Starting with CSO 5.1.1, the AMQP (RabbitMQ) port TCP 5672 is blocked

Article ID: KB36129 | Last Updated: 31 Jul 2020 | Version: 1.0

Summary:

Starting with CSO 5.1, the RabbitMQ message queuing service on TCP port 5672 (AMQP) is blocked because of access and security concerns.

With the new configuration of the NGINX micro-service introduced in 5.1.1, the 5672 service is not exposed by default.

Symptoms:

Starting with CSO 5.1.1, users can no longer subscribe third-party systems to the CSO RMQ service via TCP port 5672.

TCP port 5672 is no longer exposed by CSO to the outside (the path is now HAPROXY > NGINX).

Cause:

Concerns:
  • RBAC for RMQ is not available.
  • RABBITMQ_NODE_PORT '5672' is a critical connection port; any issue with it can affect the server's messaging system.

Usage:

  • CSO and NSC use a message bus scheme (RabbitMQ) to publish notifications about system events.
  • Users can open a direct connection to the CSO RabbitMQ service and subscribe to relevant topics in order to build their own monitoring, supervision and data services.
Solution:

Enable the TCP 5672 service via a workaround

Take the following steps to list port 5672 in open state:

  1. ssh to your startup server (execute ./get_vm_details.sh to find the startup server IP):

    from the CSO host server

    root@startupserver1: ssh <startupserver IP>
  2. Change the dir to /opt/charts/nginx-ingress:

    ~# cd /opt/charts/nginx-ingress
  3. Edit the file values.yaml and add the entry 5672: "infra/rabbitmq-ha:5672" to the tcp map:

    vi values.yaml → add 5672

    Example:

    tcp: {7804: "regional/csp-device-init-conn:7804", 9090: "infra/swift-svc:9090", 2514: "central/csp-secmgt-jingest-syslog:8082", 2379: "infra/etcd-etcd:2379", 2216: "regional/csp-telemetry-converter:8082", 9200: "infra/elasticsearch:9200", 5000: "infra/jkeystone:5000", 35357: "infra/jkeystone:35357", 15672: "infra/rabbitmq-ha:15672", 5672: "infra/rabbitmq-ha:5672", 8529: "infra/arangodb-cluster-ea:8529", 2181: "infra/zookeeper-zookeeper:2181", 8060: "regional/csp-as-regional-phs:8083"}
    ---------

    Then save and exit the file values.yaml

  4. Execute the following command:

    root@startupserver1:/opt/charts/nginx-ingress# helm upgrade nginx-ingress .       (do not omit the trailing dot)
  5. Now 5672 should be available for NGINX connections. To verify, run the following command:

    # kubectl get svc -n infra | grep nginx | grep 5672
     
    Example:
    -----
    nginx-ingress-controller          LoadBalancer   10.100.228.160   192.168.10.16   80:32086/TCP,443:31269/TCP,15672:31575/TCP,2181:32474/TCP,2216:31006/TCP,2379:32749/TCP,2514:32081/TCP,35357:30525/TCP,5000:31709/TCP,5672:30368/TCP,7804:31106/TCP,8060:30472/TCP,8529:32112/TCP,9090:32439/TCP,9200:32718/TCP   4d
    -----
  6. Add a NAT rule to forward the traffic to the NGINX IP on port 5672.

    a) Exit from the startup server

    b) Change the dir to:

      # cd /root/Contrail_Service_Orchestration_5.1.1/ci_cd      (path for a 5.1.1 installation)

    c) Edit setup_NAT_rule.sh

    # vi setup_NAT_rule.sh

     Add a rule for 5672 below the existing 15672 line, i.e.

    'iptables -t nat -A PREROUTING -d $IP_ADDRESS_MANAGEMENT_INTERFACE/32 -p tcp -m tcp --dport 5672 -j DNAT --to-destination $NGINX_IP:5672'

    Example:

    iptables -t nat -A PREROUTING -d $IP_ADDRESS_MANAGEMENT_INTERFACE/32 -p tcp -m tcp --dport 15672 -j DNAT --to-destination $NGINX_IP:15672
    iptables -t nat -A PREROUTING -d $IP_ADDRESS_MANAGEMENT_INTERFACE/32 -p tcp -m tcp --dport 5672 -j DNAT --to-destination $NGINX_IP:5672

    d) Save and exit the file setup_NAT_rule.sh

  7. Run setup_NAT_rule.sh from the same dir.

    ./setup_NAT_rule.sh

  8. Check the port status:

    Example:

    iptables -t nat -L | grep :5672
         target     prot opt source               destination
         DNAT       tcp  --  anywhere             <Host Server>        tcp dpt:amqp to:192.168.10.16:5672

Note: The above is a workaround to expose port 5672 through NGINX.
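As an added check that is not part of this article or of CSO, the following Python script cross-checks the three layers the workaround touches (the nginx-ingress tcp map in values.yaml, the LoadBalancer service ports from kubectl, and the PREROUTING DNAT rule from iptables) and flags a DNAT rule that accepts any source, since RMQ has no RBAC. The sample inputs are constructed to mirror the article's output: 192.168.10.16 is the NGINX IP from the article's example, and 10.0.0.5 is a made-up management address.

```python
import re

# Constructed samples modelled on the article's output; 192.168.10.16 is the article's NGINX IP, 10.0.0.5 is made up.
VALUES_TCP_LINE = ('tcp: {15672: "infra/rabbitmq-ha:15672", 5672: "infra/rabbitmq-ha:5672", '
                   '8529: "infra/arangodb-cluster-ea:8529"}')
KUBECTL_SVC_LINE = ("nginx-ingress-controller   LoadBalancer   10.100.228.160   192.168.10.16   "
                    "80:32086/TCP,443:31269/TCP,15672:31575/TCP,5672:30368/TCP   4d")
IPTABLES_NAT_LINES = [  # header line plus the one DNAT rule the workaround adds
    "target     prot opt source               destination",
    "DNAT       tcp  --  anywhere             10.0.0.5             tcp dpt:amqp to:192.168.10.16:5672"]

def values_yaml_backend(tcp_line, port):
    """Backend string mapped to `port` in the nginx-ingress tcp: map, or None if absent."""
    m = re.search(r'\b%d:\s*"([^"]+)"' % port, tcp_line)
    return m.group(1) if m else None

def svc_exposes_port(svc_line, port):
    """True if the LoadBalancer service line lists <port>:<nodePort>/TCP (15672 must not match 5672)."""
    return re.search(r'(?<!\d)%d:\d+/TCP' % port, svc_line) is not None

def dnat_rules_for_port(nat_lines, port):
    """Parse `iptables -t nat -L` output; return (source, to-address) pairs for DNAT rules to `port`."""
    rules = []
    for line in nat_lines:
        cols = line.split()
        if len(cols) < 5 or cols[0] != "DNAT":
            continue
        m = re.search(r'to:([\d.]+):(\d+)', line)
        if m and int(m.group(2)) == port:
            rules.append((cols[3], m.group(1)))
    return rules

def check_amqp_exposure(tcp_line, svc_line, nat_lines, nginx_ip, port=5672):
    """Cross-check all three layers of the workaround; return a list of findings (empty means consistent)."""
    findings = []
    if values_yaml_backend(tcp_line, port) != "infra/rabbitmq-ha:%d" % port:
        findings.append("values.yaml: port %d is not mapped to infra/rabbitmq-ha:%d" % (port, port))
    if not svc_exposes_port(svc_line, port):
        findings.append("kubectl: nginx-ingress-controller does not expose %d (helm upgrade not applied?)" % port)
    rules = dnat_rules_for_port(nat_lines, port)
    if not rules:
        findings.append("iptables: no PREROUTING DNAT rule forwards %d" % port)
    for source, dest in rules:
        if dest != nginx_ip:
            findings.append("iptables: DNAT for %d targets %s, expected NGINX IP %s" % (port, dest, nginx_ip))
        if source == "anywhere":
            # RMQ has no RBAC (see Cause), so an unrestricted DNAT exposes the broker to every source.
            findings.append("iptables: DNAT for %d accepts any source; restrict it to known subscribers" % port)
    return findings
```

Feed it the real tcp line from values.yaml, the nginx line from kubectl get svc -n infra and the output of iptables -t nat -L in place of the constructed samples; an empty result means the three layers agree.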