I am re-installing (wipeconfig, new software first, yada, yada) an AFF-A300 nodes and hit something new.   I exit out of the setup at the (join / create) and turn on cdp (system node run -node localhost -command options cdpd.enable on) to validate as-built cabling matches expected/design.  The two AFF A300 nodes are showing lldp entries from three different cisco devices, but not any cdp entries for any device.   AFF-A300 running 9.14.1P5 (chosen to match FAS8200 cluster it will be eventually joining.)  The destination cluster pair of FAS8200s are connected to the c2921(light out management) and N5K data switches, and are receiving/sending CDP advertisements without issues.  So, all roads point to AFFs/ONATP as culprit.    Yes, each AFF can ping the cluster LIFs of the other node, both nodes rebooted. It may be that nodes must be fully baked into a cluster before cdp actually works? It may be something with this version and patch of ONTAP as fresh install, so OS change? No technical case opened, yet, sharing the love first. Will update when solved.   [Names and MAC Addr changed to protect the innocent until proven guilty] ::> network device-discovery show -fields protocol node      protocol port discovered-device                        interface --------- -------- ---- ---------------------------------------- --------- localhost lldp     e0M  "c2921 (94:d4:69:00:00:00)"              Fa0/7 localhost lldp     e0a  "N9K-C9336C-FX2-01 (7c:ad:00:00:00:00)"  Ethernet1/1/2 localhost lldp     e0b  "N9K-C9336C-FX2-02 (a0:b4:00:00:00:00)"  Ethernet1/1/2 localhost lldp     e0e  "N5K-C5672UP-01 (00:2a:6a:00:00:00)"     Eth1/13 localhost lldp     e0f  "N5K-C5672UP-02 (8c:60:4f:00:00:00)"     Eth1/12 localhost lldp     e0g  "N5K-C5672UP-02 (8c:60:4f:00:00:00)"     Eth1/14 localhost lldp     e0h  "N5K-C5672UP-01 (00:2a:6a:00:00:00)"     Eth1/14 localhost lldp     e1a  "N9K-C9336C-FX2-02 (a0:b4:00:00:00:00)"  Ethernet1/2/2 localhost lldp     e1b  "N9K-C9336C-FX2-01 (7c:ad:00:00:00:00)"  Ethernet1/2/2   ::> ::> system node run -node localhost -command options cdpd cdpd.enable                  on         (value might be overwritten in takeover) cdpd.holdtime                180        (value might be overwritten in takeover) cdpd.interval                60         (value might be overwritten in takeover)   ::> system node run -node localhost -command options lldp lldp.enable                  on         (value might be overwritten in takeover) lldp.xmit.hold               4          (value might be overwritten in takeover) lldp.xmit.interval           30         (value might be overwritten in takeover)   ::> ::> system node run -node localhost -command cdpd show-stats RECEIVE  Packets:             0  | Csum Errors:         0  | Unsupported Vers:    0  Invalid length:      0  | Malformed:           0  | Mem alloc fails:     0  Missing TLVs:        0  | Cache overflow:      0  | Received Own Adv:    0  Other errors:        0  | Unknown TLV:         0  | Ejected entries:     0  Eject failed:        0  | Bad Value:           0  | Hidden Port Drop:    0   TRANSMIT  Packets:             0  | Xmit fails:          0  | No hostname:         0  Packet truncated:    0  | Truncate fails:      0  | Mem alloc fails:     0  Other errors:        0   OTHER  Init failures:       0   ::> system node run -node localhost -command lldp stats RECEIVE  Total frames:     6115  | Accepted frames:  6115  | Total drops:         0 TRANSMIT  Total frames:     3331  | Total failures:      0 OTHER  Stored entries:       9   ::>   ----- N9K-C9336C-FX2-01# sh cdp interface Eth1/1/1 Ethernet1/1/1 is up     CDP enabled globally     CDP enabled on interface     Refresh time is 5 seconds     Hold time is 180 seconds N9K-C9336C-FX2-01# sh cdp neighbors interface Eth1/1/1 Note: CDP Neighbor entry not found   N9K-C9336C-FX2-01# N9K-C9336C-FX2-01# sh lldp neigh  interface Eth1/1/1 Capability codes:   (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device   (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other Device ID            Local Intf      Hold-time  Capability  Port ID 00a0.0000.0000       Eth1/1/1        121        S           e0a Total entries displayed: 1 N9K-C9336C-FX2-01# ---- ... View more

I am having problems restricting kerberized NFS to use only AES encryption. We had kerberized NFS running until the other encryptions were blocked at the KDC. Context: FAS2720 Filer Ontap 9.8P18 KDC is Microsoft AD (I only have permissions im my OU)   I used Microsoft ktpass to create a keytab for my nfs SPN account and used that as -keytab-uri parameter for kerberos interface enable (using admin-username and admin-password failed).   Now I cannot mount volumes that are restricted to kerberos and when I try the event log tells me [ 0] FAILURE: Failed to accept the context: Unspecified GSS failure. Minor code may provide more information (minor: Key table entry not found).   Packet capture shows a NFS V3 NULL call using an apparently correct kerberos ticket, with a reply that has a GSS major/minor status  851968/2529639093, that is consistent with that error. (Client principal is the client host in that exchange). However I cannot understand why the key table entry cannot be found.   I have checked that  the nfs SPN matches in the keytab, the keyblock shown by the ontap CLI, the AD machine entry and the captured packets (also checked the letter case) the kvno also matches here the encryption type (18) and the key match in the keytab and the keyblock, and the key can decrypt the encrypted parts of the packets in wireshark   I also checked that aes-256 and aes-128 are permitted-enc-types in vserver nfs show, and that these encryption types are enabled in the AD for both the NFS Server account and the client host account that users can obtain service tickets for the nfs server using kvno   Any Ideas?   ... View more