Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

iSCSI targets do not automatically re-connect after reboot ONLY when CHAP authentication is used

Posted on 2013-01-23
12
Medium Priority
?
3,243 Views
Last Modified: 2014-05-21
I have a Windows Storage Server 2008 R2 box and 2008 R2 Enterprise. I created my iSCSI targets on the WSS + added a virtual disk to ea iSCSI target. On the 2008 R2 Ent (initiator) server, when adding the WSS into the Discovery Target side, if i attempt to specify CHAP settings, it adds, but fails "Authentication Failure". It then populates the available targets, but i have to manually enter in the CHAP settings on each iSCSI target to be able to connect them the 2008 R2 Ent server - not a biggie, i can live with that (would rather not though). The problem is when the initiating server (2008 R2 Ent.) reboots, the targets dont automatically re-connect (but are still listed as available targets). I then have to go in and enter in the CHAP settings again. If i disable CHAP all together, everything populates, connects, and re-connects upon reboot. I need to be able to use CHAP for all iSCSI targets, and have them reconnect after every reboot without assistance (again, without using CHAP, this happens flawlessly).
FYI - Both servers are up-to-date as of 1/22/13 with Windows updates

Thanks in advance.
0
Comment
Question by:mhdcommunications
  • 5
  • 3
  • 3
  • +1
12 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38815376
Which CHAP settings are you using ?
0
 
LVL 30

Expert Comment

by:pgm554
ID: 38815661
What switches?
0
 
LVL 1

Author Comment

by:mhdcommunications
ID: 38815991
@ArneLovius - I set CHAP authentication settings on the iSCSI targets on the WSS using a 16 character password. I have been messing aroung with this for a few days, and have tried numerous different passwords and UN, and all return the same result. On the Initiator side (2008 R2 Ent server), when adding the NAS to the Discovery tab as a Target Portal, and specifying the CHAP settings, it always fails authentication, but populates the iSCSI targets, and allows me to manually connect to them ONLY if i go into the Advanced tab and re-enter the CHAP settings (for Discovery, it doesnt matter if i specify the adapter/IP or leave it set to default - the same thing happens). With no authentication applied to iSCSI targets, and none specified on the initiator, Discovery + Target's reconnect without error or issue, even when rebooting.

@pgm554 - I dont see what the switches have to do with anything at all, but im using a stack of Cisco Catalyst 3500 series switches (1 x 24-port, 5 x 48 port)

Attached are screenshots just to help as a visual aid.
server.png
nas.png
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 1

Author Comment

by:mhdcommunications
ID: 38816008
Maybe im going about setting authentication the wrong way? I simply want a single password/secret or UN+PW set on the NAS for ALL iSCSI targets, even if i have to set them individually on each newly created target. If there is a better/global option for the WSS, let me know.
0
 
LVL 30

Expert Comment

by:pgm554
ID: 38816095
I've seen funny issues from time to time with spanning tree enabled on switches.

It may be timing out.
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38816208
spanning tree would not affect CHAP authentication while not affecting no authentication...
0
 
LVL 30

Expert Comment

by:pgm554
ID: 38816286
No authentication means it's not waiting for a response from an AD or such to allow a login.
If spanning tree is causing the authentication to timeout,then it may be possibly be the culprit.

I had an issue with a Netware cluster and spanning tree timing out when failing back over a while back,and turning off stp on those affected ports fixed it.

If I'm wrong ,no big deal.

He could try another iSCSI target from somebody like Starwind just to see if it might be a "feature" with the MS piece.
0
 
LVL 37

Accepted Solution

by:
ArneLovius earned 2000 total points
ID: 38816667
Security is usually set per LUN rather than per iSCSI server.

Alternatively, there is more overhead, but you could try the IPSec option instead...
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38816673
AD is not involved with the Windows iSCSI target, the security is only within the iSCSI target.
0
 
LVL 1

Author Closing Comment

by:mhdcommunications
ID: 38817450
I setup an IPSec policy on the WSS server (Integrity only - no encryption) and added the IPSec settings to the initiator. Cannot connect to targets without using IPSec + they re-connect upon reboot. Thanks much.
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38817936
That's great to hear :-)
0
 

Expert Comment

by:intermediagroup
ID: 40082593
Make sure add to favorites and enable muilti-path is selected when you connect to targets:
 

When you discover portal, click advanced, don’t use defaults click “Microsoft iSCSI Intiator” and you’re NIC IP for Initiator IP.
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to install and use the NTBackup utility that comes with Windows Server.
Article by: evilrix
Looking for a way to avoid searching through large data sets for data that doesn't exist? A Bloom Filter might be what you need. This data structure is a probabilistic filter that allows you to avoid unnecessary searches when you know the data defin…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

886 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question