Reason: Node "XXX" failed to allocate encryption resources. Please retry later or reboot...

August 17, 2020, 5:03 am

≫ Next: SIO_NTAP

≪ Previous: Few open cases are missing in the ONTAP report

$

0

0

We are using NetApp 9.4 and would like to enable encryption at rest. After running the following command successfully:

 

security key-manager setup

 

We are presented with the following error when trying to either create a new or convert an existing volume with encryption enabled.

 

Reason: Node "XXX" failed to allocate encryption resources. Please retry later or reboot the node

 The documentation does not mention that a reboot may be required. Is there something we have missed or is there another problem. Previous posts on the forum suggest that rebooting the nodes will work. I am also not sure what the impact would be of rebooting one of our 2 nodes. Will the client have to reconnect ?

 

Any guidance on this issue is much appreciated.

 

PS: The support site seems to be down so I wasn't able to raise a support case for this.

 

---

SIO_NTAP

August 17, 2020, 6:48 am

≫ Next: SVM DR: Failed to reactivate the SVM. Reason: undefined

≪ Previous: Reason: Node "XXX" failed to allocate encryption resources. Please retry later or reboot...

$

0

0

Hello, 

Does anyone have keep a copy have sio_ntap ? I think it has been removed from the support website and i wanted to use it to do some performance tests. 

Thanks !

SVM DR: Failed to reactivate the SVM. Reason: undefined

August 17, 2020, 9:25 am

≫ Next: Is there a way to getemail alerts when volumes fill up or get to a predetermined point?

≪ Previous: SIO_NTAP

$

0

0

Hi All,

 

I'm at a stump. I'm playing around with SVM DR as I want to implement it for DRP but its giving me an issue when trying to go back to the Source SVM and sadly it gives me a Reason Undefined error when doing it via System Manager.

 

 

Strange thing is when I run the process manually via CLI it works.

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.pow-dap/GUID-636DEBE4-31FB-49BA-931D-10911E6F70C5.html

 

Do you guys know how I can find out what exactly that Reason Undefined message means?

 

Both clusters are on 9.6P8, volume is unencrypted, first two times I tried volume efficiency was on and inline too.

 

Is there a way to getemail alerts when volumes fill up or get to a predetermined point?

August 17, 2020, 3:43 pm

≫ Next: two-way domain trust?

≪ Previous: SVM DR: Failed to reactivate the SVM. Reason: undefined

$

0

0

Is there a way to getemail alerts when volumes fill up or get to a predetermined point?

 

Im trying to get the MIB file from /etc/on the device and I not able to do that . The MIB download section says use the MIB from /etc... so how do I get it ?

 

two-way domain trust?

August 17, 2020, 5:32 pm

≫ Next: Snapmirror Synchronous isn't synching immediately

≪ Previous: Is there a way to getemail alerts when volumes fill up or get to a predetermined point?

$

0

0

I wanted to add Domain B as the trusted domain for Domain A? What steps do I have to go through?

 

1. Create two way trust in Domain A and then Domain B first in Active Directory Domain, right?

2. Use the following command to create the trust on Cluster:

vserver cifs domain name-mapping-search add -vserver vserver_name -trusted-domains FQDN, ...

3. What is the right command to verify?
4. Is there any commands to show if this is one-way or two-way on Cluster, or have to be on AD?

 

Please help in details. Thank you!

Snapmirror Synchronous isn't synching immediately

August 18, 2020, 10:55 am

≫ Next: Storage audit documents

≪ Previous: two-way domain trust?

$

0

0

We have two clusters that are both running 9.7P5.  On Cluster A, we have a volume that has a CIFS share associated with it.  We then have a Snapmirror Sync relationship with Cluster B.  For some reason, when a user updates a file in the original volume, the changes aren't replicated to Cluster B until 5 minutes after the hour (or a manual update).  Our understanding is that a write to the source volume would be written immediately to the source and destination?

