Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it normal for an indexer cluster master to connect to peers on odd ports?

tkw03
Communicator
‎03-01-2019 06:30 AM

I was troubleshooting why peers show as "Pending" often in the cluster master web UI. In troubleshooting I ran 'ss |less' and via TCP, I found the master connecting on odd ports and vice versa. Here's a "sanitized" example:

Netid  State      Recv-Q Send-Q Local Address:Port                 Peer Address:Port 
tcp    ESTAB      0      0      172.indexercluster.master.ip:8089                 172.indexercluster.member.06:41346
tcp    ESTAB      0      0      172.indexercluster.master.ip:8089                 172.indexercluster.member.04:47714
tcp    ESTAB      0      0      172.indexercluster.master.ip:40738                172.indexercluster.member.015:8089
tcp    ESTAB      0      0      172.indexercluster.master.ip:53218                172.indexercluster.member.010:8089
tcp    ESTAB      0      0      172.indexercluster.master.ip:57761                172.indexercluster.member.018:8089
tcp    ESTAB      0      0      172.indexercluster.master.ip:60002                172.indexercluster.member.012:8089
tcp    ESTAB      0      0      172.indexercluster.master.ip:54722                172.indexercluster.member.021:8089
tcp    ESTAB      0      0      172.indexercluster.master.ip:57434                172.indexercluster.member.014:8089
tcp    ESTAB      0      0      172.indexercluster.master.ip:8089                 172.indexercluster.member.010:40392
tcp    ESTAB      0      0      172.indexercluster.master.ip:57484                172.indexercluster.member.014:8089
tcp    ESTAB      0      0      172.indexercluster.master.ip:8089                 172.indexercluster.member.018:39212
tcp    ESTAB      0      0      172.indexercluster.master.ip:44492                172.indexercluster.member.013:8089

Is this normal communication or something strange?

Not sure I've noticed this before, so I wanted to see if anyone else has seen this.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎03-01-2019 07:14 AM

With a TCP connection the 'client' connects to the 'server' on a known or target port.
In the case of Splunk this is 8089. However since TCP is a bidirectional protocol it needs to tell the server which port to reply back on.
In most c/s architectures, the port the client chooses is a random 'high-number' port - 41346 from the top line is one such example.

The top line, is a connection from 'member6' using 41346 as its src port to the dest port 8089 on the master.

tcp    ESTAB      0      0      172.indexercluster.master.ip:8089                 172.indexercluster.member.06:41346

The third line, is a connection from the master with src port 40738 to the dest port 8089 on 'member15'

tcp    ESTAB      0      0      172.indexercluster.master.ip:40738                172.indexercluster.member.015:8089

What your seeing is totally normal TCP communication patterns.

If my comment helps, please give it a thumbs up!

View solution in original post

Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎03-01-2019 07:14 AM

With a TCP connection the 'client' connects to the 'server' on a known or target port.
In the case of Splunk this is 8089. However since TCP is a bidirectional protocol it needs to tell the server which port to reply back on.
In most c/s architectures, the port the client chooses is a random 'high-number' port - 41346 from the top line is one such example.

The top line, is a connection from 'member6' using 41346 as its src port to the dest port 8089 on the master.

tcp    ESTAB      0      0      172.indexercluster.master.ip:8089                 172.indexercluster.member.06:41346

The third line, is a connection from the master with src port 40738 to the dest port 8089 on 'member15'

tcp    ESTAB      0      0      172.indexercluster.master.ip:40738                172.indexercluster.member.015:8089

What your seeing is totally normal TCP communication patterns.

If my comment helps, please give it a thumbs up!
Reply
Solved! Jump to solution

tkw03
Communicator
‎03-01-2019 08:06 AM

Thanks, was just making sure it wasn't something abnormal

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...