Solved: multiple ip cifs connection

tuncay · ‎2018-03-22

Hi,

Customer has multiple ip adress and vlan in their svm just one of them can reach ad server and dns. Client using other lifs to connect cifs shares but sometimes cifs connections droping.

My quesiton is, the other lifs which can not reach ad and dns is causing this problem or not ? When I check logs it says this ip adress (other lifs) can not reach this dns and adress secd.conn.auth.failure.

Thanks,

Tuncay

GidonMarcus · ‎2018-03-22

hi

Your current AD and DNS connectivity:

the current routing causes all the outgoing traffic from the NAS SVM on node "ntap_cluster_krt-01" to go via interface "svm_krt_nas_ad".and can go via "svm_krt_nas_154"

all the other nodes cannot access the AD and DNS at the moment

i suspect that node "Ntap9000-KRT-01" managed to initiate an AD connectivity when LIF "svm_krt_dmz_lif3" was at home and up. currently it's on a port and node that not allowing it to be up. maybe that's how you started to notice that something is funny and if you would revert it to home it will all start to "work" again. you can use the interface revert command if you like to try and fix it. but i can't take responsibility on this. - do at your own risk.

for the actual config:

in a nutshell - you would need to rebuild everything around the network config (mainly to add stuff. but may gain something from removing some as well).

the reason is that your current routing very depanded on fastpath, a feature that is discontinued. https://whyistheinternetbroken.wordpress.com/2018/02/16/ipfastpath-ontap92/

iv'e started to look on each of your current use cases and routes - but they are just wrong, a workaround on top of a workaround.... with effectively only one currently valid (and another one if you sort #2 above) .

So let me put some end-goals when you re-design it:

all nodes hosting LIFS that use to access CIFS or other protocols that need NTP/DNS would need to have connectivity to AD - e.g add more dedicated LIFS for AD. or just start using the NAS LIFS for it - to keep it scalable..

the AD sites and subnet needs to be amended to include the filer subnet. or a preferred DC need to be set via "vserver cifs domain preferred-dc" command.

the routing need rebuild in a way that allow communication back without a dependency on fast-path. the way i see it you would likely going to end up with:

A static route or multiple ones for the 192.168.0.0/16.range

if adding new AD LIFS. so add static routes for the DNS and AD on 10.200.120.0/24 + 10.210.154.0/24 (with setting these as pref DC)

A default route for the NAS LIFs to 10.210.224.1

i don't have real visibility of the network, and some engagement with the network admins in the organization will be required. - you would need to fully understand the client connectivity with them. and make sure you route everything optimally.

All LIFs failover group need to be set correctly via a group or broadcast domains. so you don't end up with LIF migrated to a port it can't live in.

Gidi

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

View solution in original post

GidonMarcus · ‎2018-03-22

it could be both. AD and DNS having issues....

let's see what the routing look like. and then we can go furter and see you have the correct firewall rules open for the correct interface by KB:

https://kb.netapp.com/app/answers/answer_view/a_id/1030571/loc/en_US

can you print the following please?

dns show -fields name-servers -vserver <SVM name>

cifs domain discovered-servers show -vserver <SVM name> # can remove everything that is not the address. and preference

network interface show -vserver <SVM name>

network route show -vserver <SVM name>

network connections active show -Print-ip-addresses -vserver <SVM name>

Gidi

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

tuncay · ‎2018-03-22

Hi GidonMarcus,

I attached the output, you can check.

Thanks,

Tuncay

GidonMarcus · ‎2018-03-22

hi

Your current AD and DNS connectivity:

the current routing causes all the outgoing traffic from the NAS SVM on node "ntap_cluster_krt-01" to go via interface "svm_krt_nas_ad".and can go via "svm_krt_nas_154"

all the other nodes cannot access the AD and DNS at the moment

i suspect that node "Ntap9000-KRT-01" managed to initiate an AD connectivity when LIF "svm_krt_dmz_lif3" was at home and up. currently it's on a port and node that not allowing it to be up. maybe that's how you started to notice that something is funny and if you would revert it to home it will all start to "work" again. you can use the interface revert command if you like to try and fix it. but i can't take responsibility on this. - do at your own risk.

for the actual config:

in a nutshell - you would need to rebuild everything around the network config (mainly to add stuff. but may gain something from removing some as well).

the reason is that your current routing very depanded on fastpath, a feature that is discontinued. https://whyistheinternetbroken.wordpress.com/2018/02/16/ipfastpath-ontap92/

iv'e started to look on each of your current use cases and routes - but they are just wrong, a workaround on top of a workaround.... with effectively only one currently valid (and another one if you sort #2 above) .

So let me put some end-goals when you re-design it:

all nodes hosting LIFS that use to access CIFS or other protocols that need NTP/DNS would need to have connectivity to AD - e.g add more dedicated LIFS for AD. or just start using the NAS LIFS for it - to keep it scalable..

the AD sites and subnet needs to be amended to include the filer subnet. or a preferred DC need to be set via "vserver cifs domain preferred-dc" command.

the routing need rebuild in a way that allow communication back without a dependency on fast-path. the way i see it you would likely going to end up with:

A static route or multiple ones for the 192.168.0.0/16.range

if adding new AD LIFS. so add static routes for the DNS and AD on 10.200.120.0/24 + 10.210.154.0/24 (with setting these as pref DC)

A default route for the NAS LIFs to 10.210.224.1

i don't have real visibility of the network, and some engagement with the network admins in the organization will be required. - you would need to fully understand the client connectivity with them. and make sure you route everything optimally.

All LIFs failover group need to be set correctly via a group or broadcast domains. so you don't end up with LIF migrated to a port it can't live in.

Gidi

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

tuncay · ‎2018-03-22

Thanksso much for your reply,

I will modify the routes asap.

I have just one question

Question is you said "

all nodes hosting LIFS that use to access CIFS or other protocols that need NTP/DNS would need to have connectivity to AD - e.g add more dedicated LIFS for AD. or just start using the NAS LIFS for it - to keep it scalable.."

if client lif can not connect ad or dns, is it trying just home node other lifs to connect ad or dns?

Thanks,

Tuncay

GidonMarcus · ‎2018-03-23

Hi.

each node is independent in the AD connection. if it can't reach AD locally (via the available LIFs and routing) it will deny the client request.

the SVM will not attempt to authenticate or serve the client via another node.

however - if you have some load balancing across the LIFs (like DNS round robin. DNS load balancing. or actual load balancer) the client may try to reconnect i assume and may hit different node.

Gidi.

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

tuncay · ‎2018-03-25

Hi Gidi,

Thanks for your detailed investigation, I opened a case from Netapp about this issue but you solved before they ask any question.

Like you said after we create ad lif for all nodes, problem solved.

Now we are going to fixed our routing problem.

Thanks again.

Tuncay