 

Below is the information for the relationship in case it helps:

 

Oriole::> snapmirror show -destination-path oriole-svm:sm_s_prj004_NTFS

 

                            Source Path: cardinal-svm:prj004_NTFS

                       Destination Path: oriole-svm:sm_s_prj004_NTFS

                      Relationship Type: XDP

                Relationship Group Type: none

                    SnapMirror Schedule: -

                 SnapMirror Policy Type: sync-mirror

                      SnapMirror Policy: Sync

                            Tries Limit: -

                      Throttle (KB/sec): unlimited

                           Mirror State: Snapmirrored

                    Relationship Status: InSync

                File Restore File Count: -

                 File Restore File List: -

                      Transfer Snapshot: -

                      Snapshot Progress: -

                         Total Progress: -

              Network Compression Ratio: -

                    Snapshot Checkpoint: -

                        Newest Snapshot: snapmirror.477874a4-49e1-11e6-934f-00a098a22fa1_2153295841.2020-08-18_110500

              Newest Snapshot Timestamp: 08/18 11:05:00

                      Exported Snapshot: snapmirror.477874a4-49e1-11e6-934f-00a098a22fa1_2153295841.2020-08-18_110500

            Exported Snapshot Timestamp: 08/18 11:05:00

                                Healthy: true

                       Unhealthy Reason: -

                Destination Volume Node: Oriole-01

                        Relationship ID: 60d303d6-db52-11ea-9aa3-90e2ba9be160

                   Current Operation ID: -

                          Transfer Type: -

                         Transfer Error: -

                       Current Throttle: -

              Current Transfer Priority: -

                     Last Transfer Type: resync

                    Last Transfer Error: -

                     Last Transfer Size: 2.97KB

Last Transfer Network Compression Ratio: 1:1

                 Last Transfer Duration: 0:0:12

                     Last Transfer From: cardinal-svm:prj004_NTFS

            Last Transfer End Timestamp: 08/10 17:57:43

                  Progress Last Updated: -

                Relationship Capability: 8.2 and above

                               Lag Time: 0:0:0

           Identity Preserve Vserver DR: -

                 Volume MSIDs Preserved: -

                 Is Auto Expand Enabled: -

           Number of Successful Updates: 187

               Number of Failed Updates: 0

           Number of Successful Resyncs: 1

               Number of Failed Resyncs: 0

            Number of Successful Breaks: 0

                Number of Failed Breaks: 0

                   Total Transfer Bytes: 15879

         Total Transfer Time in Seconds: 12

Storage audit documents

August 19, 2020, 4:13 am

≫ Next: api error 13006: Vserver missing vserver parameter

≪ Previous: Snapmirror Synchronous isn't synching immediately

$

0

0

 

Hi,

 

I need netapp storage audit related documents for maintaining a number of netapp boxes and ITIL service documents.

Can someone guide me where do i find all those related details.

 

regards,

Karthik.

api error 13006: Vserver missing vserver parameter

August 19, 2020, 10:29 am

≫ Next: IOmeter parameters

≪ Previous: Storage audit documents

$

0

0

I am new to netapp ZAPI ,i am using python library available to connect netapp(https://pypi.org/project/netapp-api/) , connection is successful but when i try to create snapshot i get error :api error 13006: Vserver missing vserver parameter

 

please help to check the issue 

---

IOmeter parameters

August 20, 2020, 1:41 am

≫ Next: Audit file folder access from specific IP

≪ Previous: api error 13006: Vserver missing vserver parameter

$

0

0

Hi everybody ! 

 

I'm trying to use IOmeter to test a new AFF220 metrocluster. 

However, i don't really know which parameters to use to test it... 

 

How many workers should i use ? 

I don't really know what is Tranfert Request Size, Align I/Os if you have any ideas ? 

 

I did a try with 4K 100% random on a windows VM with 10 workers. Display results are showing  36K IOPS, however, on the LUN where resides the VM, can't go over 2000 IOPS.. Don't get that ! 

 

Thanks !

 

 

 

Audit file folder access from specific IP

August 20, 2020, 6:49 am

≫ Next: Powershell Invoke-NcSsh Sound

≪ Previous: IOmeter parameters

$

0

0

I'm looking for a way to see when users access CIFS on specific SVM from specific IP what files they are accessing. 

 

Have a network segment will be isolating and want to verify if clients in this range are accessing CIF shares.

 

 

Powershell Invoke-NcSsh Sound

August 20, 2020, 10:15 am

≫ Next: Unable to add storage system to VSA 9.7P2

≪ Previous: Audit file folder access from specific IP

$

0

0

Every time I use Invoke-NcSsh I get a system "ding." Odd request but when looping between multiple clusters this is annoying. 

