Service Mapping connection discovery fails for targets with multiple IP addresses

J_rg Matz
Tera Contributor

In our setup, the MID Server is located in an admin network that can reach any server via its admin interface. The configuration files for applications usually use the public interface for communications. The public network and admin network are separated, so the admin server cannot reach the public interfaces of the targets.

Both the public and admin IP addresses for the servers are discovered by horizontal discovery. Is there a way to "re-map" the public IP to the admin IP of the same server before continuing the discovery of the connections?

An example is an SAP CI application linked to a HANA database via the public IP 10.1.2.3, whereas the admin address of the HANA DB server might be 100.4.5.6. Pinging 10.1.2.3 fails from the MID Server, but pinging 100.4.5.6 works. A connection via 100.4.5.6 may allow the MID Server to gather the necessary information.

2 ACCEPTED SOLUTIONS

Appli
Mega Sage

Hi, maybe the network team can grant access to the public IP addresses of the concerned CIs? It might be the most straightforward solution.

Hope it helps

Hi, thank you for your clarification and detailed feedback! Well, I still believe an approach where traffic from the MID Server to public IPs is whitelisted at the firewall/router level is a solution here. The network team should be less concerned since the Allow rule will have a strictly defined src IP (= IP of the MID Server in the Admin zone) and traffic will be routed over a loopback interface or so. Not sure if OOTB functionality of ServiceNow ITOM can address the use case you explained; for me it is not.

9 REPLIES

J_rg Matz
Tera Contributor

Hi Appli,
thanks for the suggestion, but company policy restricts ssh usage to the admin interface. So having access to the public interface for the MID Server will not really help. It would fail as soon as ssh is tried on the public IP, even if network traffic would be allowed.

Hi, thank you. Apparently one IP is set as the ip_address attribute of the CI, and another IP is referenced over the CI IPs tab of the same CI. What I can recommend - maybe introduce a BR that swaps IP addresses after the CI is created/updated. Like if ip_address STARTS with 10., it swaps it with the one that has 100.

Hope it helps

J_rg Matz
Tera Contributor

Hi Appli,
not sure I understand what you're getting at. The CMDB documentation ip_address field is not filled; the IPs in use are documented via NIC records related to the server CI.
I understand service discovery uses IP addresses or endpoint names from config files to build the connections. So these config files are the source. I also have read that for PROXY environments, an admin address can be added for service discovery to use instead of the endpoint address.
I wonder if there is a similar functionality available for any endpoint besides proxies, and how to configure it (assign admin addresses to IP addresses). One of the options in "handle error" is to add an admin address, but using it has no effect.