I'm trying to monitor a remote JVM using jconsole. I need to do this monitoring through an OpenVPN network which might be part of the problem. This is the network configuration:
Server A         Server B         Server C
Jconsole                          JVM
10.171.0.1 <---> 10.170.0.1 <---> 10.170.0.14
When all servers are on different physical networks it doesn't work. When Server A and Server C are in the same physical network it works. In both cases the traceroute is the one described in the network configuration and looks something like this:
traceroute to 10.170.0.14 (10.170.0.14), 64 hops max, 52 byte packets
1 10.170.0.1 (10.170.0.1) 114.440 ms 109.152 ms 109.581 ms
2 10.170.0.14 (10.170.0.14) 234.207 ms 228.535 ms 229.630 ms
Any ideas on how to solve this?
[EDIT]
All systems are linux.
JMX remote parameters are:
-Dcom.sun.management.jmxremote.port=8086
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false
Server B (10.170.0.1) is used as the bridge and firewall between the two networks. The firewall in 10.170.0.1 is as follows:
*filter
:INPUT DROP [1000:900000]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8086 -j ACCEPT
-A INPUT -p udp -m udp --dport 8086 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 13 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 30 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.171.0.1 -d 10.170.0.0/16 -j ACCEPT
-A FORWARD -s 10.171.0.3 -d 10.170.0.0/16 -j ACCEPT
-A FORWARD -s 10.170.0.0/16 -d 10.171.0.0/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
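An added example, not part of the original post: a small evaluator for the FORWARD chain above, applied to the connections jconsole makes from Server A. It assumes the usual JMX-over-RMI behaviour, in which the client first contacts the registry port and then opens a second connection to the address named in the returned stub; `192.168.1.14` is a constructed LAN address and the function names are hypothetical.

```python
import ipaddress
import shlex

# FORWARD chain of Server B, copied from the question.
RULES = """\
:FORWARD DROP [0:0]
-A FORWARD -s 10.171.0.1 -d 10.170.0.0/16 -j ACCEPT
-A FORWARD -s 10.171.0.3 -d 10.170.0.0/16 -j ACCEPT
-A FORWARD -s 10.170.0.0/16 -d 10.171.0.0/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
"""

def parse(text, chain="FORWARD"):
    """Return (policy, rules). Every option in this ruleset takes one argument."""
    policy, rules = "ACCEPT", []
    for tok in map(shlex.split, text.splitlines()):
        if tok and tok[0] == ":" + chain:
            policy = tok[1]
        elif tok[:2] == ["-A", chain]:
            rules.append(dict(zip(tok[2::2], tok[3::2])))
    return policy, rules

def verdict(src, dst, state="NEW", chain=parse(RULES)):
    """First matching rule wins, as in iptables; else the chain policy applies.
    These FORWARD rules match on addresses and state only, so ports are not modelled."""
    policy, rules = chain
    for r in rules:
        if "-s" in r and ipaddress.ip_address(src) not in ipaddress.ip_network(r["-s"]):
            continue
        if "-d" in r and ipaddress.ip_address(dst) not in ipaddress.ip_network(r["-d"]):
            continue
        if "--state" in r and state not in r["--state"].split(","):
            continue
        return r["-j"]
    return policy

def jmx_flows(advertised, registry="10.170.0.14", client="10.171.0.1"):
    """Verdicts for the connections jconsole opens and for the return traffic."""
    return {
        "registry": verdict(client, registry),      # tcp/8086 on the VPN address
        "rmi_object": verdict(client, advertised),  # second connection, address from the stub
        "replies": verdict(registry, client, state="ESTABLISHED"),
    }

if __name__ == "__main__":
    # 192.168.1.14 is a constructed LAN address standing in for a non-VPN address.
    for addr in ("10.170.0.14", "192.168.1.14"):
        print(addr, jmx_flows(addr))
```

With the VPN address every flow is accepted, so this chain does not block Server A; a second connection aimed at an address outside 10.170.0.0/16 falls through to the final REJECT rule.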
Long time since this question was asked, but since @mark showed some interest, here is how I eventually solved it. The problem was that the JVM was binding to the local IP address instead of the VPN IP address. It all worked by adding:
To the server that I wanted to monitor.
3 things worth trying if you haven't already:
1) get rid of the firewall rules on all machines completely, for testing (if you can do this)
2) if 1) isn't an option, set up 3 virtual machines that mimic the setup, with no firewalls -- doing this I found a similar problem with my own network.
3) make sure you have a keepalive in your OpenVPN client configuration file -- a line something like: keepalive 10 120
The similar problem I had was that my company network was set up to drop any inbound packets after x seconds of inactivity, so even though the VPN was technically still open, all traffic one direction was being dropped until some traffic came from the other side, then it worked.
Tried with Java 8
1. Cut and paste this in your jvm startup script:
2. Connect via ssh (and avoid VPN restrictions):
3. Open jconsole on your computer
4. Have fun!