Friday, September 24, 2010

Using CHAP with EqualLogic SAN

The iSCSI connection limit was hit. Only 15 connections are allowed to one EqualLogic LUN (volume). I am not talking about the total number of iSCSI connections to the whole SAN, but to one LUN.

This can happen in a cluster of VMware vSphere servers. Seven servers, each with two connections (dual iSCSI HBAs) to a volume on the EqualLogic, make 14 connections. Adding an 8th server would make 16. EqualLogic limits the connection access by IP to 15. This cannot be fixed through a firmware upgrade.

What can you do? Use CHAP.

Setting up CHAP on the EqualLogic is simple:

1. In the Group page of the management interface, select iSCSI Connection.
2. At the lower left you will see where to add the iSCSI user.
3. Add a username and a password (the password has to be at least 12 characters).

4. In the volume's access settings, select CHAP authentication and add the user.

5. On the source (the machine you are going to connect from), set up iSCSI with CHAP authentication to the target. You will need the username and password you set up on the EqualLogic box.
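Step 5 on a Linux source running open-iscsi, as an added example that is not from the original post (the post's own sources are vSphere hosts). The target IQN, portal, user name and secret file are placeholders you supply; the function prints the `iscsiadm` commands for review instead of running them and enforces the 12-character minimum from step 3.

```shell
#!/bin/sh
# Added example: dry-run generator for open-iscsi CHAP settings (step 5).
# Assumption: a Linux initiator with open-iscsi; every argument is a
# placeholder. Only the 12-character minimum comes from the post.

MIN_SECRET_LEN=12

# chap_node_cmds TARGET_IQN PORTAL USERNAME SECRET_FILE
# Prints the commands that discover the target, enable CHAP on its node
# record and log in. Returns 1 and prints nothing on stdout if the input
# is unusable.
chap_node_cmds() {
    local target="$1" portal="$2" user="$3" secret_file="$4" secret="" node
    if [ -z "$target" ] || [ -z "$portal" ] || [ -z "$user" ]; then
        echo "usage: chap_node_cmds TARGET_IQN PORTAL USERNAME SECRET_FILE" >&2
        return 1
    fi
    if [ ! -r "$secret_file" ]; then
        echo "cannot read secret file: $secret_file" >&2
        return 1
    fi
    # First line of the file is the CHAP password; a missing trailing
    # newline is tolerated, an empty file is not.
    IFS= read -r secret < "$secret_file" || [ -n "$secret" ] || return 1
    if [ "${#secret}" -lt "$MIN_SECRET_LEN" ]; then
        echo "CHAP password must be at least $MIN_SECRET_LEN characters" >&2
        return 1
    fi
    node="iscsiadm -m node -T $target -p $portal"
    # Discovery creates the node record that the updates below modify.
    printf 'iscsiadm -m discovery -t sendtargets -p %s\n' "$portal"
    printf '%s --op=update -n node.session.auth.authmethod -v CHAP\n' "$node"
    printf '%s --op=update -n node.session.auth.username -v %s\n' "$node" "$user"
    # The password is read from the file when the line is executed, so it
    # does not end up in this output or in shell history.
    printf '%s --op=update -n node.session.auth.password -v "$(cat %s)"\n' \
        "$node" "$secret_file"
    printf '%s --login\n' "$node"
}
```

Keep the secret file readable only by root; the password is still passed to `iscsiadm` as an argument at the moment the generated line runs.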

The only perceptible gotcha that I saw using this method was that now any iSCSI source that has access to that subnet will see all available LUNs (volumes) being published. The way around it is to add a second restriction. We opted for IP range. Adding an IP range such as 192.168.10.* will act as a filter. The only sources that will see this are ones with a NIC in that range. The other option is to add the IQN identifier; we did not try that. But remember: just because you can see it does not mean you can connect to it, because you now have CHAP controlling the access.

Delco

2 comments:

Anonymous said...

Wow this is a great resource.. I’m enjoying it.. good article

Anonymous said...

Keep posting stuff like this, I really like it