Re: Failed to connect to cluster node

HenkJ_Snel · ‎2018-02-12

Hi,

I've a problem to connect to a cluster-node (ontap 83.2P1):

12:37:30.792 INFO [Create volume] ### Command 'Create volume' in 'POWER_SHELL' ###
12:38:02.199 INFO [Create volume] Get-WfaCredentials -Host xxx.xxx.xx.xx
12:38:02.230 INFO [Create volume] Credentials successfully provided for 'xxx.xxx.xx.xx'
12:38:02.246 INFO [Create volume] Connect-Controller -Type CLUSTER -Name xxx.xxx.xx.xx -Credential System.Management.Automation.PSCredential -Vserver
12:38:02.277 INFO [Create volume] Credentials successfully provided for xxx.xxx.xx.xx
12:38:02.324 INFO [Create volume] Connect-NcController (with credentials) -Name xxx.xxx.xx.xx -Timeout 60000 -ErrorAction Stop -Port 443 -SSLVersion TLSv1.2
12:38:02.558 ERROR [Create volume] Failed to connect to cluster node: xxx.xxx.xx.xx
12:38:02.668 ERROR [Create volume] Command failed for Workflow 'Dictu - FCP LUN: Create HP-UX (ONTAP 8.3)' with error : Failed to connect to cluster node: xxx.xxx.xx.xx.
12:38:02.668 INFO [Create volume] ***** Workflow Execution Failed *****

We are running WFA 4.2 (RC1).

It looks like that the cluster-node does not suppor TLSv1.2.

Does anybody know how to fix this problem?

Thanks.

Henk Snel

sundarea · ‎2018-02-12

Hi Henk Snel,

As part of security fix now the connections are only through TLS,

to solve this issue Either upgrade to new Ontap which has TLS or try using Perl instead of Powershell.

All the Ontap 9.0 will support TLS

Regards,

Sundar

yannb · ‎2018-02-12

What is the output of "system services web show" and "system services web node show" ?

HenkJ_Snel · ‎2018-02-12

xxxxxx::> system services web node show

Total Total

Node External HTTP Port HTTPs Port Status HTTP Requests Bytes Served

------------- -------- --------- ---------- -------- ------------- ------------

xxxxxx-01 true 80 443 online 6135 414543673

xxxxxx-02 true 80 443 online 17 11630

2 entries were displayed.

xxxxxx::> system services web show

External Web Services: true

Status: online

HTTP Protocol Port: 80

HTTPs Protocol Port: 443

TLSv1 Enabled: true

SSLv3 Enabled: false

SSL FIPS 140-2 Enabled: false

sinhaa · ‎2018-02-12

@HenkJ_Snel

The error is caused due to attempt to use TLSv1.2 needed by ONTAP 9.X FIPS enabled systems. But the part that got missed is that the old ONTAP 8.X like yours do not support TLSv1.2 and hence will fail to connect.

This is a regression is identified in WFA4.2RC1 and will be fixed in GA.

Now you can fix it yourself too:

1. Go to WFA\PoSH\Modules\WFAWrapper and Open the file WFAWrapper.psm1 for edit.

2. Find the line: $SSLversion = "TLSv1.2"

3. Modify it to : $SSLversion = "TLSv1"

4. Save.

5. Done. No need to restart any services.

Re-try your command/workflows, it will work.

sinhaa

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

HenkJ_Snel · ‎2018-02-12

Hi Sinhaa,

Thanks for your help. Unfortunately, now I am facing another error:

07:32:35.333 INFO [Modify Volume Efficiency] ### Command 'Modify Volume Efficiency' in 'POWER_SHELL' ###
07:33:06.630 INFO [Modify Volume Efficiency] Using cached cluster connection
07:33:06.677 INFO [Modify Volume Efficiency] Enabling volume efficiency: Set-NcSis -ErrorAction Stop -Name V_hpux_dictu_p_5536_002 -VserverContext fv102943 -Policy default
07:33:10.990 INFO [Modify Volume Efficiency] Updating existing volume efficiency: Set-NcSis -ErrorAction Stop -Name V_hpux_dictu_p_5536_002 -VserverContext fv102943 -Policy default
07:33:11.052 ERROR [Modify Volume Efficiency] Failed to update existing volume efficiency: V_hpux_dictu_p_5536_002. Message: Connection to xxx.xxx.xx using HTTPS failed - The request was aborted: Could not create SSL/TLS secure channel.
The error may be resolved by generating a new certificate on the storage controller, with a longer key length.
07:33:11.318 ERROR [Modify Volume Efficiency] Command failed for Workflow 'Dictu - FCP LUN: Create HP-UX (ONTAP 8.3)' with error : Connection to xxx.xxx.xx.xx using HTTPS failed - The request was aborted: Could not create SSL/TLS secure channel.
The error may be resolved by generating a new certificate on the storage controller, with a longer key length.
07:33:11.318 INFO [Modify Volume Efficiency] ***** Workflow Execution Failed *****

The command recommends to create a new certificate with a longer key lenght. The current certificate was created with a key lenght of 2048 bits.

Do we really to create a new certificate with a longer key lenght?

sinhaa · ‎2018-02-12

@HenkJ_Snel

I think connection cache is cauing this. Can you try the below.

1. go to \WFA\jboss\standalone\tmp\wfa\controllers_cache

2. And delete all the files present there.

3. Retry your command.

sinhaa

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

HenkJ_Snel · ‎2018-02-13

Hi Sinhaa,

I deleted all the files as per your request. I restarted the WFA services for sure. But the previous error comes up again.

Connection to 10.54.16.35 using HTTPS failed - The request was aborted: Could not create SSL/TLS secure channel.
The error may be resolved by generating a new certificate on the storage controller, with a longer key length. Location: Row '1' step 'Modify Volume Efficiency'.

HenkJ_Snel · ‎2018-02-13

Hi Sinhaa,

Do you happen to know when 4.2 (GA) will be available?