Initiator tried to bypass the security phase but we cannot.

Jump to solution

Level Date Time Member Message ------ ------ ---------- ------- ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ERROR 2/1/12 2:39:10 PM member1 iSCSI login to target '10.195.1.76:3260, iqn.2001-05.com.equallogic:0-8a0906-8b5a41509-50e0000000a4d354-vss-control' from initiator '10.195.1.86:53110, iqn.1998-01.com.vmware:srb001074-311ddf52' failed for the following reason: Initiator tried to bypass the security phase but we cannot.

0 Kudos
1 Solution

Accepted Solutions

Re: Initiator tried to bypass the security phase but we cannot.

Jump to solution

This is a very common issue.  The vss-control volume is used by Microsoft.  When the array was set up a CHAP user ACL was assigned to it.  

Vmware iSCSI logic believes that any discoverable volume can also be logged into.   However, since ESX isn't configured with that CHAP username password the iSCSI login fails.  It's trying to bypass the CHAP username / password, hence the "Security phase" error message.  

In the EQL GUI, there's a checkbox under iSCSI tab, called "Discovery Filter"    The will prevent CHAP volumes from being discoverable in the future.

Bad news is after setting that checkbox, you'll have to reboot your ESX servers to prevent them from continuing to try to log into that volume.   You can try going to Configuration->Storage Adapters->SW iSCSI adapter->Properties->Static Discovery and remove the vss-control volume from the list of discovered targets.   That might work.  A reboot after setting the filter definitely will.

Regards,

Social Media and Community Professional
#IWork4Dell
Get Support on Twitter - @dellcarespro

4 Replies

Re: Initiator tried to bypass the security phase but we cannot.

Jump to solution

This is a very common issue.  The vss-control volume is used by Microsoft.  When the array was set up a CHAP user ACL was assigned to it.  

Vmware iSCSI logic believes that any discoverable volume can also be logged into.   However, since ESX isn't configured with that CHAP username password the iSCSI login fails.  It's trying to bypass the CHAP username / password, hence the "Security phase" error message.  

In the EQL GUI, there's a checkbox under iSCSI tab, called "Discovery Filter"    The will prevent CHAP volumes from being discoverable in the future.

Bad news is after setting that checkbox, you'll have to reboot your ESX servers to prevent them from continuing to try to log into that volume.   You can try going to Configuration->Storage Adapters->SW iSCSI adapter->Properties->Static Discovery and remove the vss-control volume from the list of discovered targets.   That might work.  A reboot after setting the filter definitely will.

Regards,

Social Media and Community Professional
#IWork4Dell
Get Support on Twitter - @dellcarespro

Mattrst
1 Copper

Re: Initiator tried to bypass the security phase but we cannot.

Jump to solution

Good advice dwilliam

Re: Initiator tried to bypass the security phase but we cannot.

Jump to solution

Thank you, dwilliam, Our VM are already running. We just disabled the CHAP user in VDS/VSS Control list in the Group Configuration. All are fine, VM host now can handshake with the EqualLogic. But is it ok VDS/VSS management access to the group to be unrestricted?

0 Kudos

Re: Initiator tried to bypass the security phase but we cannot.

Jump to solution

It's better if only Windows servers have access to that control volume.  it's an odd size and not writable, which some OS have issue with.  I.e. if you tried to format it you would get an error.   In older versions of ESX it caused trouble.

Before you next reboot your ESX servers, say as part of a patch install,  remove any ACLs on the VSS/VDS volume and only allow access to windows servers as needed.

Social Media and Community Professional
#IWork4Dell
Get Support on Twitter - @dellcarespro

0 Kudos