ONTAP Discussions

Lost Communication to Primary Filers

Harisheldon
8,876 Views

Greetings All,

 

Have a serious problem, and I will try to first give the facts:

 

FAS6240

Version 8.2.3 7-Mode

 

We lost communication with both primary filers yesterday.  It looks as if there is a authentication problem.  I am unable to log on with my elevated account, but I can log on with a local account.  If a customer reboots, they will lose connection.

 

Strange, I can access the DR filers with no issues...

 

I have rebooted the filers this morning, still unable to access the filers with elevated account via SecureCRT and NetApp OnCommand.

 

All protocols, CIFS, NFS, iSCSI, and FC/FCoE are enabled.

 

NOTE: In the CIFS windows, I have clicked on the Options TAB and went to Access Security.  The Enable SMB is NOT checked.

 

I am now receiving a email from the primary filers stating Configuration Error with the following link

https://kb.netapp.com/support/s/article/system-configuration-warning-reported-by-the-storage-system

 

We do not have NetApp support at this time due to a lapse in the contract.  We will finally get support in the next two weeks when they upgrade our systems.

 

So, does anyone have an idea what is wrong and how I can fix this?

14 REPLIES 14

JGPSHNTAP
8,794 Views

The first question I would have is are you having client access issues?

 

And when you say you can't connect to filer, are you SSH'ing into filer with your domain account?  

Harisheldon
8,783 Views

First, thanks for the quick reply.

 

To answer your questions, the only problem that the clients are having is that they cannot connect to the filers to get their data.

 

As to SSH'ing, I can do that with a local account, but not the AD account

 

James

JGPSHNTAP
8,771 Views

Ok, make sure your Date on the filer is within 5 minutes of the domain

 

Then check 

 

cifs domaininfo see if you have connected DC's.

 

 

Harisheldon
8,769 Views

Good infor.

 

Typed it in and it is showing me that the PDCBROKEN for all three DNS's

 

First decent information so far.  Now, how to fix

JGPSHNTAP
8,755 Views

if your time is within 5 minutes you need to type

 

cifs resetdc

 

if that doesn't work, you need to check the AD account to see if the machine account is messed up.

 

 

and your max skew should be set at 2m

Harisheldon
8,754 Views

IN AD, the filer names are present and accessible.

 

As to the max skew, how do I check that and also fix it?

JGPSHNTAP
8,747 Views

options timed.max_skew

 

Did you do the resetdc

Harisheldon
8,724 Views

Sorry for the delay, director was here.

 

As to the skew, it is at 30s

 

For the reset of the dc's, unless you have them available, I am googling it now

himal123
8,693 Views

Did you apply the patch  ?  latest SMB1 disable patch on windows 2008 or higher server

There is a option you have to enable,  its explicit options,  we had the same issue

 

options cifs.smb2.client.enable on

 

and do cifs dctest or resetdc

 

first wait few min and check if it picks up automatically

 

JGPSHNTAP
7,742 Views

You can try to drop from the domain and re-add, but that's your issue

Harisheldon
7,740 Views

Already tried that, was hoping that you had another way to try.

 

It is beginning to look like our higher headquarters did something to the DCs which caused this.  Just waiting on the word now.

 

Appreicate the support.  Thanks.

JGPSHNTAP
7,739 Views

Most likely, without dc's you are dead in the water.

Harisheldon
7,704 Views

Found the resolution.  When they upgraded the DCs to SMB2, SMB2 was enable on the filers, but, the line cifs.smb2.client.enable was missing.  So, I typed in options cifs.smb2.client.enable on, and within ten minutes, we were up and running.

 

Thanks for the support.

JGPSHNTAP
7,701 Views

Makes sense.. they probably shut off smb 1 for wannacry outbreak

Public