EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System

1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  <20172018  2019  2020  2021  2022  2023  2024  Index 1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  <20172018  2019  2020  2021  2022  2023  2024 
<== Date ==> <== Thread ==>

Subject: Re: caget() from C++
From: Mark Rivers <[email protected]>
To: "Church, Eric D" <[email protected]>
Cc: "Mendez, Jennifer M" <[email protected]>, EPICS Tech Talk <[email protected]>
Date: Thu, 7 Dec 2017 03:17:27 +0000
> Now, the question is can you tell us how to set the firewall rule to allow the EPICS traffic, so that we may re-enable the firewall and have functional EPIC monitoring and control?


This tech-talk message has a recipe for iptables


http://www.aps.anl.gov/epics/tech-talk/2012/msg01449.php


However, I believe that only works for a single IOC on port 5064.


For multiple IOCs you need to consult this document:


https://wiki-ext.aps.anl.gov/epics/index.php/How_to_Make_Channel_Access_Reach_Multiple_Soft_IOCs_on_a_Linux_Host


Mark


________________________________
From: Mark Rivers
Sent: Wednesday, December 6, 2017 8:53 PM
To: Church, Eric D
Cc: Kasemir, Kay; Ralph Lange; EPICS Tech Talk; Mendez, Jennifer M
Subject: Re: caget() from C++

You do need to set EPICS_CA_AUTO_ADDR_LIST=NO to disable the multiple PV location warnings. If you don’t then it still uses all the default broadcast addresses, in addition to anything you specify with EPIC_CA_ADDR_LIST.

I don’t recall how to configure iptables for CA but I think Google or tech-talk search should find it.

Mark





Sent from my iPhone

> On Dec 6, 2017, at 8:42 PM, Church, Eric D <[email protected]> wrote:
>
> Hi, Mark, et al:
>
> Today, we discovered that our shutoff of the firewall via the GUI had not in fact had any effect, and “system iptables stop” does what we’d thought  we’d achieved all along.
>
> With the firewall off I can state that we now can do cainfo and camonitor against PVs on both of our IOCs. So, we’re happy about this; the css and archive-engine clients continue to all consistently allow reporting and monitoring too. We suddenly see your warnings that you mention below. All EPICS environment variables are unset. I quickly tried to set EPICS_CA_ADDR_LIST to my 130.20.x.y broadcast address, per your comment below, but that did not make the cainfo’s warnings disappear. I’ll try the 192.168.x.y broadcast address later. Maybe I need to set EPICS_CA_AUTO_ADDR=NO again. This is relatively unimportant at this point.
>
> Now, the question is can you tell us how to set the firewall rule to allow the EPICS traffic, so that we may re-enable the firewall and have functional EPIC monitoring and control?
>
> Thanks for all the help -- Eric
>
> On 12/5/17, 8:29 PM, "Mark Rivers" <[email protected]> wrote:
>
>    Hi Eric,
>
>
>    I should mention one thing.
>
>
>    If you have the following configuration:
>
>
>    - More than 1 network interface
>
>    - EPICS_CA_ADDR_LIST not set
>
>    - IOC running on the machine
>
>    - CA client (e.g. camonitor) on the same machine
>
>
>    then you should actually should receive warning messages each time your client connects to a PV.  The warning will be that there are duplicates of that PV because each PV appears to be located on each of the network interfaces.  The above configuration is actually what you have tried, but you were not seeing these warnings.
>
>
>    In order to avoid these warnings (once your current problem is solved) you need to tell the client to only search on one network interface by setting EPICS_CA_ADDR_LIST to the broadcast address of 1 (and only 1) network interface.
>
>
>    There is another solution in 3.15.4 and higher which is to configure the IOC with EPICS_CAS_INTF_ADDR_LIST rather than configuring the clients as above.
>
>
>    I would suggest that you should try this:
>
>
>    - Unset EPICS_CA_ADDR_LIST and EPICS_CA_AUTO_ADDR_LIST
>
>    - Make sure all firewalls are disabled.  I believe the firewall can block even local clients, though I am not sure about that.
>
>
>    I guess another obvious test under those conditions is to see if you can access the PVs from another machine.  You should be able to.  If you can, but still cannot access them from the local machine that will tell us something.
>
>
>    Mark
>
>
>
>
>    ________________________________
>    From: Church, Eric D <[email protected]>
>    Sent: Tuesday, December 5, 2017 9:33 PM
>    To: Mark Rivers; 'Kasemir, Kay'; Ralph Lange; EPICS Tech Talk
>    Cc: Mendez, Jennifer M
>    Subject: Re: caget() from C++
>
>    So, indeed, the warnings go away when I set EPICS_CA_AUTO_ADDR_LIST=NO. However, no matter if I use my eth0 or eth1 broadcast address, I can not use camonitor on either set of IOC’s PVs.
>
>    Along these lines, I tried to read Kay’s 2012 post (http://www.aps.anl.gov/epics/tech-talk/2012/msg02356.php), that motivated the following effort:
>    I tried firing up IOC1 with EPICS_CA_ADDR_LIST=eth0bcast:5065, EPICS_CA_ PORT=5065 and IOC2 with EPICS_CA_ADDR_LIST=eth0bcast:5066, EPICS_CA_ PORT=5066, and in the session where I run camonitor I say EPICS_CA_ADDR_LIST=” eth0bcast:5066”. I also tried it with eth0->eth1.
>
>    camonitor fails when I do this, and CSS and archive-engine do also. Only, it seems, if I set EPICS_CA_ADDR_LIST=localhost can I use camonitor, and only then on the PVs of the second IOC that I fire up.
>
>
>    What is so non-standard about my network on this everything-on-one-computer setup of mine? Does a firewall even matter in this case?
>
>    - Eric
>
>
>    On 12/5/17, 2:45 PM, "Mark Rivers" <[email protected]> wrote:
>
>        If you set the EPICS_CA_ADDR_LIST to the broadcast address then you must also set EPICS_CA_AUTO_ADDR_LIST=NO.  That is why you are getting these warnings, because these broadcast addresses were already being used because EPICS_CA_AUTO_ADDR_LIST was defaulting to YES.
>
>        Warning: Duplicate EPICS CA Address list entry "192.168.1.255:5064" discarded
>        Warning: Duplicate EPICS CA Address list entry "130.20.49.255:5064" discarded
>
>
>> -----Original Message-----
>> From: Church, Eric D [mailto:[email protected]]
>> Sent: Tuesday, December 05, 2017 4:06 PM
>> To: Mark Rivers; 'Kasemir, Kay'; Ralph Lange; EPICS Tech Talk
>> Cc: Mendez, Jennifer M
>> Subject: Re: caget() from C++
>>
>>
>> I attach a file showing my efforts at setting this variable in the xterm session in which I run
>> my caxyz commands and the record of my puzzling problems. Before trying to export these
>> values of EPICS_CA_ADDR_LIST, all was well. Whereas, after setting it, failingx2, if I
>> unset it I can not connect: I am not returning to successful camonitoring of just even one
>> IOC.
>>
>> Note: all the relevant-looking complaints from my 2nd IOC terminal in the attached file ….
>>
>> - Eric
>>
>>
>>
>>> On 12/5/17, 1:43 PM, "Mark Rivers" <[email protected]> wrote:
>>>
>>> Looks like the EPICS_CA_ADDR_LIST used by camonitor is not using the broadcast
>> address of your host.
>>
>>    It should be doing that automatically without you needing to set
>> EPICS_CA_ADDR_LIST.  Can you send the output of the following commands Linux
>> command in the shell where you are running camonitor.
>>
>>    ifconfig
>>    printenv | grep EPICS
>>
>>    At the IOC shell prompt on both the first and second IOCs send the output of
>>
>>    epicsPrtEnvParams
>>
>>
>>    What happens if you set EPICS_CA_ADDR_LIST manually to the broadcast address of
>> your system?  For example on my system ifconfig shows:
>>
>>    p5p1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>>            inet 164.54.160.82  netmask 255.255.255.0  broadcast 164.54.160.255
>>            inet6 fe80::3efd:feff:fea3:f258  prefixlen 64  scopeid 0x20<link>
>>            ether 3c:fd:fe:a3:f2:58  txqueuelen 1000  (Ethernet)
>>            RX packets 80276465019  bytes 92598173910474 (84.2 TiB)
>>            RX errors 0  dropped 114  overruns 0  frame 0
>>            TX packets 32261858165  bytes 16671972218313 (15.1 TiB)
>>            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>>
>>    So I would set EPICS_CA_ADDR_LIST=164.54.160.255
>>
>>    Mark
>>
>>
>>
>>
>>> -----Original Message-----
>>> From: Kasemir, Kay [mailto:[email protected]]
>>> Sent: Tuesday, December 05, 2017 3:37 PM
>>> To: Church, Eric D; Mark Rivers; Ralph Lange; EPICS Tech Talk
>>> Cc: Mendez, Jennifer M
>>> Subject: Re: caget() from C++
>>>
>>>> Indeed camonitor can properly watch a channel on the first IOC when only it is
>> running. I
>>> can dial up and down the voltage from CSS on a particular PV on this first IOC and
>> watch
>>> it move on camonitor. >When I start the second IOC I can continue this exercise on
>> POVs
>>> on the first IOC. If I kill camonitor, per your suggestion, I can not start it again on a PV
>> on
>>> the first IOC. And if I kill the second IOC I can >once again start camonitor
>> successfully on
>>> a PV on the first IOC.
>>>
>>>> What does it mean, do ya think?
>>>
>>> Looks like the EPICS_CA_ADDR_LIST used by camonitor is not using the broadcast
>>> address of your host.
>>
>>
>>
>
>
>
>
>

