Solved

iSCSI targets do not automatically re-connect after reboot ONLY when CHAP authentication is used

Posted on 2013-01-23
12
2,511 Views
Last Modified: 2014-05-21
I have a Windows Storage Server 2008 R2 box and 2008 R2 Enterprise. I created my iSCSI targets on the WSS + added a virtual disk to ea iSCSI target. On the 2008 R2 Ent (initiator) server, when adding the WSS into the Discovery Target side, if i attempt to specify CHAP settings, it adds, but fails "Authentication Failure". It then populates the available targets, but i have to manually enter in the CHAP settings on each iSCSI target to be able to connect them the 2008 R2 Ent server - not a biggie, i can live with that (would rather not though). The problem is when the initiating server (2008 R2 Ent.) reboots, the targets dont automatically re-connect (but are still listed as available targets). I then have to go in and enter in the CHAP settings again. If i disable CHAP all together, everything populates, connects, and re-connects upon reboot. I need to be able to use CHAP for all iSCSI targets, and have them reconnect after every reboot without assistance (again, without using CHAP, this happens flawlessly).
FYI - Both servers are up-to-date as of 1/22/13 with Windows updates

Thanks in advance.
0
Comment
Question by:mhdcommunications
  • 5
  • 3
  • 3
  • +1
12 Comments
 
LVL 36

Expert Comment

by:ArneLovius
ID: 38815376
Which CHAP settings are you using ?
0
 
LVL 30

Expert Comment

by:pgm554
ID: 38815661
What switches?
0
 
LVL 1

Author Comment

by:mhdcommunications
ID: 38815991
@ArneLovius - I set CHAP authentication settings on the iSCSI targets on the WSS using a 16 character password. I have been messing aroung with this for a few days, and have tried numerous different passwords and UN, and all return the same result. On the Initiator side (2008 R2 Ent server), when adding the NAS to the Discovery tab as a Target Portal, and specifying the CHAP settings, it always fails authentication, but populates the iSCSI targets, and allows me to manually connect to them ONLY if i go into the Advanced tab and re-enter the CHAP settings (for Discovery, it doesnt matter if i specify the adapter/IP or leave it set to default - the same thing happens). With no authentication applied to iSCSI targets, and none specified on the initiator, Discovery + Target's reconnect without error or issue, even when rebooting.

@pgm554 - I dont see what the switches have to do with anything at all, but im using a stack of Cisco Catalyst 3500 series switches (1 x 24-port, 5 x 48 port)

Attached are screenshots just to help as a visual aid.
server.png
nas.png
0
 
LVL 1

Author Comment

by:mhdcommunications
ID: 38816008
Maybe im going about setting authentication the wrong way? I simply want a single password/secret or UN+PW set on the NAS for ALL iSCSI targets, even if i have to set them individually on each newly created target. If there is a better/global option for the WSS, let me know.
0
 
LVL 30

Expert Comment

by:pgm554
ID: 38816095
I've seen funny issues from time to time with spanning tree enabled on switches.

It may be timing out.
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 38816208
spanning tree would not affect CHAP authentication while not affecting no authentication...
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 30

Expert Comment

by:pgm554
ID: 38816286
No authentication means it's not waiting for a response from an AD or such to allow a login.
If spanning tree is causing the authentication to timeout,then it may be possibly be the culprit.

I had an issue with a Netware cluster and spanning tree timing out when failing back over a while back,and turning off stp on those affected ports fixed it.

If I'm wrong ,no big deal.

He could try another iSCSI target from somebody like Starwind just to see if it might be a "feature" with the MS piece.
0
 
LVL 36

Accepted Solution

by:
ArneLovius earned 500 total points
ID: 38816667
Security is usually set per LUN rather than per iSCSI server.

Alternatively, there is more overhead, but you could try the IPSec option instead...
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 38816673
AD is not involved with the Windows iSCSI target, the security is only within the iSCSI target.
0
 
LVL 1

Author Closing Comment

by:mhdcommunications
ID: 38817450
I setup an IPSec policy on the WSS server (Integrity only - no encryption) and added the IPSec settings to the initiator. Cannot connect to targets without using IPSec + they re-connect upon reboot. Thanks much.
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 38817936
That's great to hear :-)
0
 

Expert Comment

by:intermediagroup
ID: 40082593
Make sure add to favorites and enable muilti-path is selected when you connect to targets:
 

When you discover portal, click advanced, don’t use defaults click “Microsoft iSCSI Intiator” and you’re NIC IP for Initiator IP.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Having issues meeting security compliance criteria because of those pesky USB drives? Then I can help you! This article will explain how to disable USB Mass Storage devices in Windows Server 2008 R2.
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now