Network connectivity issues or unresponsive interfaces

Configuring multiple interfaces on the same subnet might cause certain interfaces to appear unresponsive or cause other network connectivity issues.

When we configure interfaces on an 8.0.0.x appliance, it is advisable not to configure IP addresses that are in the same subnet across multiple interfaces. Starting from the 8.0.1.1 release, the appliance by default validates that overlapping subnets do not span multiple interfaces. This validation can be manually overridden if we choose to do so.

Having a single subnet that spans multiple interfaces is discouraged in general networking terms. The appliance environment is no exception to this rule. Configuring the same subnet on multiple interfaces causes the routing table to contain duplicate routes, one for each interface.

Diagnosing the problem

Consider this problem if some interfaces seem to become unresponsive or if the packet trace seems to capture traffic on only one side.

Resolving the problem

Preferred method

The preferred way to rectify this problem is to configure different interfaces to be in different subnets. For example, changing the P.1 interface to a different subnet such as 192.168.150.250/24 creates distinct routing table entries.
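The following Python check is an added example, not IBM's code and not the appliance's own validation logic. It flags address assignments whose subnets overlap across different interfaces, which is the condition that produces duplicate routes, and it also catches nested subnets. Apart from 192.168.150.250/24, the addresses and the P.2 interface are constructed sample data.

```python
import ipaddress
from itertools import combinations


def find_overlaps(interfaces):
    """Return (iface_a, iface_b, net_a, net_b) for every pair of addresses
    on *different* interfaces whose subnets overlap (identical or nested)."""
    entries = []
    for name, cidrs in interfaces.items():
        for cidr in cidrs:
            # ip_interface accepts a host address with a prefix length and
            # derives the containing network (192.168.1.10/24 -> 192.168.1.0/24).
            entries.append((name, ipaddress.ip_interface(cidr).network))

    conflicts = []
    for (if_a, net_a), (if_b, net_b) in combinations(entries, 2):
        if if_a == if_b:
            continue  # several addresses on one interface are not the issue here
        if net_a.version != net_b.version:
            continue  # IPv4 and IPv6 networks can never overlap
        if net_a.overlaps(net_b):
            conflicts.append((if_a, if_b, str(net_a), str(net_b)))
    return conflicts


# Constructed sample: M.1 and P.1 share 192.168.1.0/24, so the routing
# table would hold one route to that subnet per interface.
BEFORE = {
    "M.1": ["192.168.1.10/24"],
    "P.1": ["192.168.1.20/24"],
    "P.2": ["10.0.0.5/16"],
}

# Same layout after moving P.1 to the subnet used in the text above.
AFTER = {
    "M.1": ["192.168.1.10/24"],
    "P.1": ["192.168.150.250/24"],
    "P.2": ["10.0.0.5/16"],
}

if __name__ == "__main__":
    for label, config in (("before", BEFORE), ("after", AFTER)):
        conflicts = find_overlaps(config)
        print(label, "->", conflicts if conflicts else "no overlapping subnets")
```

Running a check like this against a planned interface layout is most useful where the built-in validation is absent (8.0.0.x) or has been manually overridden.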

Alternate method

This approach is not advisable if the appliance is being installed in the DMZ. Because the management interface and any reverse proxy instances have the same IP address, management services might be exposed to the public.

Starting with IBM Security Access Manager 8.0.0.5, reverse proxy instances can listen on all interfaces and do not need to be tied to a specific application interface. Therefore, it is no longer mandatory to configure application interfaces on the appliance.

During configuration of a new reverse proxy instance, specifying 0.0.0.0 for the IP address of the primary interface ensures the new instance listens on all the interfaces, including the management interface M.1.

For existing reverse proxy instances, the primary interface can be changed by selecting the instance, clicking Edit, and then modifying the values on the Server tab. When you change the network interface on which an existing reverse proxy instance is listening, ensure that no other services are listening on the ports specified under HTTPS Port and HTTP Port. Otherwise, the reverse proxy instance might fail to start.

By default, ports 80 and 443 on the management interface are used by the local management interface. If a reverse proxy instance needs to listen on those ports, we can change the default port values used by the local management interface through the Administrator Settings panel.
