
Given an application in NPA, which has both TCP and UDP ports as part of the app. definition, how does the Publisher App Reachability check work?

I have an application/server, which is in fact currently unreachable (due to a NAT issue in a firewall) from the defined publisher(s), which has both TCP and UDP ports as part of the app. definition in NPA.

This app is incorrectly marked as Green in the portal, but if I remove the UDP ports from the app. definition, the status correctly turns Red.

So, the question is: does adding UDP ports to a private app. simply mean that the Publisher App Reachability check will automatically turn Green, as a UDP check makes no sense?


As far as I can tell, no test happens at all when only UDP ports are defined in a private app. Taking a packet capture shows no traffic at all from the publisher to the app server until a TCP port is configured.


Hi @elawaetz

Good day!!

Below is an explanation of how the Publisher checks connectivity for a private application:

  • When a private app is defined with a port range, the Publisher will only use the first port in the range to check availability.
    Example: If the port range is 70-90, the check will only be made on port 70. Even if the app is listening on port 80, it will be marked as unreachable because port 70 is the only one being tested. This is a known limitation.

  • If an app definition includes multiple ports and/or port ranges, the Publisher will consider the app reachable if any one of those ports is accessible.
    Example: If you define ports as 22, 70-90, and port 22 is reachable, the app will be marked as reachable.

  • The Publisher cannot check reachability for private apps defined using a wildcard domain (e.g., *.globex.io) or a CIDR block (e.g., 10.0.1.0/24).

  • Also, if a private app is defined with a list of TCP/UDP ports, only the first port is checked for connectivity, regardless of whether it's TCP or UDP.

You can find more details in the Private Application FAQ document.


Hi @saini, @notskope

My application has three ports defined:

  • TCP 8200, 8206
  • UDP 8300

I ran a TCP dump this morning on one of the attached publishers, and it is evident that the publisher is trying to connect on both TCP ports in the application definition, and failing to do so due to the firewall rules in place, and as a consequence I only see SYN packets.

For obvious reasons the publisher is unable to run any UDP checks.

If I leave out the UDP port from the app. definition, then the publisher declares the app. as unreachable.

If I add the UDP port, I still see the TCP SYN packets, but now the publisher declares the app. as reachable!

--Erik

I guess this really ends up becoming a Feature Request 🤔, as the correct way for the tenant to report this would be "undetermined", just like app. definitions with multiple hosts, perhaps with a similar hover over text saying "Can't check the reachability of an app with UDP ports".
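The rules described in the reply above (only the first port of a range is probed, the app is Green as soon as any probed port answers, UDP cannot be probed) and the three-state reporting proposed in this last post can be modelled in a few lines. The following is an added example written for this thread; it is not Netskope code, and the way it combines per-port results is an assumption based only on what the thread observes. The `tcp_probe` callable is injected so the logic can be exercised offline with a constructed probe instead of real publishers.

```python
import socket
from typing import Callable, Dict, Iterable, Tuple

# An app definition is modelled as (protocol, port_spec) pairs, e.g. ("tcp", "8200")
# or ("tcp", "70-90"). This shape is an assumption for the example, not the NPA schema.
PortSpec = Tuple[str, str]
ProbeFn = Callable[[str, int], bool]


def first_port(spec: str) -> int:
    """The thread states only the first port of a range is tested (70 for "70-90")."""
    return int(spec.split("-", 1)[0])


def tcp_connect_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real probe: a TCP handshake attempt, the SYNs seen in the packet capture."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_ports(host: str, definition: Iterable[PortSpec], tcp_probe: ProbeFn) -> Dict[PortSpec, str]:
    """Probe each port spec once; UDP has no handshake, so it cannot be verified either way."""
    results: Dict[PortSpec, str] = {}
    for proto, spec in definition:
        if proto.lower() == "tcp":
            ok = tcp_probe(host, first_port(spec))
            results[(proto, spec)] = "reachable" if ok else "unreachable"
        else:
            results[(proto, spec)] = "undetermined"
    return results


def app_status(results: Dict[PortSpec, str], unprobed_counts_as_reachable: bool = False) -> str:
    """Combine per-port results into one app status.

    Any reachable port makes the app reachable (as the reply describes). If nothing
    could be confirmed but some port could not be probed at all, report 'undetermined'
    (the behaviour proposed in this thread) unless the caller opts into the observed
    behaviour of treating an unprobeable UDP port as reachable.
    """
    states = set(results.values())
    if "reachable" in states:
        return "reachable"
    if "undetermined" in states:
        return "reachable" if unprobed_counts_as_reachable else "undetermined"
    return "unreachable"


def check_app(host: str, definition: Iterable[PortSpec], tcp_probe: ProbeFn = tcp_connect_probe,
              unprobed_counts_as_reachable: bool = False) -> str:
    return app_status(probe_ports(host, definition, tcp_probe), unprobed_counts_as_reachable)


# Constructed probe reproducing the situation in the thread: the firewall drops every SYN.
def _all_dropped(host: str, port: int) -> bool:
    return False


if __name__ == "__main__":
    app = [("tcp", "8200"), ("tcp", "8206"), ("udp", "8300")]
    print("proposed:", check_app("app.example.internal", app, _all_dropped))
    print("observed:", check_app("app.example.internal", app, _all_dropped, unprobed_counts_as_reachable=True))
    print("tcp only:", check_app("app.example.internal", app[:2], _all_dropped))
```

With the constructed probe the three runs print `undetermined`, `reachable` and `unreachable`, which is exactly the discrepancy reported above: the same failing TCP probes flip the app to Green once an unprobeable UDP port is present. Replacing `_all_dropped` with the default `tcp_connect_probe` turns the script into a quick check that can be run from a host next to the publisher to compare against the portal status.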