 

Thoughts?

Unable to add storage system to VSA 9.7P2

August 20, 2020, 12:01 pm

≫ Next: Cross Vlan communication

≪ Previous: Powershell Invoke-NcSsh Sound

$

0

0

Hi, I was wondering if anyone has seen this issue. I am trying to add a storage to VSC 9.7P2 and I keep getting a "http error 401,OK"  I have tried clearing browser cache .  

VASA provider and SRA is running and registered with vSphere
VSC is also running and registered with vSphere

VCSA is 7.0

 

Cross Vlan communication

August 20, 2020, 2:26 pm

≫ Next: Space reclamation on FlexVol

≪ Previous: Unable to add storage system to VSA 9.7P2

$

0

0

Hello,

I am running ontap 9.7 and I am trying to figure out if there is a way to connect to a lif that is in a different vlan.

To give some background on our network it is set up like this with firewall open from workstations to servers in each department

 

10.10.20.0/24 = Department A workstations

10.10.25.0/24 = Department A Servers

10.10.30.0/24= Department B workstations

10.10.35.0/24 = Department B Servers

 

My networking Team is requesting that we mount our CIFS shares on our workstations through IPs in the server subnets to keep non workstation things off of the workstation subnets. 

 

Our set up on the netapp side currently looks like this.

 

we have ports e0c and e0d aggregated into a0a on both nodes and ports e0e and e0f aggregated into a0b on both nodes.

we then have VLANS set up on all 4 aggregated ports. ie a0a-20 a0a-25 a0a-30 a0a-35 on all 4 aggregated ports.

 

As far as I can see the VLANs are supposed to prevent traffic going between them. So is there a way for me to get the a workstation in vlan 20 to mount a share in vlan 25?

 

Thank you for any guidance you have!

 

 

 

 

Space reclamation on FlexVol

August 21, 2020, 10:41 am

≫ Next: how to provide https access for other users with admin role , what roles to create to use rest api

≪ Previous: Cross Vlan communication

$

0

0

Hello Team.

Vol A was 15TB, and later decreased to 10 TB due to less utilization. However, the logical used size as reported in vol show output is still the older one, and Logical Used Percentage: 144%. The volume has the following attributes set : Space SLO: none and Space Guarantee Style: volume. I know that when Space Guarantee Style is set to volume, ONTAP reserves certain set of blocks for that volume in the underlying aggregate. Now, the issue is, if I leave the volume as it is, would it be an issue in terms of space issues later on that cluster (since those blocks would still be reserved for this volume) ? I tried to run compaction but that won't work since the Space Guarantee Style is volume. I would really be grateful if somebody could share their expert insights. 

Please note: Vol has static data and is on Prod cluster.

how to provide https access for other users with admin role , what roles to create to use rest api

August 22, 2020, 6:07 am

≫ Next: What authentication method does CIFS server use for CIFS clients?

≪ Previous: Space reclamation on FlexVol

$

0

0

I could able to login via https if admin role is applied .  If role is changed then not able to login with https .

 

What roles do we need to create for using rest api . Basically i need it for snapmirror  monitoring  using apis.

 

 

---

What authentication method does CIFS server use for CIFS clients?

August 24, 2020, 11:37 am

≫ Next: Complexity requirements for local CIFS user passwords

≪ Previous: how to provide https access for other users with admin role , what roles to create to use rest api

$

0

0

 

I am confused about what authentication method is being used by the vservers here. please see the following two command and outputs. Thanks!

 

1. Based on the outputs, is this vserver using "MS-DC" or "KERBEROS"? My understanding is Kerberos should be the default.
2. What exactly "MS-DC" type  really is versus Kerberos or MS-LDAP? Is this same as NTLM?

*>cifs domain discovered-servers show -vserver vserver-name1

.....

Node: node-08
Vserver: vserver-name1

Domain Name Type Preference DC-Name DC-Address Status
--------------- -------- ---------- --------------- --------------- ---------
abc.organizat.com KERBEROS preferred dcservername01 1.1.1.5 undetermined
abc.organizat.com KERBEROS preferred dcservername02 1.1.1.6 undetermined
abc.organizat.com MS-LDAP preferred dcservername01 1.1.1.5 undetermined
abc.organizat.com MS-LDAP preferred dcservername02 1.1.1.6 undetermined
abc.organizat.com MS-DC preferred dcservername01 1.1.1.5 OK
abc.organizat.com MS-DC preferred dcservername02 1.1.1.6 undetermined

......

