VMware Cloud Community
pentofi
Contributor

Unable to set chap with esxi 4.1, IMA_VMW_SetMutualAuthParms

QNAP: TS-EC1279U-RP
Firmware: 3.6.1 build 0302T
Esxi: 4.1, updated to latest available versions
ISCSI: Emulex Hardware iscsi HBAs, updated as well

I am able to configure and access ISCSI Targets without chap.

However, as soon as I try to configure CHAP credentials on the HBAs or iSCSI targets, I always get:

    Call "HostStorageSystem.UpdateInternetScsiAuthenticationProperties" for object "storageSystem" on ESXi "10.10.10.1" failed.
    Operation failed, diagnostics report: iScsiLibException: status(c0000000): Invalid parameter; Message= IMA_VMW_SetMutualAuthParms

Google finds only 3 (sic!) unrelated search results for "Invalid parameter; Message= IMA_VMW_SetMutualAuthParms"

Examining /var/log/messages (ESXi host) I find this sort of "garbage"; it starts after the tail (really, this is the output, nothing lost or changed during copy/paste).

    Jun 10 18:46:48 shell[21962]: tail -f messages
    Jun 10 18:47:28 ost configuration." } Args:
    Jun 10 18:47:28 ",
    Jun 10 18:47:28  dynamicType = <unset>,
    Jun 10 18:47:28
    Jun 10 18:47:28 true,
    Jun 10 18:47:28 0,                    max =
    Jun 10 18:47:28 0,
    Jun 10 18:47:28              },
    Jun 10 18:47:28  {
    Jun 10 18:47:28             summary =
    Jun 10 18:47:28                value = 0,
    Jun 10 18:47:28  <unset>,
    Jun 10 18:47:28 rnetScsiHba.ParamValue) {
    Jun 10 18:47:28     },

???

Any ideas or advice is appreciated.

Thanks
Jim

0 Kudos
8 Replies
vmroyale
Immortal

Hello and welcome to the communities.

Which CHAP Security Level are you trying to specify?

Brian Atkinson | vExpert | VMTN Moderator | Author of "VCP5-DCV VMware Certified Professional-Data Center Virtualization on vSphere 5.5 Study Guide: VCP-550" | @vmroyale | http://vmroyale.com
0 Kudos
pentofi
Contributor

Hi!

The QNAP is set up with CHAP only (right now).

So it is CHAP only (non MUTUAL).

I just tried to configure MUTUAL (both QNAP and ESXi), but the MUTUAL option settings in the vclient property settings are staying deactivated (greyed out).

Some more log info, this time rescan all:


    Jun 11 19:01:11 shell[378758]: tail -f messages
    Jun 11 19:05:59 vmkernel: 1:00:49:24.580 cpu1:378782)ScsiScan: 1059: Path 'vmhba2:C0:T0:L1': Vendor: 'HP      '  Model: 'LOGICAL VOLUME  '  Rev: '5.70'
    Jun 11 19:05:59 vmkernel: 1:00:49:24.580 cpu1:378782)ScsiScan: 1062: Path 'vmhba2:C0:T0:L1': Type: 0x0, ANSI rev: 5, TPGS: 0 (none)
    Jun 11 19:06:00 vmkernel: 1:00:49:25.676 cpu1:378782)ScsiScan: 1059: Path 'vmhba3:C0:T0:L0': Vendor: 'QNAP    '  Model: 'iSCSI Storage   '  Rev: '3.1 '
    Jun 11 19:06:00 vmkernel: 1:00:49:25.676 cpu1:378782)ScsiScan: 1062: Path 'vmhba3:C0:T0:L0': Type: 0x0, ANSI rev: 5, TPGS: 3 (implicit and explicit)
    Jun 11 19:06:01 vmkernel: 1:00:49:26.766 cpu0:378782)ScsiScan: 1059: Path 'vmhba4:C0:T0:L0': Vendor: 'QNAP    '  Model: 'iSCSI Storage   '  Rev: '3.1 '
    Jun 11 19:06:01 vmkernel: 1:00:49:26.766 cpu0:378782)ScsiScan: 1062: Path 'vmhba4:C0:T0:L0': Type: 0x0, ANSI rev: 5, TPGS: 3 (implicit and explicit)
    Jun 11 19:06:05 vmkernel: 1:00:49:30.513 cpu18:378787)Vol3: 1604: Could not open device 'naa.600508b1001cede79925318c91198f82:6' for probing: Permission denied
    Jun 11 19:06:05 vmkernel: 1:00:49:30.513 cpu18:378787)Vol3: 644: Could not open device 'naa.600508b1001cede79925318c91198f82:6' for volume open: Permission denied
    Jun 11 19:06:05 vmkernel: 1:00:49:30.517 cpu18:378787)Vol3: 1604: Could not open device 'naa.600508b1001cede79925318c91198f82:5' for probing: Permission denied
    Jun 11 19:06:05 vmkernel: 1:00:49:30.518 cpu18:378787)Vol3: 644: Could not open device 'naa.600508b1001cede79925318c91198f82:5' for volume open: Permission denied
    Jun 11 19:06:05 vmkernel: 1:00:49:30.544 cpu18:378787)Vol3: 1604: Could not open device 'naa.600508b1001cede79925318c91198f82:8' for probing: Permission denied
    Jun 11 19:06:05 vmkernel: 1:00:49:30.545 cpu18:378787)Vol3: 644: Could not open device 'naa.600508b1001cede79925318c91198f82:8' for volume open: Permission denied

All "Advanced SCSI" settings are set to the defaults, I did not change them (hba->Properties->Advanced).

Again, I am able to list the non chap protected iscsi targets.

Jim

0 Kudos
vmroyale
Immortal

Can you try the "Use CHAP unless prohibited by target" security level? That is the only level listed as supported with the independent hardware adapter.

Brian Atkinson | vExpert | VMTN Moderator | Author of "VCP5-DCV VMware Certified Professional-Data Center Virtualization on vSphere 5.5 Study Guide: VCP-550" | @vmroyale | http://vmroyale.com
0 Kudos
pentofi
Contributor

Hi Brian.

In fact I did so; here are the settings used:

iscsierrchap.png

Just because I was curious, I tried the same with a hardware-identical server and ESXi 5.*; same experience.

As a result of the error message, no CHAP settings are stored with the "chap settings", so it is impossible to configure them via the GUI client.

I will try to connect the chap targets via "emulex bios console", give me a couple of minutes.

Thx

Jim

0 Kudos
pentofi
Contributor

Ok, the "couple of minutes" summed up quickly.

I was able to connect the chap protected target via the Emulex iscsi Utility

emulex_iscsi_ok.png

After leaving bios and starting the esxi host, the target showed up:

esxi_sees_lun.png

However:

1) only for the hba I previously configured the chap target in the emulex bios

2) Additional targets added with identical chap settings could not be detected (rescan)

3) Trying to manually add new targets via static discovery fails also

So for me it looks like some sort of "misunderstanding/communication issue" between ESXi and the Emulex driver/adapter.

Again thx

Jim

0 Kudos
pentofi
Contributor

I investigated another few hours and found the following:

The server is a hp bl685 g7.

I used the latest available hp tailored esx installable (4.1 U2 from June).

Did a clean install.

The latest drivers are already included with the image, so everything is up to date:

    /sbin # esxupdate query --v | grep be2
    cross_oem-vmware-esx-drivers-net-be2net_400.4.1.334.0-1vmw.2.17.249663         installed     2012-05-16T20:41:30.828723+00:00
    cross_oem-vmware-esx-drivers-scsi-be2iscsi_400.4.1.334.301-1vmw.0.0.343171     installed     2012-05-16T20:46:37.652539+00:00
    cross_oem-vmware-esx-ima-be2iscsi_400.4.1.334.301-1vmw.0.0.343171              installed     2012-05-16T20:50:15.749832+00:00

These are the iscsi hba (emulex NC551m) supported authentication methods:

    /sbin # vmkiscsi-tool -A -l vmhba3
    ---------------Inititator Authentication ------------

    Supported Authentication Methods for Adapter vmhba3:
    IMA_AUTHMETHOD_NONE
    IMA_AUTHMETHOD_CHAP
    ---------------Mutual Authentication ------------

    Supported Authentication Methods for Adapter vmhba3:
    IMA_AUTHMETHOD_NONE
    IMA_AUTHMETHOD_CHAP

Using vcenter to configure chap settings for the hbas (on any level, hba, server, target) there are 2 settings available:

"Do not use CHAP" which nicely maps to "IMA_AUTHMETHOD_NONE". And this setting works.

chap.png

"Use CHAP unless prohibited by target" however fails to be set with an error.

So for me it seems like setting "Use CHAP unless prohibited by target" does not map to the hba supported option "IMA_AUTHMETHOD_CHAP".

Shouldn't it be something like "Use CHAP" in the vcenter config dialog?

But who knows, well yeah, the one who does the mapping, of course.

emulex?

hp?

vmware?

As already stated, I experienced the same, both with 4.1* and 5.*.

Maybe someone with insights could verify this?

Thx again

Jim

0 Kudos
raz1
Contributor

I've spent a couple of days troubleshooting exactly the same problem, and I found the cause of my problem...

CHAP authentication needs a secret of at least 18 characters, but the iSCSI SAN I was using (EqualLogic) allows you to configure CHAP with a much smaller secret.  Once I’d set a new CHAP user with a longer password, I no longer get the error when inputting my CHAP credentials and I can see all the LUNs now.

hope that helps

Mohammed.

0 Kudos
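For reference on the one-way versus mutual CHAP settings and the secret-length point discussed in this thread, an added example (not code from any poster, VMware, Emulex or QNAP) of the CHAP computation iSCSI uses per RFC 1994 and RFC 3720, run for both directions of a login. The config dict layout, function names and secrets are constructed for illustration; the 12-byte floor is RFC 3720's 96-bit rule, and individual arrays or initiators may enforce their own limits.

```python
import hashlib
import hmac
import os

MIN_SECRET_BYTES = 12  # RFC 3720: a secret under 96 bits requires IPsec

def chap_response(ident, secret, challenge):
    """CHAP_R = MD5(CHAP_I || secret || CHAP_C), per RFC 1994 (CHAP_A=5)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()

def secret_problems(chap_secret, mutual_secret=None):
    """List policy problems to catch before pushing secrets to an adapter."""
    problems = []
    for name, value in (("chap", chap_secret), ("mutual", mutual_secret)):
        if value is not None and len(value) < MIN_SECRET_BYTES:
            problems.append(f"{name} secret is {len(value)} bytes (< {MIN_SECRET_BYTES})")
    if mutual_secret is not None and hmac.compare_digest(chap_secret, mutual_secret):
        problems.append("same secret configured for both directions")
    return problems

def mutual_login(initiator, target, t_chal=None, i_chal=None):
    """Run both directions of a login between two configs.

    Each config is a dict with 'chap' and 'mutual' secrets as that side has
    them stored. Returns (target_accepts_initiator, initiator_accepts_target).
    """
    t_chal = t_chal or os.urandom(16)   # CHAP_C sent by the target
    i_chal = i_chal or os.urandom(16)   # CHAP_C sent by the initiator
    if hmac.compare_digest(t_chal, i_chal):
        # RFC 3720: a challenge must not be reused for the other direction.
        raise ValueError("initiator reused the target's challenge")
    # Direction 1: initiator proves knowledge of the CHAP secret (CHAP_I=1).
    init_r = chap_response(1, initiator["chap"], t_chal)
    target_ok = hmac.compare_digest(init_r, chap_response(1, target["chap"], t_chal))
    # Direction 2: target proves knowledge of the mutual secret (CHAP_I=2).
    targ_r = chap_response(2, target["mutual"], i_chal)
    initiator_ok = hmac.compare_digest(targ_r, chap_response(2, initiator["mutual"], i_chal))
    return target_ok, initiator_ok

if __name__ == "__main__":
    # Constructed sample secrets, not values from the thread.
    esx = {"chap": b"initiator-secret-01", "mutual": b"target-secret-0002"}
    nas = {"chap": b"initiator-secret-01", "mutual": b"target-secret-0002"}
    print(mutual_login(esx, nas))             # both directions succeed
    nas["mutual"] = b"typo-on-the-target"
    print(mutual_login(esx, nas))             # initiator rejects the target
    print(secret_problems(b"short", b"short"))
```
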
pentofi
Contributor

Hi and thanks for your suggestions.

As a matter of fact I tried to do so, but I get the same results.

I am able to connect the SCSI LUNs directly from the Emulex HBAs with passwords shorter than 18 chars.

So the problem is somewhere between VMware client, vSphere, ESXi, Emulex drivers.

0 Kudos