Solved

iSCSI targets do not automatically re-connect after reboot ONLY when CHAP authentication is used

Posted on 2013-01-23
12
2,558 Views
Last Modified: 2014-05-21
I have a Windows Storage Server 2008 R2 box and 2008 R2 Enterprise. I created my iSCSI targets on the WSS + added a virtual disk to ea iSCSI target. On the 2008 R2 Ent (initiator) server, when adding the WSS into the Discovery Target side, if i attempt to specify CHAP settings, it adds, but fails "Authentication Failure". It then populates the available targets, but i have to manually enter in the CHAP settings on each iSCSI target to be able to connect them the 2008 R2 Ent server - not a biggie, i can live with that (would rather not though). The problem is when the initiating server (2008 R2 Ent.) reboots, the targets dont automatically re-connect (but are still listed as available targets). I then have to go in and enter in the CHAP settings again. If i disable CHAP all together, everything populates, connects, and re-connects upon reboot. I need to be able to use CHAP for all iSCSI targets, and have them reconnect after every reboot without assistance (again, without using CHAP, this happens flawlessly).
FYI - Both servers are up-to-date as of 1/22/13 with Windows updates

Thanks in advance.
0
Comment
Question by:mhdcommunications
  • 5
  • 3
  • 3
  • +1
12 Comments
 
LVL 36

Expert Comment

by:ArneLovius
ID: 38815376
Which CHAP settings are you using ?
0
 
LVL 30

Expert Comment

by:pgm554
ID: 38815661
What switches?
0
 
LVL 1

Author Comment

by:mhdcommunications
ID: 38815991
@ArneLovius - I set CHAP authentication settings on the iSCSI targets on the WSS using a 16 character password. I have been messing aroung with this for a few days, and have tried numerous different passwords and UN, and all return the same result. On the Initiator side (2008 R2 Ent server), when adding the NAS to the Discovery tab as a Target Portal, and specifying the CHAP settings, it always fails authentication, but populates the iSCSI targets, and allows me to manually connect to them ONLY if i go into the Advanced tab and re-enter the CHAP settings (for Discovery, it doesnt matter if i specify the adapter/IP or leave it set to default - the same thing happens). With no authentication applied to iSCSI targets, and none specified on the initiator, Discovery + Target's reconnect without error or issue, even when rebooting.

@pgm554 - I dont see what the switches have to do with anything at all, but im using a stack of Cisco Catalyst 3500 series switches (1 x 24-port, 5 x 48 port)

Attached are screenshots just to help as a visual aid.
server.png
nas.png
0
 
LVL 1

Author Comment

by:mhdcommunications
ID: 38816008
Maybe im going about setting authentication the wrong way? I simply want a single password/secret or UN+PW set on the NAS for ALL iSCSI targets, even if i have to set them individually on each newly created target. If there is a better/global option for the WSS, let me know.
0
 
LVL 30

Expert Comment

by:pgm554
ID: 38816095
I've seen funny issues from time to time with spanning tree enabled on switches.

It may be timing out.
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 38816208
spanning tree would not affect CHAP authentication while not affecting no authentication...
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 30

Expert Comment

by:pgm554
ID: 38816286
No authentication means it's not waiting for a response from an AD or such to allow a login.
If spanning tree is causing the authentication to timeout,then it may be possibly be the culprit.

I had an issue with a Netware cluster and spanning tree timing out when failing back over a while back,and turning off stp on those affected ports fixed it.

If I'm wrong ,no big deal.

He could try another iSCSI target from somebody like Starwind just to see if it might be a "feature" with the MS piece.
0
 
LVL 36

Accepted Solution

by:
ArneLovius earned 500 total points
ID: 38816667
Security is usually set per LUN rather than per iSCSI server.

Alternatively, there is more overhead, but you could try the IPSec option instead...
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 38816673
AD is not involved with the Windows iSCSI target, the security is only within the iSCSI target.
0
 
LVL 1

Author Closing Comment

by:mhdcommunications
ID: 38817450
I setup an IPSec policy on the WSS server (Integrity only - no encryption) and added the IPSec settings to the initiator. Cannot connect to targets without using IPSec + they re-connect upon reboot. Thanks much.
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 38817936
That's great to hear :-)
0
 

Expert Comment

by:intermediagroup
ID: 40082593
Make sure add to favorites and enable muilti-path is selected when you connect to targets:
 

When you discover portal, click advanced, don’t use defaults click “Microsoft iSCSI Intiator” and you’re NIC IP for Initiator IP.
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ever notice how you can't use a new drive in Windows without having Windows assigning a Disk Signature?  Ever have a signature collision problem (especially with Virtual Machines?)  This article is intended to help you understand what's going on and…
Finding original email is quite difficult due to their duplicates. From this article, you will come to know why multiple duplicates of same emails appear and how to delete duplicate emails from Outlook securely and instantly while vital emails remai…
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now