 

*>vserver cifs security show -vserver vserver-name1

Vserver: vserver-name1

 

Kerberos Clock Skew: 5 minutes
Kerberos Ticket Age: 10 hours
Kerberos Renewal Age: 7 days
Kerberos KDC Timeout: 3 seconds
Is Signing Required: false
Is Password Complexity Required: true
Use start_tls for AD LDAP connection: false
Is AES Encryption Enabled: false
LM Compatibility Level: lm-ntlm-ntlmv2-krb
Is SMB Encryption Required: false
Client Session Security: -
SMB1 Enabled for DC Connections: system-default
SMB2 Enabled for DC Connections: system-default
LDAP Referral Enabled For AD LDAP connections: false
Use LDAPS for AD LDAP connection: false

Complexity requirements for local CIFS user passwords

August 25, 2020, 4:15 am

≫ Next: Latency difference between LIFs on same port

≪ Previous: What authentication method does CIFS server use for CIFS clients?

$

0

0

Hi,

 

I would like to adjust complexity requirements (increase minimum length) for local CIFS users.

I cannot find how to modify below complexity setting.

Can someone help ?

 

clus01::*> cifs security show -vserver svm02 -fields is-password-complexity-required
vserver is-password-complexity-required
--------------- -------------------------------
svm02 true

 

The password must meet the following criteria:

• Must be at least six characters in length
• Must not contain the user account name
• Must contain characters from at least three of the following four categories:
  • English uppercase characters (A through Z)
  • English lowercase characters (a through z)
  • Base 10 digits (0 through 9)
  • Special characters:

    ~ ! @ # $ % ^ & * _ - + = ` \ | ( ) [ ] : ; " ' < > , . ? /  

Regards,

Jakub

Latency difference between LIFs on same port

August 25, 2020, 7:08 am

≫ Next: iscsi for Linux VM

≪ Previous: Complexity requirements for local CIFS user passwords

$

0

0

Hello!

 

I've been breaking my head over an issue I'm having with a 4-node MetroCluster FC (so 2 FAS8200 nodes per site) running in a production environment.

 

So I have two LIFs on the same controller, hosted on the same LACP group (tested with both one and two member ports). Accessing volumes through the first LIF, I saw latencies of up to 23ms. Accessing these same volumes on the second LIF, I saw latencies of up to 1ms. I'm measuring against volumes hosted on the same controller, as well as on the other controller, which gives me the same results.

 

I've done the usual things:

• Checked CPU/disk utilization (sysstat -x on all controllers): less than 25% CPU usage in a few minutes, less than 70% disk usage.
• Checked volume latency (qos statistics volume performance): 50µs latency. 
• Checked port usage through AIQUM: one physical port was using 9% of 10Gbps
• There is no duplicate IP in the subnet

 

Any help/suggestions are greatly appreciated! If you need any output of commands or logs, I'll provide them. As I have quite some output already, I didn't add it to the post as it would be a long post.

 

Thanks!

iscsi for Linux VM

August 25, 2020, 8:29 am

≫ Next: SSL Cert installation Question

≪ Previous: Latency difference between LIFs on same port

$

0

0

Can we map iSCSI lun to Linux VM?  Pros and Cons to be taken care. 

SSL Cert installation Question

August 26, 2020, 3:10 am

≫ Next: Is it possible to add additional NICs to an ONTAP Select Node?

≪ Previous: iscsi for Linux VM

$

0

0

Hi, 

   I'm working on setting up PKI for the cluster. I have successfully installed the certificate, but I don't see the proper cert on the browser. and when I ran "security ssl show" I don't see the certificate installed there. 

 

below is what I have done so far: 

1. Ran "security certificate generate-csr ......." to generate a cert request and a private key

2. I pasted the content of step 1 to create a servername.csr file. 

3. On my windows 10 laptop, I ran "certreq -submit -attrib [ ]" to get a CA signed certificate 

4. I ran "security certificate install -vserver [cluster name] -type client

              I got the successful message 

              The certificate shows in the "security certificate show" 

However, I don't see the cert in "security ssl show" nor on the web browser.

 

Any advice would be appreciated. thank you