ONTAP Discussions
Hi,
Can somebody explain how the vscan routing works? How is the LIF used for the connection chosen?
For some reason the 10.160.128.142 AV server is using wrong public lif to connect to the second SVM.
vscan connection-status show-connected -instance
Node: XXX-np01-02
Vserver: XXX-sp170001
Server: 10.160.128.142
Vscan Server Vendor: mcafee virusscan enterprise for storage
Vscan Server Version: 0.0
Privileged User Used for Connection: EUNET\XXX
Time When Vscan Server Was Connected: 8/23/2017 09:31:28
Server Type: primary
Vserver LIF Used for Connection: 10.160.128.144 (vscan lif)
Node: XXX-np01-02
Vserver: XXX-sp170002
Server: 10.160.128.142
Vscan Server Vendor: mcafee virusscan enterprise for storage
Vscan Server Version: 0.0
Privileged User Used for Connection: EUNET\XXX
Time When Vscan Server Was Connected: 8/23/2017 09:31:53
Server Type: primary
Vserver LIF Used for Connection: 10.160.128.11 (public lif)
route show
Vserver Destination Gateway Metric
------------------- --------------- --------------- ------
XXX-np01
0.0.0.0/0 10.160.129.1 26
0.0.0.0/0 10.160.129.129 20
XXX-sp170001
0.0.0.0/0 10.160.128.1 20
0.0.0.0/0 10.160.128.129 25
XXX-sp170002
0.0.0.0/0 10.160.128.1 20
0.0.0.0/0 10.160.128.129 25
Thanks & Regards,
Jakub
It will grab a data LIF that is CIFS enabled and that can reach the vscan server. Best practice is to create a separate network from the data access network, just to be used for vscan.
Thanks for the reply.
CIFS is enabled on all vscan interfaces.
The problem is that it is switching on a random basis to the public LIF (e.g. when I do vscan disable/enable).
Hence, I would like to understand the mechanism. It seems that it is not using Metric, because with the current setting it would always pick public LIFs.
It won't hit the route table at all, as the LIF is in the same network. No need for a gateway.
Do you have the netmask incorrect? Looks like it should be /25.
Post this if you can, curious now.
net int show -address 10.160.128.11|10.160.128.144 -instance
Hi J_curl,
The masks are Ok. Also, both IP ranges are in different VLANs.
XXXXXX-np01::> net int show -address 10.160.128.11|10.160.128.144 -instance
(network interface show)
Vserver Name: XXXXXX-sp170001
Logical Interface Name: vscan_sp170001
Role: data
Data Protocol: cifs
Home Node: XXXXXX-np01-02
Home Port: a0a-403
Current Node: XXXXXX-np01-02
Current Port: a0a-403
Operational Status: up
Extended Status: -
Is Home: true
Network Address: 10.160.128.144
Netmask: 255.255.255.128
Bits in the Netmask: 25
Subnet Name: vscan_403
Administrative Status: up
Failover Policy: broadcast-domain-wide
Firewall Policy: mgmt
Auto Revert: false
Fully Qualified DNS Zone Name: none
DNS Query Listen Enable: false
Failover Group Name: vscan_403
FCP WWPN: -
Address family: ipv4
Comment: -
IPspace of LIF: Default
Is Dynamic DNS Update Enabled?: true
Vserver Name: XXXXXX-sp170002
Logical Interface Name: public_sp170002
Role: data
Data Protocol: nfs, cifs
Home Node: XXXXXX-np01-02
Home Port: a0a-402
Current Node: XXXXXX-np01-02
Current Port: a0a-402
Operational Status: up
Extended Status: -
Is Home: true
Network Address: 10.160.128.11
Netmask: 255.255.255.128
Bits in the Netmask: 25
Subnet Name: public_402
Administrative Status: up
Failover Policy: system-defined
Firewall Policy: data1
Auto Revert: false
Fully Qualified DNS Zone Name: none
DNS Query Listen Enable: false
Failover Group Name: public_402
FCP WWPN: -
Address family: ipv4
Comment: -
IPspace of LIF: Default
Is Dynamic DNS Update Enabled?: false
2 entries were displayed.
Very interesting. Is the subnet mask correct on the vscan server?
Does the vscan server have a default route specified for its 10.160.128.142 interface? Is that interface in the same VLAN?
Remove the default routes for the vscan network on the NetApp, and also remove the gateway for the .142 interface on the server.
The server is in the same VLAN as the NAS. They can see each other, as sometimes it switches to the proper LIF and everything works fine.
It has only 1 interface with the following routing configured. I'm afraid I won't be able to log in to the server anymore if I remove the default gateway.
Regards,
Jakub
C:\Users\adm_b>route print
===========================================================================
Interface List
13...00 50 56 a5 6f ba ......vmxnet3 Ethernet Adapter
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.160.128.129 10.160.128.141 261
10.160.128.128 255.255.255.128 On-link 10.160.128.141 261
10.160.128.141 255.255.255.255 On-link 10.160.128.141 261
10.160.128.255 255.255.255.255 On-link 10.160.128.141 261
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.160.128.141 261
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.160.128.141 261
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 10.160.128.129 Default
Routing of the second server:
C:\Users\adm_b>route print
===========================================================================
Interface List
14...00 50 56 a5 a8 f9 ......vmxnet3 Ethernet Adapter
1...........................Software Loopback Interface 1
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.160.128.129 10.160.128.142 261
10.160.128.128 255.255.255.128 On-link 10.160.128.142 261
10.160.128.142 255.255.255.255 On-link 10.160.128.142 261
10.160.128.255 255.255.255.255 On-link 10.160.128.142 261
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.160.128.142 261
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.160.128.142 261
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 10.160.128.129 Default
The vscan servers only have the single IP, so no need to change anything there. Those should be fine as they are.
I would be curious to see if it works if you delete the route to .129 for the vserver, as well as remove the gateway from the vscan_403 subnet. I think one of those is causing this. Just a theory though.
You may have to toggle vscan off/on after the change.
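
Added example, not part of the thread and not NetApp code: a small Python check that parses `vscan connection-status show-connected -instance` output in the field layout posted above and flags any connection whose "Vserver LIF Used for Connection" is outside the scanner's own subnet, so scan traffic that has drifted onto a routed public LIF is noticed. The sample text is constructed from the values in the thread, and the /25 prefix is an assumption taken from the netmask 255.255.255.128 shown there.

```python
import ipaddress
import re

# Constructed sample: a subset of the fields shown in the thread's output.
SAMPLE = """\
Node: XXX-np01-02
Vserver: XXX-sp170001
Server: 10.160.128.142
Time When Vscan Server Was Connected: 8/23/2017 09:31:28
Vserver LIF Used for Connection: 10.160.128.144 (vscan lif)
Node: XXX-np01-02
Vserver: XXX-sp170002
Server: 10.160.128.142
Time When Vscan Server Was Connected: 8/23/2017 09:31:53
Vserver LIF Used for Connection: 10.160.128.11 (public lif)
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_connections(text):
    """Return one dict per connection; a 'Node' line starts a new record."""
    records = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Node":
            records.append({})
        if records:
            records[-1][key] = value
    return records


def off_subnet_lifs(text, prefix_len=25):
    """List (vserver, lif_ip, scanner_subnet) where the LIF is not on-link
    for the scanner. prefix_len is an assumption (the thread's /25 mask)."""
    findings = []
    for rec in parse_connections(text):
        subnet = ipaddress.ip_network(f"{rec['Server']}/{prefix_len}", strict=False)
        # The poster appended notes such as "(public lif)"; keep only the address.
        lif_ip = IPV4.search(rec["Vserver LIF Used for Connection"]).group()
        if ipaddress.ip_address(lif_ip) not in subnet:
            findings.append((rec["Vserver"], lif_ip, str(subnet)))
    return findings


if __name__ == "__main__":
    for vserver, lif_ip, subnet in off_subnet_lifs(SAMPLE):
        print(f"{vserver}: scanner connected via {lif_ip}, outside {subnet}")
```

On the thread's data this flags only XXX-sp170002: 10.160.128.11 sits in 10.160.128.0/25, so the scanner at .142 can reach it only through its default gateway 10.160.128.129.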