iSCSI targets do not automatically re-connect after reboot ONLY when CHAP authentication is used

I have a Windows Storage Server 2008 R2 box and 2008 R2 Enterprise. I created my iSCSI targets on the WSS + added a virtual disk to ea iSCSI target. On the 2008 R2 Ent (initiator) server, when adding the WSS into the Discovery Target side, if i attempt to specify CHAP settings, it adds, but fails "Authentication Failure". It then populates the available targets, but i have to manually enter in the CHAP settings on each iSCSI target to be able to connect them the 2008 R2 Ent server - not a biggie, i can live with that (would rather not though). The problem is when the initiating server (2008 R2 Ent.) reboots, the targets dont automatically re-connect (but are still listed as available targets). I then have to go in and enter in the CHAP settings again. If i disable CHAP all together, everything populates, connects, and re-connects upon reboot. I need to be able to use CHAP for all iSCSI targets, and have them reconnect after every reboot without assistance (again, without using CHAP, this happens flawlessly).
FYI - Both servers are up-to-date as of 1/22/13 with Windows updates

Thanks in advance.
LVL 1
mhdcommunicationsAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
ArneLoviusConnect With a Mentor Commented:
Security is usually set per LUN rather than per iSCSI server.

Alternatively, there is more overhead, but you could try the IPSec option instead...
0
 
ArneLoviusCommented:
Which CHAP settings are you using ?
0
 
pgm554Commented:
What switches?
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
mhdcommunicationsAuthor Commented:
@ArneLovius - I set CHAP authentication settings on the iSCSI targets on the WSS using a 16 character password. I have been messing aroung with this for a few days, and have tried numerous different passwords and UN, and all return the same result. On the Initiator side (2008 R2 Ent server), when adding the NAS to the Discovery tab as a Target Portal, and specifying the CHAP settings, it always fails authentication, but populates the iSCSI targets, and allows me to manually connect to them ONLY if i go into the Advanced tab and re-enter the CHAP settings (for Discovery, it doesnt matter if i specify the adapter/IP or leave it set to default - the same thing happens). With no authentication applied to iSCSI targets, and none specified on the initiator, Discovery + Target's reconnect without error or issue, even when rebooting.

@pgm554 - I dont see what the switches have to do with anything at all, but im using a stack of Cisco Catalyst 3500 series switches (1 x 24-port, 5 x 48 port)

Attached are screenshots just to help as a visual aid.
server.png
nas.png
0
 
mhdcommunicationsAuthor Commented:
Maybe im going about setting authentication the wrong way? I simply want a single password/secret or UN+PW set on the NAS for ALL iSCSI targets, even if i have to set them individually on each newly created target. If there is a better/global option for the WSS, let me know.
0
 
pgm554Commented:
I've seen funny issues from time to time with spanning tree enabled on switches.

It may be timing out.
0
 
ArneLoviusCommented:
spanning tree would not affect CHAP authentication while not affecting no authentication...
0
 
pgm554Commented:
No authentication means it's not waiting for a response from an AD or such to allow a login.
If spanning tree is causing the authentication to timeout,then it may be possibly be the culprit.

I had an issue with a Netware cluster and spanning tree timing out when failing back over a while back,and turning off stp on those affected ports fixed it.

If I'm wrong ,no big deal.

He could try another iSCSI target from somebody like Starwind just to see if it might be a "feature" with the MS piece.
0
 
ArneLoviusCommented:
AD is not involved with the Windows iSCSI target, the security is only within the iSCSI target.
0
 
mhdcommunicationsAuthor Commented:
I setup an IPSec policy on the WSS server (Integrity only - no encryption) and added the IPSec settings to the initiator. Cannot connect to targets without using IPSec + they re-connect upon reboot. Thanks much.
0
 
ArneLoviusCommented:
That's great to hear :-)
0
 
intermediagroupCommented:
Make sure add to favorites and enable muilti-path is selected when you connect to targets:
 

When you discover portal, click advanced, don’t use defaults click “Microsoft iSCSI Intiator” and you’re NIC IP for Initiator IP.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.