References:
caget() from C++ Church, Eric D
Re: caget() from C++ Andrew Johnson
Re: caget() from C++ Church, Eric D
Re: caget() from C++ Mark Rivers
Re: caget() from C++ Church, Eric D
RE: caget() from C++ Mark Rivers
Re: caget() from C++ Church, Eric D
RE: caget() from C++ Mark Rivers
Re: caget() from C++ Church, Eric D
Re: caget() from C++ Mark Rivers
Re: caget() from C++ Ralph Lange
Re: caget() from C++ Mark Rivers
Re: caget() from C++ Church, Eric D
Re: caget() from C++ Kasemir, Kay
RE: caget() from C++ Mark Rivers
Re: caget() from C++ Church, Eric D
RE: caget() from C++ Mark Rivers
Re: caget() from C++ Church, Eric D
Re: caget() from C++ Mark Rivers
Re: caget() from C++ Church, Eric D
Re: caget() from C++ Mark Rivers

Navigate by Date:
Prev: Re: caget() from C++ Mark Rivers
Next: Bug in sampleStartup.sh of archiverAppliance? Jörn Dreyer
Index: 1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  <20172018  2019  2020  2021  2022  2023  2024 
Navigate by Thread:
Prev: Re: caget() from C++ Mark Rivers
Next: EPICS base R3.15.5-1.0 special CONFIG and RULE files Luchini, Kristi L.
Index: 1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  <20172018  2019  2020  2021  2022  2023  2024 
ANJ, 21 Dec 2017 Valid HTML 4.01! · Home · News · About · Base · Modules · Extensions · Distributions · Download ·
· Search · EPICS V4 · IRMIS · Talk · Bugs · Documents · Links · Licensing ·