dgb
Contributor
Contributor

errors logging in to iscsi lun on equallogic

Hi,

We have 2 esx servers hooked into a Equallogic ps400e, and after upgrading one ESX to 3,5 we are seeing errors on the equallogic, even though the lun maps and can be used.

We have the iscsi set up as before (which was working) and the equallogic just checks on IP address (no initiator name or Chap) of both Servcie Console and VMKernel IP's.

The equallogic reports errors every 2 mins about "Initiator wants to skip security phase but we cannot" - and its always on the target ending ".....-vss-control." (that must be a clue). But the allocated 400Gb lun is mapped and usable to ESX.

I appreciate this may be more specific to our storage, but has anyone seen the same, got any ideas?

Many Thanks,

Daniel.

Tags (3)
0 Kudos
3 Replies
dgb
Contributor
Contributor

Equallogic support provided a document to explain this.

Using Chap authentication from the ESX got rid of the problem.

The Equallogic has a 'VSS' volume, for potential use by any Windows connections, which is CHAP protected - ESX without chap will try to connect to it and that produced the errors on the EQ box.

0 Kudos
michaelstarrwil
Contributor
Contributor

i am getting this exact error every two minutes. Where do i go to change the Chap to stop this error...Everything else works fine..

thanks

0 Kudos
glynnd1
Expert
Expert

Micheal, try this:

Error: initiator wanted to skip security phase but we cannot

If this message appears in the EqualLogic event log, then ESX is attempting to connect to a volume configured for CHAP credentials. The most common source is a control volume Microsoft Windows uses for Volume Shadow Services (VSS) called ‘vss-control’. By default, any initiator may discover this volume but cannot connect to it without CHAP credentials. The array is informing you that the ESX initiator (whether hardware or software) is attempting to connect to it without presenting a CHAP username/password.

If you will not be using VSS, one solution is to disable access to the VSS-control volume. In the Group Parameters menu in the EqualLogic GUI, select the VSS/VDS tab. Remove the ‘vsadmin’ access control entry.

If you are planning on using VSS, then use the EqualLogic option called “iSCSI Discovery Filter” in the Group Configuration->iSCSI menu. This will prevent non-CHAP configured initiators from discovering CHAP authenticated volumes – as a result, the ESX software initiator will not try to log into CHAP authenticated volumes when CHAP is not configured in the ESX initiator.

If you are using the Qlogic HBA you can remove the VSS-control connection via the ‘static mappings’ tab under Configuration->Storage Adapters->QLA4022->Properties.

If you are using the ESX software initiator you must restart the ESX server to correct this condition. Once the initiator has discovered the target, only a reboot will remove it from memory.

0 Kudos