
Hyper-V Replica establishing problem

2,343 Views
Last Modified: 2017-05-16
Hi there!
I have another strange issue, let me explain what is going on.

I have two machines (server1 and server2) with Windows Hyper-V Server 2016 (the free one). Both are connected to a really simple Active Directory. Additionally, I have a management server with a GUI server OS.
Both servers were connected to the same switch in my office, so I could establish replication of one VM located on server2 to server1. Everything went smoothly for a couple of days.

Then I took server2 and brought it to the remote site, where there was already a Mikrotik router with an IPsec VPN tunnel to my office site. Right after that, replication stopped working, so I let it run for some days to let the settings settle down. After those days I removed the replication and tried to create a new one.

There I'm getting this error:

Hyper-V failed to enable replication.
Hyper-V failed to enable replication for virtual machine 'XXX': The connection with the server was terminated abnormally (0x00002EFE).

On server1 (in my office, the secondary one) there is this event:
ID: 29212
Source: Hyper-V-VMMS
Text:Hyper-V failed to authenticate the primary server using Kerberos authentication. Error: The I/O operation has been aborted because of either a thread exit or an application request. (0x800703E3)

On server2 (the remote site) there is also only one event:
ID: 32000
Source: Hyper-V-VMMS
Text:Hyper-V failed to enable replication for virtual machine 'XXX': The connection with the server was terminated abnormally (0x00002EFE). (Virtual machine ID CABxxxxxxxxxxxxxxxxxxxxxx846)

I've been trying to resolve it for some days, and the situation got so serious that I installed Wireshark on both Hyper-V servers and tried to capture the traffic. The request and response are not the same on server1 and server2.

The 1st HTTP request gets an incomplete response on the client side (server2).
The 2nd HTTP request is answered with "HTTP Error 400. The request is badly formed.", but that response never reaches server2.

That means server1 is sending a response that never hits server2.

On my office site with server1 there is a Kerio Control; on the remote site with server2 there is a Mikrotik router. They are interconnected by an IPsec VPN tunnel, which works well for all the other tasks I'm using it for.

I suspect the Kerio Control security mechanisms such as the antivirus or the IPS, but I have already turned those features off and it is still not working. Also the logs are clean, no errors reported at all...

Please, do you have any other things to try?

Best regards,
Jan

Philip Elder, Technical Architect - HA/Compute/Storage
CERTIFIED EXPERT

Commented:
Step 1: Main site: Set exceptions in Windows Firewall to allow inbound packets from the remote site's subnet.
Step 2: In ADUC set up Constrained Delegation for CIFS pointing to the other server to allow credential delegation.
Step 3: After setting KCD up, either reboot the server or restart the VMMS service on both servers.

It should just work.
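The three steps above can be verified before re-enabling replication. The following PowerShell is an added example, not something posted in this thread: it runs read-only checks on the Replica (secondary) host for the firewall rule, the constrained-delegation entry on the computer account, FQDN resolution and port reachability, and the Replica listener settings, then recycles VMMS as Step 3 asks. The host name and subnet are placeholders, and the AD check assumes the RSAT ActiveDirectory module is installed on the management server or host where you run it.

```powershell
# Added example, not from the thread. Read-only pre-flight checks for Steps 1-3,
# run on the Replica (secondary) host. Host name and subnet below are assumptions.
$PrimaryHost  = 'server2.corp.example'   # assumed FQDN of the primary Hyper-V host
$RemoteSubnet = '10.20.0.0/24'           # assumed subnet of the remote site
$ReplicaPort  = 80                       # Kerberos-authenticated replication uses HTTP/80 by default

# Step 1: Windows Firewall. The built-in listener rule must be enabled and its
# remote-address scope must include the remote subnet (or be 'Any').
$rule  = Get-NetFirewallRule -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'
$scope = $rule | Get-NetFirewallAddressFilter
"Firewall rule enabled: $($rule.Enabled)  remote scope: $($scope.RemoteAddress -join ',')  expected to cover: $RemoteSubnet"
# Log dropped inbound packets (domain profile) so a firewall block shows up in pfirewall.log
# instead of being guessed at.
Set-NetFirewallProfile -Profile Domain -LogBlocked True

# Step 2: Kerberos constrained delegation on the computer account. The Replica host's
# account should list cifs/<primary FQDN>; the primary's account lists cifs/<replica FQDN>.
Import-Module ActiveDirectory
$localAcct = Get-ADComputer $env:COMPUTERNAME -Properties msDS-AllowedToDelegateTo
"Delegation on $env:COMPUTERNAME : $($localAcct.'msDS-AllowedToDelegateTo' -join '; ')"

# Name resolution and TCP reachability of the primary by FQDN (Kerberos SPNs need the FQDN).
Resolve-DnsName $PrimaryHost -Type A | Select-Object Name, IPAddress
Test-NetConnection -ComputerName $PrimaryHost -Port $ReplicaPort |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded

# Replica-side listener configuration; the port here must match what the primary sends to.
Get-VMReplicationServer |
    Select-Object ReplicationEnabled, AllowedAuthenticationType, KerberosAuthenticationPort, ReplicationAllowedFromAnyServer

# Step 3: after changing delegation, recycle the Virtual Machine Management Service.
Restart-Service vmms
```

Run the same script on the primary with the roles swapped (primary host name replaced by the Replica's FQDN). A `TcpTestSucceeded` of True with replication still failing, as in this thread, points past the firewall and toward something in the path mangling the HTTP exchange rather than blocking it.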
Jan Vojtech Vanicek, IT Specialist

Author

Commented:
Thank you, Philip,
those are the things I had already set. It is the first thing that comes up in a Google search. I'm pretty sure it is not a Windows Firewall issue, since I disabled it on all involved servers to give it a try...

Also DNS and Kerberos are working fine at the remote location...
Philip Elder, Technical Architect - HA/Compute/Storage
CERTIFIED EXPERT

Commented:
Disabling the Windows Firewall does not turn it off; it only places it in a kind of limp mode.

It's better to turn on Pop-Ups for new outbound protocol requests and logging for all failed requests. Logging makes it clear in a moment that the firewall is not to blame.

So, Constrained Delegation for CIFS is set up for both endpoints? The authentication error in the log entry above indicates that is the source of the problem.

MicroTik routers are a pain to work with especially for VPNs. Make sure it is not blocking anything.

Make sure to use the fully qualified domain name (FQDN) in all requests (server.domain.com) not just the server name. Is DNS on site 2 server pointing to site 1's DNS server?
Jan Vojtech Vanicek, IT Specialist

Author

Commented:
From the Wireshark observation, I can state that Windows Firewall is not the problem.

Yes, delegation is set up correctly; it was working on the same switch.

Regarding Mikrotik, I'm not sure, but all other domain-related services are working well; I can access shares over the VPN, etc...

I am using DNS on the 1st site, where the Active Directory domain controller with all FSMO roles and the time source is.

I'm starting to suspect Kerio Control and some of its security features, but why on earth is it not logging any error, even with extended logging set up?
Philip Elder, Technical Architect - HA/Compute/Storage
CERTIFIED EXPERT
Commented:
Jan Vojtech Vanicek, IT Specialist

Author

Commented:
No, Kerio Control is a Linux appliance: firewall, VPN concentrator, HTTP/FTP/POP3/SMTP/IMAP antivirus and IPS.
Philip Elder, Technical Architect - HA/Compute/Storage
CERTIFIED EXPERT

Commented:
Are you able to use WireShark to gain insight into packet flow between sites?
Jan Vojtech Vanicek, IT Specialist

Author

Commented:
Yeah, and it is very strange:

I ran Wireshark on SERVER1 and SERVER2 at the same time and tried to set up the replication. On the primary replica server (SERVER2) I can see two HTTP requests to SERVER1. On SERVER1 I can see the same requests and also the full responses, but the responses do not arrive on SERVER2; there I can see only a few bytes of a response.

I'm not using any proxy server or security solution in this path except Kerio Control. But as I stated before, all of those features are temporarily off.

So OK, I'm going to open a support ticket with Kerio support.
Jan Vojtech Vanicek, IT Specialist

Author

Commented:
Whoooop! In Kerio Control, under Service definitions, there is an inspection module on port 80 (HTTP). I disabled it and now it is working!!!
Thank you for your effort Philip!
Jan Vojtech Vanicek, IT Specialist

Author

Commented:
It was really caused by security software, but not on the host: on the firewall. Thank you once more!
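Because Kerberos-mode Hyper-V Replica rides on plain HTTP over port 80, any in-path HTTP inspection engine (here, the Kerio Control inspection module for the HTTP service) can rewrite or truncate the exchange without ever logging a block, which is exactly what the Wireshark captures showed. After such a fix it is worth confirming the relationship is healthy from the host side and pulling the same two VMMS events quoted in the question. The PowerShell below is an added example, not code from this thread; the VM name is the placeholder used in the question, and it assumes it is run on the primary host with the Hyper-V module present.

```powershell
# Added example, not from the thread. Post-fix health check, run on the primary host.
$VMName = 'XXX'   # placeholder VM name as used in the question

# Replication relationship: Health should be Normal, AuthenticationType Kerberos,
# ReplicaServerPort the port the in-path firewall must leave untouched.
Get-VMReplication -VMName $VMName |
    Select-Object VMName, State, Health, Mode, ReplicaServer, ReplicaServerPort, AuthenticationType

# Per-VM replication statistics: a recent LastReplicationTime and a small
# PendingReplicationSize show deltas are actually getting through the tunnel.
Measure-VMReplication -VMName $VMName |
    Select-Object VMName, ReplicationHealth, LastReplicationTime, PendingReplicationSize

# The two VMMS admin-log events from the question (32000 is raised on the primary,
# 29212 on the Replica), limited to the last 24 hours. Run the same query on the Replica host.
$filter = @{
    LogName   = 'Microsoft-Windows-Hyper-V-VMMS-Admin'
    Id        = 29212, 32000
    StartTime = (Get-Date).AddDays(-1)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

If the event query returns nothing and `Health` reads Normal, the port-80 path is clean again. Keeping a narrow exception for the replica port in the inspection policy, rather than disabling inspection for all HTTP, limits how much other traffic loses the firewall's scrutiny.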
Philip Elder, Technical Architect - HA/Compute/Storage
CERTIFIED EXPERT

Commented:
Glad to help point in the right direction.