /SP/network/interconnect

            Properties:       
            hostmanaged = true       
            type = USB Ethernet
            ipaddress = 169.254.182.76
            ipnetmask = 255.255.255.0
            spmacaddress = 02:21:28:51:42:16
            hostmacaddress = 02:21:28:5A:4B:17

    In this example, the /SP/network/interconnect interface uses the default IP Address 169.254.182.76.


  3. Add the following rules to /etc/ipf.conf or /etc/ipf/ipf.conf to allow traffic between Host and Service Processor:

    pass in on (Host Interface) from (IP Address of Service Processor interconnect) to (IP Address of Host Interface)
    pass out on (Host Interface) from (IP Address of Host Interface) to (IP Address of Service Processor interconnect)

    Example rules, per Solaris 11 / ILOM readouts from 2.:

    pass in on net8 from 169.254.182.76 to 169.254.182.77
    pass out on net8 from 169.254.182.77 to 169.254.182.76


  4. Restart ipfilter:

    # svcadm restart svc:/network/ipfilter:default


  5. Restart picld:

    # svcadm restart svc:/system/picl:default


  6. Wait 2-3 minutes to allow picld to collect data, then verify "prtdiag -v" reports environmental data.

    Check that no new "PICL snmpplugin: cannot fetch object value" messages are reported in /var/adm/messages


  7. If "prtdiag -v" still reports no environmental data and/or  "PICL snmpplugin: cannot fetch object value" messages are reported again in /var/adm/messages after implementing the above actions, please log a Service Request for further investigation.

 

 

For determining ipfilter settings, you can use command output /netinfo/ipfstat_-io.out in Explorer output as files /etc/ipf.conf (/etc/ipf/ipf.conf) are not collected by Explorer.

 


Attachments 
This solution has no attachment
  Copyright © 2018 Oracle, Inc.  All rights reserved.
 Feedback