Question about ISCAgent Config

Question

Question

Scott Roth · Sep 7, 2023

#Mirroring #Health Connect #InterSystems IRIS #InterSystems IRIS for Health

We are noticing some issues with the communication between our Arbiter and our servers. Looking at the following documentation to limit connections, and logging...https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls?KEY=GHA_mirror_set_config#GHA_mirror_set_agent_port

if I am configuring the ISCAgent on the arbiter, would we set

application_server.interface_address=<ip_address>

to each IRIS server? Or does this mean to give it a specific NIC IP Address to use for communication? Does the ISCAgent have to be configured separate on each IRIS server?

Is there a way to limit which IP's it is communicating with an allow list? Currently we do not have a private network across the boxes, but looking to see how we can tighten down the communications.

Thanks

Product version: IRIS 2022.1

Discussion (3)2

Log in or sign up to continue

Jeffrey Drumm · Sep 8, 2023

I don't know of any other attributes, and increasing logging may turn up something but hasn't proved useful in my experience.

If your servers are reporting occasional disconnect errors, that's not necessarily a network issue, or even something to worry about. The mirror members may report disconnections due to things like snapshots/backups where one or more hosts are momentarily suspended by the hypervisor in a virtualized environment, or updates to the OS that might stop/start services as part of the update process. It's important to remember, though, that the arbiter is designed to operate optimally in a low-latency, same network, same data center scenario. If your mirrored hosts are spread across a WAN, you're asking for errors.

0 0

score 0 · Answer 1 · 2023-09-07T15:40:11-04:00

That setting allows you to specify an adapter address over which arbitration traffic will flow. It's a local address for situations where the arbiter server may have multiple adapters on different networks.

The IRIS servers establish the arbiter connection rather than the other way around, and you can have multiple mirror pairs us a single arbiter instance.

The ISCAgent is normally installed by default with IRIS, but may not be activated. On my mirrored servers, it's active, but I don't remember whether that happened automatically as part of the setup process, or I did it manually.

No allow list that I'm aware of, but if you want to restrict access to ISCAgent ports, add an adapter to each host, connected to a VLAN that is not routeable from outside that network. Configure application_server.interface_address to use it. You could also use the same network for mirror journal transmission/communication, and leverage QoS to allocate a fixed minimum amount of bandwidth that would be unavailable to other network traffic.

score 0 · Answer 2 · 2023-09-07T16:35:19-04:00

Is the attributes listed in the documentation the only attributes that can be configured in /etc/iscagent/iscagent.conf? Does turning the logging help with troubleshooting connection issues on the Arbiter?