Solved: Reason: Node "XXX" failed to allocate encryption resources. Please retry later or reboot...

sc-jre · ‎2020-08-17

We are using NetApp 9.4 and would like to enable encryption at rest. After running the following command successfully:

security key-manager setup

We are presented with the following error when trying to either create a new or convert an existing volume with encryption enabled.

Reason: Node "XXX" failed to allocate encryption resources. Please retry later or reboot the node

The documentation does not mention that a reboot may be required. Is there something we have missed or is there another problem. Previous posts on the forum suggest that rebooting the nodes will work. I am also not sure what the impact would be of rebooting one of our 2 nodes. Will the client have to reconnect ?

Any guidance on this issue is much appreciated.

PS: The support site seems to be down so I wasn't able to raise a support case for this.

sc-jre · ‎2020-08-20

After waiting for several hours the command completed successfully. We are still not quite sure what the root cause was or what changed to allow the command to complete successfully. In any case for now this has been resolved by waiting for 6 hours. We did try to run the command 1 and 2 hours afterwards the initial setup, but it still failed with the same error.

View solution in original post

TMACMD · ‎2020-08-17

The answer is right there....reboot the node.

sc-jre · ‎2020-08-17

Before just going to reboot the node I want to understand the impact. Will I need to shut down any clients before rebooting the nodes? Should I reboot one node at a time ?

TMACMD · ‎2020-08-18

You do this:

Make sure that auto-giveback is enabled
storage failover modify -auto-giveback true -node *

Then perform Takeover/giveback both ways

storage failover takeover -ofnode <node1>

Node 1 will reboot and auto-giveback.

Wait for <node1> to be online for at least 8 minutes. Then go the other way

storage failover takeover -ofnode <node2>

Node 2 will reboot and auto-giveback.

If set up properly, any SAN connection will survive and so will NFS v3 and any CIFS SMB v3.0 continuously-available shares

When using stateful protocols like NFSv4 and any other CIFS, it usually just works and the connection just needs to re-establish.

paul_stejskal · ‎2020-08-18

What problem are you having with the Support site? If you need to raise a case, you can always call in. 1-888-4NETAPP is the USA number you can call.

manistorage · ‎2020-08-19

Hi,

Reboot is not required to setup, external encryption server. looking at the message we need to check if the controllers can talk to the external key server.

Run - cfiler01::*> security key-manager external show-status -- validate the communication to the key manger server.

can you also look for the error in EMS log.

Regards,

Mani

TMACMD · ‎2020-08-19

There are cases, especially in earlier releases like 9.4 where a reboot is sometimes required. I have personally hit this myself and rebooting each node absolutely fixed it and enabled encryption.

this does not seem to be much of an issue with 9.5 and higher

sc-jre · ‎2020-08-20

After waiting for several hours the command completed successfully. We are still not quite sure what the root cause was or what changed to allow the command to complete successfully. In any case for now this has been resolved by waiting for 6 hours. We did try to run the command 1 and 2 hours afterwards the initial setup, but it still failed with the same error.