llevon
Aspirant
Apr 19, 2011

iSCSI Authorization failure

We purchased a ReadyNAS 3100 of 8TB (5.5 TB usable storage) to use in an ESX environment of 4 ESXi servers and 25 VMs (mainly Linux, but a couple of Windows servers as well).

-I created 1 iSCSI target and 3 LUNs. (Since ESX cannot VMFS format disks larger than 2TB)
-I Enabled the "Access Control" (to support multiple hosts simultaneously)
-I did not configure CHAP authentication

Before installing the storage server in the data center I wanted to test the iSCSI connection from my Windows 7 workstation.
After entering the IP address I discover the Target.
But when I want to connect I get "Authorization failure" :(

How can that be since I haven't configured CHAP?

All information is welcome.

-------------------------
An extra question on the side.
I configured 1 target and 3 LUNs. Is this the best way to go? Or is it better to create 3 targets with each 1 LUN? :?

Now I can easily change this, once live in production I can't anymore.

10 Replies

  • I am not sure about VMware but I am pretty sure you need to use CHAP authentication if you enable access control.
  • CHAP and the access control list are different.

    When you enable the ACL, you need to actually enter the IQN (this is available in the iSCSI initiator you're using) from each client to the list (enter it, then hit add, enter the next, hit add). Otherwise with the ACL activated but nothing in the list, no clients are authorized to have access to the LUN.
  • Grievous wrote:
    CHAP and the access control list are different.

    When you enable the ACL, you need to actually enter the IQN (this is available in the iSCSI initiator you're using) from each client to the list (enter it, then hit add, enter the next, hit add). Otherwise with the ACL activated but nothing in the list, no clients are authorized to have access to the LUN.


    Thx for your reply.

    Do I have to configure this ACL if I connect from multiple initiators to it?
    Our iSCSI network is an isolated VLAN; it has no security required.

    I mean is this only for security purpose (so I can leave it disabled) or is this really required since I will have problems otherwise connecting with multiple ESX servers to the same LUN?
  • Yes, you need to add the IQN of every initiator that will be connecting. It is required for the iSCSI daemon on the ReadyNAS to use the persistent reservations needed to maintain multiple connections; otherwise it'll just keep kicking the first client off once the second connects.
  • Grievous wrote:
    Yes, you need to add the IQN of every initiator that will be connecting. It is required for the iSCSI daemon on the ReadyNAS to use the persistent reservations needed to maintain multiple connections; otherwise it'll just keep kicking the first client off once the second connects.



    Hello,

    In the meantime the device is in the datacenter. So I can configure and test it remotely.

    -I created 1 target and 3 LUNs
    -I added in the LUN configuration all the IQNs of the ESX servers connecting to the storage.
    -On the ESX servers I added the IP address of the ReadyNAS to the iSCSI software initiator > Dynamic Discovery.
    -I let the ESX server do a rescan all
    -After the rescan I see in the iSCSI software initiator on the ESX server in tab 'Static Discovery' the Target name of the ReadyNAS.
    -But I don't see any storage volumes I can create a datastore on.

    So the connection is there, otherwise the ESX servers would not see the name I configured on the ReadyNAS, but I don't have the LUNs available, although I configured the Access Control and added all the Initiator IQNs. (I used copy-paste so no typos.)


    Does anyone have an idea? All help is appreciated.
  • Can you open Frontview and go to System -> Config Backup -> Backup, download the whole thing and send that to me as if it were logs(info for that is in my signature)?
  • Thanks for the info you sent via PM.
    My problem is solved now but I want to share the solution.

    The problem was this:
    -When installing the ESX server I gave it an uppercase name.

    In the IQN information, you see the hostname as part of the IQN name and it shows the hostname in uppercase.

    So I did a copy-paste of that IQN name for the Access Control configuration to avoid typos.

    But it seems that an IQN name is ALWAYS LOWERCASE (this is an iSCSI standard I did not know), regardless of what ESX shows as the IQN name.

    I changed the IQN name to lowercase in the ReadyNAS and the volumes are now visible on the ESX server.


    Maybe this could be a tip for future firmware: do a check when someone is entering an IQN that everything is lowercase and, if needed, automatically change all uppercase to lowercase.
  • I'll see what we can do about making a note for that. It is indeed confusing especially when the client displays mixed case.
  • Thank you for the answer!!! Could not figure out what the heck I was doing wrong... guys, maybe put a warning or something that everything has to be lower case.

    Thank you
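
Added example (not part of the thread and not NETGEAR code): a small Python check along the lines of the firmware suggestion above, which compares the IQNs entered in a target's access control list with the IQNs the initiators display and flags entries that match only after lowercasing. The sample IQNs and host names are constructed, and the function names are hypothetical.

```python
import re

# IQN layout: iqn.<yyyy-mm>.<reversed domain>[:<identifier>], checked after lowercasing.
IQN_RE = re.compile(r"^iqn\.\d{4}-(0[1-9]|1[0-2])\.[a-z0-9][a-z0-9.-]*(:\S+)?$")


def normalize_iqn(raw):
    """Strip copy-paste whitespace and fold the name to lowercase."""
    return raw.strip().lower()


def audit_acl(acl_entries, initiator_iqns):
    """Classify each initiator IQN (as the client displays it) against the ACL.

    ok            - the lowercase form is in the ACL exactly
    case-mismatch - an ACL entry matches only after lowercasing/trimming
    missing       - no ACL entry for this initiator
    malformed     - not an IQN at all
    """
    exact = set(acl_entries)
    folded = {normalize_iqn(e) for e in acl_entries}
    report = {}
    for shown in initiator_iqns:
        name = normalize_iqn(shown)
        if not IQN_RE.match(name):
            report[shown] = "malformed"
        elif name in exact:
            report[shown] = "ok"
        elif name in folded:
            report[shown] = "case-mismatch"
        else:
            report[shown] = "missing"
    return report


def corrected_acl(acl_entries):
    """Return the ACL with every entry normalized, duplicates dropped, order kept."""
    return list(dict.fromkeys(normalize_iqn(e) for e in acl_entries))


# Constructed sample data: host names and suffixes are made up for illustration.
SAMPLE_ACL = ["iqn.1998-01.com.vmware:ESX01-1a2b3c4d",
              "iqn.1998-01.com.vmware:esx02-5e6f7a8b"]
SAMPLE_INITIATORS = SAMPLE_ACL + ["iqn.1998-01.com.vmware:esx03-9c0d1e2f", "esx04"]

if __name__ == "__main__":
    for iqn, status in audit_acl(SAMPLE_ACL, SAMPLE_INITIATORS).items():
        print(f"{status:14} {iqn}")
    print(corrected_acl(SAMPLE_ACL))
```

A "case-mismatch" result is the situation described in the thread: the entry pasted into the ACL keeps the uppercase host name, so the initiator is not authorized until the entry is lowercased.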
