
Accessing a license server via an SSH tunnel?

Peter_Chapin
Beginner
3,201 Views

I'm teaching a course in parallel programming and I hope to use Intel Parallel Studio for Windows as part of my course. Accordingly I have a license grant and I have set up a license server on campus that works fine. Some of my students spend a considerable amount of time off campus and two of them, in fact, basically can't physically reach campus at all. They do, however, have accounts on a Linux system maintained by my department. My hope was that they could use an SSH tunnel to allow their local installation of Parallel Studio to access the campus license server (the license server is not directly visible through the college's external firewall).

My attempts to set this configuration up on my own machine have so far failed. From what I can tell the tunnel itself appears to be fine. I created a second .lic file in "C:\Program Files (x86)\Common Files\Intel\Licenses" named USE_SERVER-tunnel.lic. The contents of this file are simply

SERVER 127.0.0.1 ANY 8081
USE_SERVER

I also tried using LOCALHOST for the host name. However when I attempt to use any of the Parallel Studio components I am told, for example, "Error: A license for CCompW is not available now (-96,7,11001)." (This was an attempted compile with the Intel C++ compiler). The error message goes on to list the license files it attempted to use:

License file(s) used were (in this order):
1>  
1>      1.  Trusted Storage
1>      2.  C:\Program Files (x86)\Common Files\Intel\Licenses\USE_SERVER-tunnel.lic
1>      3.  C:\Program Files (x86)\Common Files\Intel\Licenses\USE_SERVER.lic
1>      4.  C:\Program Files\Common Files\Intel\Licenses
1>      5.  C:\PROGRA~2\Intel\COMPOS~1\bin\Intel64\*.lic

The file USE_SERVER.lic is the "regular" file that specifies the server directly. It works fine when I'm on campus. I would have expected (was hoping) that USE_SERVER-tunnel.lic as above would have worked when I'm off campus, with the tunnel running of course. No luck.

Is what I'm doing possible? I've heard that the SSH protocol does not support forwarding of UDP traffic. Could that be an issue? Perhaps there is some other, nicer way to accomplish what I'm trying to do.

Thanks!

 

0 Kudos
9 Replies
Feilong_H_Intel
Employee
3,201 Views

Hi Peter,

I received your question.  Let me consult the flexlm team regarding it.  I will get back to you once I hear from them.

Thanks.

0 Kudos
Peter_Chapin
Beginner
3,201 Views
Thanks... any word on this? It's been a while since I asked my question. If I can't get the issue resolved soon I'll have to adapt my class to avoid using Parallel Studio.
0 Kudos
Feilong_H_Intel
Employee
3,201 Views

Hi Peter,

Sorry for the delay.  I got a reply from our flexlm team a few days ago.  See below.  I'm checking with our flexlm engineer if netcat or squid would work with license manager.

"I am not aware of any way this could be made to work. I believe that the license manager uses TCP, not UDP, and then one is asking the remote Linux system to somehow forward the packets to another system. The only option here I am aware of is to 'borrow' a license, but that would make it unavailable on the main campus network."

Thanks.

0 Kudos
Peter_Chapin
Beginner
3,201 Views

Thanks for the information.

First I want to point out that getting the remote Linux machine to forward packets is exactly what an SSH tunnel does. The Linux system establishes a connection with the host behind the firewall, in this case the license manager. In the meantime on my system, off campus, a local port is opened that represents the remote connection. Any process that connects to localhost on that port has its traffic forwarded over the SSH connection (encrypted) and from there to the final endpoint via the Linux system. I use this routinely to access web servers from off campus that are not visible through the firewall... for example development systems... but it's a general mechanism that applies, as far as I know, to any TCP connection.

Also the fact that flexlm uses TCP is a good thing. I have heard (not sure if it's true) that SSH tunnels can't forward UDP traffic but it sounds like that's not an issue.

In any case I'd be interested to hear more about this "borrowing" of a license. How does that work? In my situation that would be a feasible solution as we have enough licenses to cover the on campus students and only a couple of students for whom the off campus access is essential. Should I open a different thread about this?

Thanks!

 

0 Kudos
Feilong_H_Intel
Employee
3,201 Views

Peter,

As for borrowing, please refer to this article: <http://software.intel.com/en-us/articles/intel-flexlm-license-borrowing-capability>.

I'll try to set up an SSH tunnel in my own system, and test if it works with flexlm license manager.

Thanks.

0 Kudos
Peter_Chapin
Beginner
3,201 Views

Great, thanks! I looked into the borrowing feature and it doesn't look like it will work for me since one of my students is on the other side of the country and can't reasonably get to the campus at all. I hope the tunneling approach can work!

0 Kudos
Feilong_H_Intel
Employee
3,201 Views

Hi Peter,

I did an experiment earlier today.  I have two machines.  Machine A runs the flexlm license manager.  I set up port forwarding on Machine B with the following command:

# ssh -N root@machineA -L 30000:localhost:28518

Then, I set up the env var like this:

# export INTEL_LICENSE_FILE=30000@localhost

Finally icc could run on machine B.

# icc -V
Intel(R) C Intel(R) 64 Compiler XE for applications running on Intel(R) 64, Version 13.1.3.192 Build 20130607
Copyright (C) 1985-2013 Intel Corporation.  All rights reserved.

On machine A, I can see the license was checked out and then checked in.

 9:53:02 (INTEL) OUT: "ID8CBD2CF" root@machineB
 9:53:02 (INTEL) OUT: "CCompL" root@machineB
 9:53:02 (INTEL) IN: "CCompL" root@machineB
 9:53:02 (INTEL) IN: "ID8CBD2CF" root@machineB

 

Consider the case where 1) Machine B can't connect to Machine A via SSH, and 2) B can connect to C via SSH, and C can connect to A.

Machine A (license manager) <-----> Machine C <------> Machine B (running icc)

In this case, you need to do something like this on Machine B:

# ssh -N root@machineC -L 30000:machineA:28518

 

This should do the magic.  Hopefully this works for you.

Thanks.

0 Kudos
Peter_Chapin
Beginner
3,201 Views

Thanks for checking that out. Unfortunately it doesn't work for me. It looks to me like you did your test using a Linux system to run the compiler. I'm using a Windows system so perhaps that makes a difference. Here are some specifics.

I tried it using both PuTTY and the ssh client in Cygwin. They both behaved the same way but I'll show the command I used in the Cygwin case. In particular:

$ ssh -p 2221 -N pchapin@lemuria.cis.vtc.edu -L 30000:wil237chirp.vtc.vsc.edu:28518

The -p 2221 option is necessary because we run our SSH server on a non-standard port. It's hard to see how that would matter. After doing this I used TCPView on my Windows system (basically netstat) and observed two entries for ssh.exe. The first looked like:

Protocol: TCP
Local Address: WIL414CHAPIN
Local Port: 30000
State: LISTENING

There was also a corresponding entry for IPv6 but it used a Local Address of wil414chapin.vtc.vsc.edu. Next I opened a command prompt for icl. In that command prompt I entered:

set INTEL_LICENSE_FILE=30000@localhost

When I tried running icl I saw it repeatedly try (SYN_SENT state) to connect to localhost port 49258. It also appears to briefly ESTABLISH a connection with localhost port 30000 as expected. Yet I get this result (after a fairly long time delay):

===== BEGIN QUOTE =====

C:\Users\pcc09070>icl

Error: A license for CCompW is not available now (-96,7,11001).

A connection to the license server could not be made.  You should
make sure that your license daemon process is running: both an
lmgrd.exe process and an INTEL.exe process should be running
if your license limits you to a specified number of licenses in use
at a time.  Also, check to see if the wrong port@host or the wrong
license file is being used, or if the port or hostname in the license
file has changed.

License file(s) used were (in this order):
    1.  Trusted Storage
    2.  30000@localhost
    3.  C:\Program Files\Common Files\Intel\Licenses
    4.  C:\Program Files (x86)\Common Files\Intel\Licenses\USE_SERVER.lic
    5.  C:\PROGRA~2\Intel\COMPOS~1\bin\intel64\*.lic

Please visit http://software.intel.com/sites/support/ if you require technical assistance.

icl: error #10052: could not checkout FLEXlm license

===== END QUOTE =====

Any ideas about what I could try next? I feel like we are getting close.

 

0 Kudos
Paul_P_3
Novice
3,201 Views

Peter,

I'm attempting to do the same thing from a Linux VM on my MacBook.  From what I can tell, what is happening on my end is that even though the port forwarding is happening correctly, the firewall on the FLEXLM server is still blocking the request.  tcpdump shows the traffic reaching the FLEXLM server but it still will not allow the traffic from my IP address.  When I first run icc it takes a long time to finally fail, but if I stop iptables while the icc process is waiting it will immediately respond and authenticate the flexlm request.  I haven't found a way around this yet, but that is our problem and it may be the same problem you are having.

EDIT: I found out an additional port, 46136, needed to be forwarded in order for it to work.

# ssh -N user@machineC -L 30000:machineA:28518 -L 46136:machineA:46136

0 Kudos
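The two-port forward from the last reply, as an added example that is not part of the original thread: it reads the lmgrd port and the vendor daemon port from the server's license file and prints loopback-only `-L` arguments, so the forwarded license ports are not exposed on the client's other interfaces. Assumptions: the function name `flexlm_forwards` is hypothetical, the sample license file is constructed from the hosts and ports quoted in the thread, and the vendor daemon port is pinned on the server with `port=` on the VENDOR line (the thread does not show the server's file).

```shell
#!/bin/sh
# Added example, not from the thread. Derives ssh -L arguments for a FlexLM
# server from its license file.
# Assumed format: "SERVER host hostid port" and "VENDOR name ... port=N".

# flexlm_forwards LICENSE_FILE LICENSE_HOST [LOCAL_LMGRD_PORT]
# Prints one "-L ..." argument per line. Returns 1 when either port is
# missing, e.g. when the vendor daemon port is not pinned and therefore
# changes on every restart of the license manager.
flexlm_forwards() {
    lic=$1 host=$2 local_lmgrd=${3:-30000}
    awk -v host="$host" -v lp="$local_lmgrd" '
        toupper($1) == "SERVER" && $4 ~ /^[0-9]+$/ { lmgrd = $4 }
        toupper($1) == "VENDOR" {
            for (i = 3; i <= NF; i++)
                if (tolower($i) ~ /^port=[0-9]+$/) vendor = substr($i, 6)
        }
        END {
            if (lmgrd == "" || vendor == "") exit 1
            # The lmgrd port can be remapped locally (30000 -> 28518).
            # lmgrd tells the client which port the vendor daemon uses, so
            # that port must keep the same number on the client side.
            printf "-L 127.0.0.1:%s:%s:%s\n", lp, host, lmgrd
            printf "-L 127.0.0.1:%s:%s:%s\n", vendor, host, vendor
        }' "$lic"
}

# Constructed sample of the server-side license file (values from the thread).
sample=$(mktemp)
cat > "$sample" <<'EOF'
SERVER machineA ANY 28518
VENDOR INTEL port=46136
EOF

# Print the command for review rather than running it. ExitOnForwardFailure
# makes ssh quit if a local port is already taken instead of tunnelling
# only one of the two ports.
echo ssh -N -o ExitOnForwardFailure=yes \
    $(flexlm_forwards "$sample" machineA) user@machineC
rm -f "$sample"
```

With both ports fixed, the license server's firewall rule can name exactly those two ports for the SSH relay host.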