Cluster communication ports 3307 and 13307 showing as filtered in port scan from new node to an existing cluster node

Article ID: 201031

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We wanted to use the port scan feature under Configuration > Tools to verify that no firewall rules are preventing a new node from being added to an existing cluster. When we run the scan for ports 443, 8443, 3007 and 13007, the first two show as OPEN, but the last two as FILTERED. Our network team tells us that there is no firewall blocking the communication and that the network packets do reach the PAM cluster node entered as the target of the scan. Why do the ports show as FILTERED?

Environment

Release : 3.3+

Component : PRIVILEGED ACCESS MANAGEMENT

Cause

PAM cluster nodes open ports 3307 and 13307 selectively, only to other nodes that are currently in the cluster. Connection attempts from any other IP address, such as a new node that is not yet part of the cluster, receive no response, so a scan from such a source reports the ports as FILTERED.
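The following added example (not PAM's code and not part of the original article) shows how a connect-style port check typically arrives at OPEN, CLOSED or FILTERED, assuming the common convention that a probe receiving no reply is reported as FILTERED. The `probe` function, the injected `silent_drop` connector and the documentation address 192.0.2.10 are constructed for illustration.

```python
import errno
import socket


def probe(host, port, timeout=2.0, connect=socket.create_connection):
    """Classify a TCP port by how the connection attempt ends."""
    try:
        sock = connect((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # Target replied with RST: host reachable, nothing listening.
        return "CLOSED"
    except (socket.timeout, TimeoutError):
        # No reply at all: the packet was dropped silently, for example
        # because the source IP is not on the target's allow list.
        return "FILTERED"
    except OSError as exc:
        # An ICMP unreachable reply is also conventionally "filtered".
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "FILTERED"
        raise
    sock.close()
    return "OPEN"


def local_demo():
    """Reproduce all three states without leaving the local machine."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))          # ephemeral port, constructed
    listener.listen(1)
    port = listener.getsockname()[1]
    open_state = probe("127.0.0.1", port)    # listener present
    listener.close()
    closed_state = probe("127.0.0.1", port)  # listener gone, kernel sends RST

    def silent_drop(address, timeout):
        # Hypothetical connector standing in for a node that ignores
        # traffic from non-members: the attempt simply times out.
        raise socket.timeout("no reply")

    filtered_state = probe("192.0.2.10", 3307, connect=silent_drop)
    return open_state, closed_state, filtered_state


if __name__ == "__main__":
    print(local_demo())
```

A FILTERED result therefore says only that the probe got no answer from that source address; it does not distinguish a network firewall from a target that deliberately ignores non-members.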

Resolution

This is working as expected. We don't want to expose these ports to any source that is not a cluster member. In this case the port scan is not helpful and you have to trust your network team that the network allows communication on those ports. If you see a problem when joining the new node to the cluster, feel free to raise a case with PAM Support.