Deployment Architecture

Is it normal for an indexer cluster master to connect to peers on odd ports?

tkw03
Communicator

I was troubleshooting why peers show as "Pending" often in the cluster master web UI. In troubleshooting I ran 'ss |less' and via TCP, I found the master connecting on odd ports and vice versa. Here's a "sanitized" example:

Netid  State      Recv-Q Send-Q Local Address:Port                 Peer Address:Port 
tcp    ESTAB      0      0      172.indexercluster.master.ip:8089                 172.indexercluster.member.06:41346
tcp    ESTAB      0      0      172.indexercluster.master.ip:8089                 172.indexercluster.member.04:47714
tcp    ESTAB      0      0      172.indexercluster.master.ip:40738                172.indexercluster.member.015:8089
tcp    ESTAB      0      0      172.indexercluster.master.ip:53218                172.indexercluster.member.010:8089
tcp    ESTAB      0      0      172.indexercluster.master.ip:57761                172.indexercluster.member.018:8089
tcp    ESTAB      0      0      172.indexercluster.master.ip:60002                172.indexercluster.member.012:8089
tcp    ESTAB      0      0      172.indexercluster.master.ip:54722                172.indexercluster.member.021:8089
tcp    ESTAB      0      0      172.indexercluster.master.ip:57434                172.indexercluster.member.014:8089
tcp    ESTAB      0      0      172.indexercluster.master.ip:8089                 172.indexercluster.member.010:40392
tcp    ESTAB      0      0      172.indexercluster.master.ip:57484                172.indexercluster.member.014:8089
tcp    ESTAB      0      0      172.indexercluster.master.ip:8089                 172.indexercluster.member.018:39212
tcp    ESTAB      0      0      172.indexercluster.master.ip:44492                172.indexercluster.member.013:8089

Is this normal communication or something strange?

Not sure I've noticed this before, so I wanted to see if anyone else has seen this.

Thanks


nickhills
Ultra Champion

With a TCP connection the 'client' connects to the 'server' on a known or target port.
In the case of Splunk this is 8089. However since TCP is a bidirectional protocol it needs to tell the server which port to reply back on.
In most c/s architectures, the port the client chooses is a random 'high-number' port - 41346 from the top line is one such example.

The top line is a connection from 'member6' using 41346 as its src port to the dest port 8089 on the master.

tcp    ESTAB      0      0      172.indexercluster.master.ip:8089                 172.indexercluster.member.06:41346

The third line is a connection from the master with src port 40738 to the dest port 8089 on 'member15'.

tcp    ESTAB      0      0      172.indexercluster.master.ip:40738                172.indexercluster.member.015:8089

What you're seeing is totally normal TCP communication patterns.

If my comment helps, please give it a thumbs up!
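
The reading of the two `ss` lines in the answer above, applied to a whole capture, as an added example that is not part of the original thread. It assumes the column layout shown in the question (Netid first); the function names, the sample host names and the ephemeral range (the Linux default `ip_local_port_range`) are assumptions, and only port 8089 comes from the thread.

```python
from collections import Counter

SERVICE_PORT = 8089            # Splunk management port named in the answer
EPHEMERAL = (32768, 60999)     # assumed: Linux default ip_local_port_range

# Constructed sample modelled on the sanitized output in the question;
# host names are placeholders.
SAMPLE = """\
Netid  State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
tcp    ESTAB  0      0      master.example:8089   member06.example:41346
tcp    ESTAB  0      0      master.example:40738  member15.example:8089
tcp    ESTAB  0      0      master.example:8089   member10.example:40392
tcp    ESTAB  0      0      master.example:53218  member10.example:8089
tcp    ESTAB  0      0      master.example:8089   member04.example:1023
"""

def split_endpoint(endpoint):
    """Split 'host:port' on the last colon; port is None if not numeric."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def classify(line, service_port=SERVICE_PORT, ephemeral=EPHEMERAL):
    """Return (direction, peer_host, client_port), or None for non-TCP rows."""
    fields = line.split()
    if len(fields) < 6 or fields[0] != "tcp":
        return None                      # header, blank line, other socket types
    (_, lport), (peer, pport) = split_endpoint(fields[4]), split_endpoint(fields[5])
    if lport == service_port and pport != service_port:
        direction, client_port = "inbound", pport    # peer dialled this host
    elif pport == service_port and lport != service_port:
        direction, client_port = "outbound", lport   # this host dialled the peer
    else:
        return ("unclassified", peer, None)
    if client_port is None or not ephemeral[0] <= client_port <= ephemeral[1]:
        direction += "-unusual-source-port"          # outside the assumed range
    return (direction, peer, client_port)

def summarize(text):
    """Count connections per (peer, direction) across a block of ss output."""
    rows = filter(None, (classify(line) for line in text.splitlines()))
    return Counter((peer, direction) for direction, peer, _ in rows)

if __name__ == "__main__":
    for (peer, direction), n in sorted(summarize(SAMPLE).items()):
        print(f"{peer:20} {direction:32} {n}")
```

A peer that appears under both "inbound" and "outbound" matches the "and vice versa" in the question: each side opens its own connections to the other's 8089.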

tkw03
Communicator

Thanks, was just making sure it wasn't something abnormal
