RE: PVA connection problem [SEC=UNOFFICIAL]

["STARRITT, Andrew via Tech-talk" <tech-talk at aps.anl.gov>]

Hi all,

What was the final solution here?

I tried on one of our Control Room OPI hosts.
With the client side firewall off, everything worked as expected.
With client side firewall on, I had no access, even with using pvxs.

The host running the IOC is hosting only one IOC; and its firewall is on.

The client host is running  CentOS Stream 8, and the firewall rules,
pvget and pvxget info is show below.


[host]# firewall-cmd  --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s31f6
  sources:
  services: cockpit dhcpv6-client rdp ssh vnc-server zabbix-agent
  ports: 5064/udp 5064/tcp 5065/udp 5065/tcp 5075/udp 5075/tcp 5076/udp 5076/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports: 5064/udp 5064/tcp 5065/udp 5065/tcp 5075/udp 5075/tcp 5076/udp 5076/tcp
  icmp-blocks:
  rich rules:

[host]$ pvget -V
pvAccess 7.1.6
pvData 8.0.5
Base 7.0.7

[host]$ pvxget -V
PVXS 1.2.3 (2023-10-03T03:18+1100)
EPICS 7.0.7
libevent 2.1.8-stable


Regards
Andrew

PS A throw away question, maybe worthy of its own thread. Why is there no pvaRepeater?

UNOFFICIAL

-----Original Message-----
From: Tech-talk <tech-talk-bounces at aps.anl.gov> On Behalf Of Michael Davidsaver via Tech-talk
Sent: Friday, 15 September 2023 10:11 PM
To: Jure Varlec <jure.varlec at cosylab.com>
Cc: tech-talk at aps.anl.gov
Subject: Re: PVA connection problem

CAUTION, EXTERNAL EMAIL: This message has come from outside of ANSTO. Do not take action, click links or open attachments unless you trust the source of this message and know the content is safe. Report spam and phishing using the Report Message button or if unsure, forward this message to servicedesk at ansto.gov.au as an attachment.


On 9/15/23 11:20, Jure Varlec via Tech-talk wrote:
> On 9/15/23 09:24, Ralph Lange via Tech-talk wrote:
>>
>> Sorry for asking the obvious:
>> Have you tried adding the PVA ports 5075/5076 in the same way as the CA ports 5064/5065?
>>
>> Cheers,
>> ~Ralph
>
> But note that, depending on the firewall's connection tracking, just adding these ports may not be sufficient to talk to IOCs because of an issue in pvAccessCPP. Ask me how I know ...
>
> https://gith/
> ub.com%2Fepics-base%2FpvAccessCPP%2Fissues%2F159&data=05%7C01%7Candrew
> s%40ansto.gov.au%7C6b7f50e0c54a4d58b23708dbb5e4d08c%7C4cbf9a84567a44d0
> 9db11dbfbf8393f0%7C0%7C0%7C638303766597515999%7CUnknown%7CTWFpbGZsb3d8
> eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3
> 000%7C%7C%7C&sdata=IXAsxtcFRhq72oi1UJaNzUhymPBgRrMV5LQWKxpPQX8%3D&rese
> rved=0

Thank you for giving me an opportunity to mention that PVXS address both issues :)

Concerning #159 , a PVXS server search replies will come from the search port (5076/udp by default), so a stateful firewall can more easily associate search request with reply.

Also, PVXS servers use EPICS_PVAS_SERVER_PORT to choose a fixed TCP port other than 5075, which can help in situations with a firewall and more than one IOC.

https://mdavidsaver.github.io/pvxs/