Solved

iSCSI targets do not automatically re-connect after reboot ONLY when CHAP authentication is used

Posted on 2013-01-23
12
2,655 Views
Last Modified: 2014-05-21
I have a Windows Storage Server 2008 R2 box and 2008 R2 Enterprise. I created my iSCSI targets on the WSS + added a virtual disk to ea iSCSI target. On the 2008 R2 Ent (initiator) server, when adding the WSS into the Discovery Target side, if i attempt to specify CHAP settings, it adds, but fails "Authentication Failure". It then populates the available targets, but i have to manually enter in the CHAP settings on each iSCSI target to be able to connect them the 2008 R2 Ent server - not a biggie, i can live with that (would rather not though). The problem is when the initiating server (2008 R2 Ent.) reboots, the targets dont automatically re-connect (but are still listed as available targets). I then have to go in and enter in the CHAP settings again. If i disable CHAP all together, everything populates, connects, and re-connects upon reboot. I need to be able to use CHAP for all iSCSI targets, and have them reconnect after every reboot without assistance (again, without using CHAP, this happens flawlessly).
FYI - Both servers are up-to-date as of 1/22/13 with Windows updates

Thanks in advance.
0
Comment
Question by:mhdcommunications
  • 5
  • 3
  • 3
  • +1
12 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38815376
Which CHAP settings are you using ?
0
 
LVL 30

Expert Comment

by:pgm554
ID: 38815661
What switches?
0
 
LVL 1

Author Comment

by:mhdcommunications
ID: 38815991
@ArneLovius - I set CHAP authentication settings on the iSCSI targets on the WSS using a 16 character password. I have been messing aroung with this for a few days, and have tried numerous different passwords and UN, and all return the same result. On the Initiator side (2008 R2 Ent server), when adding the NAS to the Discovery tab as a Target Portal, and specifying the CHAP settings, it always fails authentication, but populates the iSCSI targets, and allows me to manually connect to them ONLY if i go into the Advanced tab and re-enter the CHAP settings (for Discovery, it doesnt matter if i specify the adapter/IP or leave it set to default - the same thing happens). With no authentication applied to iSCSI targets, and none specified on the initiator, Discovery + Target's reconnect without error or issue, even when rebooting.

@pgm554 - I dont see what the switches have to do with anything at all, but im using a stack of Cisco Catalyst 3500 series switches (1 x 24-port, 5 x 48 port)

Attached are screenshots just to help as a visual aid.
server.png
nas.png
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 1

Author Comment

by:mhdcommunications
ID: 38816008
Maybe im going about setting authentication the wrong way? I simply want a single password/secret or UN+PW set on the NAS for ALL iSCSI targets, even if i have to set them individually on each newly created target. If there is a better/global option for the WSS, let me know.
0
 
LVL 30

Expert Comment

by:pgm554
ID: 38816095
I've seen funny issues from time to time with spanning tree enabled on switches.

It may be timing out.
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38816208
spanning tree would not affect CHAP authentication while not affecting no authentication...
0
 
LVL 30

Expert Comment

by:pgm554
ID: 38816286
No authentication means it's not waiting for a response from an AD or such to allow a login.
If spanning tree is causing the authentication to timeout,then it may be possibly be the culprit.

I had an issue with a Netware cluster and spanning tree timing out when failing back over a while back,and turning off stp on those affected ports fixed it.

If I'm wrong ,no big deal.

He could try another iSCSI target from somebody like Starwind just to see if it might be a "feature" with the MS piece.
0
 
LVL 37

Accepted Solution

by:
ArneLovius earned 500 total points
ID: 38816667
Security is usually set per LUN rather than per iSCSI server.

Alternatively, there is more overhead, but you could try the IPSec option instead...
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38816673
AD is not involved with the Windows iSCSI target, the security is only within the iSCSI target.
0
 
LVL 1

Author Closing Comment

by:mhdcommunications
ID: 38817450
I setup an IPSec policy on the WSS server (Integrity only - no encryption) and added the IPSec settings to the initiator. Cannot connect to targets without using IPSec + they re-connect upon reboot. Thanks much.
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38817936
That's great to hear :-)
0
 

Expert Comment

by:intermediagroup
ID: 40082593
Make sure add to favorites and enable muilti-path is selected when you connect to targets:
 

When you discover portal, click advanced, don’t use defaults click “Microsoft iSCSI Intiator” and you’re NIC IP for Initiator IP.
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The article will include the best Data Recovery Tools along with their Features, Capabilities, and their Download Links. Hope you’ll enjoy it and will choose the one as required by you.
New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question