Closed Bug 1181888 Opened 10 years ago Closed 10 years ago

Can't reach corpdmz.scl3 from MTV A/V VLAN

Categories

(Infrastructure & Operations Graveyard :: NetOps: Other, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: richard, Assigned: dcurado)

Details

It's not possible to control the wowza streaming engines at: http://wowza1.corpdmz.scl3.mozilla.com:8088/enginemanager/ and http://wowza2.corpdmz.scle.mozilla.com:8088/enginemanager from the A/V vlan in MTV2 (e.g. from 10.252.55.160). This also needs to work from the voip vlan in offices where there is either no A/V vlan or there are A/V infrastructure machines still on the voip vlan.
Looks like what is needed is for the policy:

dcurado@fw1.ops.mtv2.mozilla.net> show security policies from-zone corp to-zone vpn policy-name corpdmz-any detail | no-more
node0:
--------------------------------------------------------------------------
Policy: corpdmz-any, action-type: permit, State: enabled, Index: 329, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 5
  From zone: corp, To zone: vpn
  Source addresses:
    voip-ww_10(global): 10.252.40.0/21
    voip-ww_9(global): 10.251.40.0/21
    voip-ww_8(global): 10.249.40.0/21
    voip-ww_7(global): 10.248.40.0/21
    voip-ww_6(global): 10.247.40.0/21
    voip-ww_5(global): 10.246.40.0/21
    voip-ww_4(global): 10.245.40.0/21
    voip-ww_3(global): 10.244.40.0/21
    voip-ww_2(global): 10.243.40.0/21
    voip-ww_1(global): 10.242.40.0/21
    voip-ww_0(global): 10.241.40.0/21
    corp-ww_10(global): 10.252.24.0/21
    corp-ww_9(global): 10.251.24.0/21
    corp-ww_8(global): 10.249.24.0/21
    corp-ww_7(global): 10.248.24.0/21
    corp-ww_6(global): 10.247.24.0/21
    corp-ww_5(global): 10.246.24.0/21
    corp-ww_4(global): 10.245.24.0/21
    corp-ww_3(global): 10.244.24.0/21
    corp-ww_2(global): 10.243.24.0/21
    corp-ww_1(global): 10.242.24.0/21
    corp-ww_0(global): 10.241.24.0/21
    corp-ww_18(global): 2a04:a40:1000:e0::/64
    corp-ww_17(global): 2620:101:80fc:224::/64
    corp-ww_16(global): 2620:101:80fb:224::/64
    corp-ww_15(global): 2001:cb0:b202:224::/64
    corp-ww_14(global): 2001:450:1f:224::/64
    corp-ww_13(global): 2001:450:1e:224::/64
    corp-ww_12(global): 2001:450:1d:224::/64
    corp-ww_11(global): 2001:450:1c:224::/64
  Destination addresses:
    corpdmz.scl3-net_0(global): 10.22.72.0/24
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No

to include:

address audio-video-ww_0 10.242.48.0/21;
address audio-video-ww_1 10.243.48.0/21;
address audio-video-ww_2 10.244.48.0/21;
address audio-video-ww_3 10.245.48.0/21;
address audio-video-ww_4 10.246.48.0/21;
address audio-video-ww_5 10.247.48.0/21;
address audio-video-ww_6 10.248.48.0/21;
address audio-video-ww_7 10.249.48.0/21;
address audio-video-ww_8 10.251.48.0/21;
address audio-video-ww_9 10.252.48.0/21;
Assignee: network-operations → dcurado
Status: NEW → ASSIGNED
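A check for the coverage gap the policy dump above describes, added here as example code (not from the bug, nor from Mozilla's firewall tooling): it parses the address blocks of `show security policies ... detail` output, reports which audio-video-ww_* prefixes no source address of the policy contains, and tests whether the reporter's host 10.252.55.160 would match. The embedded dump is an abridged excerpt of the one quoted in the comment.

```python
import ipaddress
import re

# Abridged excerpt of the corpdmz-any policy dump quoted in the comment above.
POLICY_DETAIL = """\
Policy: corpdmz-any, action-type: permit, State: enabled, Index: 329
  From zone: corp, To zone: vpn
  Source addresses:
    voip-ww_10(global): 10.252.40.0/21
    corp-ww_10(global): 10.252.24.0/21
    corp-ww_18(global): 2a04:a40:1000:e0::/64
  Destination addresses:
    corpdmz.scl3-net_0(global): 10.22.72.0/24
  Application: any
"""

# The audio-video-ww_* prefixes the comment says the policy must include.
AV_PREFIXES = [ipaddress.ip_network(f"10.{o}.48.0/21")
               for o in (242, 243, 244, 245, 246, 247, 248, 249, 251, 252)]

# One address-book entry line: "name(book): prefix"
ADDR_RE = re.compile(r"^\s*(\S+)\(\S+\):\s+(\S+)\s*$")

def parse_policy_addresses(text):
    """Return {'source': [...], 'destination': [...]} as ip_network objects."""
    found = {"source": [], "destination": []}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        match = ADDR_RE.match(line)
        if stripped == "Source addresses:":
            section = "source"
        elif stripped == "Destination addresses:":
            section = "destination"
        elif section and match:
            found[section].append(ipaddress.ip_network(match.group(2)))
        else:
            section = None  # any other line ends the current address block
    return found

def uncovered_prefixes(required, covered):
    """Required networks that no covered network of the same IP version contains."""
    return [need for need in required
            if not any(need.version == have.version and need.subnet_of(have)
                       for have in covered)]

def source_allows(policy, host):
    """True if host falls inside one of the policy's source addresses."""
    addr = ipaddress.ip_address(host)
    return any(addr.version == net.version and addr in net
               for net in policy["source"])
```

Run `uncovered_prefixes(AV_PREFIXES, parse_policy_addresses(POLICY_DETAIL)["source"])` against a fresh dump after the change to confirm it returns an empty list.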
jbarnell, can you review/comment?
Flags: needinfo?(jbarnell)
That looks correct ... perhaps Michal wants to comment. This may be one of those cases we're seeing more and more of where devices can't support OpenVPN clients.
Flags: needinfo?(jbarnell) → needinfo?(mpurzynski)
If we already allow communication from VOIP and Corp Vlans then AV is not a problem either.
Flags: needinfo?(mpurzynski)
OK, Thanks Michal. I'll work on this change now. Dave
This configuration change has been pushed out to all firewalls that are currently managed by Ansible, aka the standard office firewall configuration. This includes MTV2, AKL1, LON1, PAR1, TOR1 and YVR1. The remainder of the office firewalls will be updated with this policy as the standard configuration is rolled out to each remaining office. Richard, can you please verify that you have the access you require from MTV2? Thank you.
Status: ASSIGNED → UNCONFIRMED
Ever confirmed: false
Flags: needinfo?(richard)
Dave, Yes, works fine from MTV. Thanks! I'll test from other offices as I visit them and reopen this if there's a problem.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Flags: needinfo?(richard)
Resolution: --- → FIXED
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard