Dell iDRAC 6 Remote Console Connection Failed
I recently had the honor of fixing a really annoying issue with the iDRAC on rather old DELL hardware: R710 servers that are still pulling their weight. They have been upgraded to the latest firmware, naturally, and DELL allows anyone access to those updates without the need for a support contract (happy users/customers). You can perfectly well configure Java site exceptions and use Firefox or Chrome to connect to it (IE is a different story: you can connect, but the view is messed up). Anyway, the browser isn’t the big issue. The problem was that the Dell iDRAC 6 remote console connection failed consistently at the very last moment with “Connection Failed”.
Note: are you nuts?
Yes, I like 25/50/100Gbps RDMA, S2D, All Flash etc. I do live the vanguard life on the bleeding edge, but part of that is finding solutions that fit the environment. In this case, they have multiple spare servers and extra disks on top of the ones they use in the lab or even in production. So even when a server or a component fails, they can use those to fix it. They have the hands-on and savvy staff members to do that. No problem. This is not an organization driven by fear of risk and responsibility but by results and effective TCO/ROI. They know very well what they can handle and what not. On top of that, they know very well which of the IT sector’s sales and marketing promises/predictions are FUD and which are reality. This means they can make decisions that optimize for their needs and deliver real results.
Leveraging old hardware does mean that sometimes you’ll run into silly but annoying issues, like older DRAC cards with modern client operating systems, browsers and recent Java versions.
Most tricks to get those to work together can be found online, but sometimes even those fail. First of all, make sure all network requirements are in order (ports, firewall etc.), and on top of that:
- Upgrade the DRAC firmware to the latest v2.85
- Add DRAC IP into the Java Exception List.
- Change Java Network Setting from Browser to Direct Connect
- Hack the Java config files
- Disable Encrypted Video on the DRAC
- Reset the DRAC
- On top of this you can run an older version of the browser and Java, but at a certain point this becomes a silly option. You see, at a given moment the entire stack has moved ahead, and one trick like running an old version of Java won’t do it anymore. Keeping a VM around that’s at a 10-year-old tech/version level is a pain.
The missing piece for me: generate & upload SHA256 certs
So let me share with you the extra step that got the remote console of the DELL R710 iDRAC to work with the most recent version of Java, Windows 10 and the latest and greatest Firefox browser at the time of writing.
The trick that finally did it is to generate a CSR on the DRAC while you are connected to it. You see, many people never upload their own certs and if they did, it might have been many years ago. Those old SHA1 certs are frowned upon by modern browsers and Java.
Open the CSR file, copy the content and submit it to a PKI you have or a free one online like getacert.com. Just fill out some random info in the request and you’ll get a SHA256 cert for download immediately that is “valid” for a couple of months. Enough for testing or getting out of a pickle. Your own corporate CA will do better for long-term needs.
On top of that you’ll need to reset the DRAC card and give it a few minutes.
Reconnect to the DRAC. After that, without fail, we could connect to the remote console on all R710 servers, where before we kept getting the dreaded “Connection Failed” error.
That’s it! Good luck.
I took the “keep an old VM around” approach for our iDRAC6 and iDRAC5 systems. (Yes, iDRAC5!) It has IE8 on it. So, I can do what I need without worrying about Java.
Yeah, I just got tired of keeping them around so for now I’m trying to fix things so they work, with darn good success so far 🙂
Your suggestion didn’t work for me. It was confusing because I didn’t have an issue with other servers of the same kind. I was able to work around this using IE8 and java7.
I had some where I didn’t even need this, but it did fix it for me on those that seemed lost (about 6 servers out of 10). It was worth a try at least.
MY GOD, THANK YOU….thank you, thank you.
I’m happy it helped somebody out. Thx for reading.
Hi, what do I do with the cert after? It’s not in your instructions.
Import it to the DRAC module for use via “upload server certificate”
This worked for me. Thanks!
Happy to hear that!
Thank you, this worked like a charm!
Did this and uploaded to the DRAC and instantly lost connection to it.
Now can’t even log back in to it at all.
Means a trip to the data centre to reset everything.
That can always happen. But the reset might have happened, so give it 10 minutes and try again before traveling to the datacenter.
Sadly this did not work for me and I’ve gone through the other steps. Was fine until I “upgraded” to 8 171 java. I’m glad servers are starting to move to html5 but I wish there could be some retroactive updates to iDracs through firmware but not sure if it’s possible. Our Lenovo x3850 x6 were java and a firmware update switched them to html 5 so it might be. Things like this really turn me off Java.
I agree. The pace of abandonment of iDRAC has been disappointing. I keep a Server 2008 VM around that has IE 8 on it so I can connect to my iDRAC5 and iDRAC6 systems using IE.
I ended up having to find and install JRE 7.0.6 into a Windows 7 VM, and to my surprise it actually works. Kind of annoying having to go this route, though.
I think there are some steps missing.
When I try to upload the new server certificate (first step that’s missing), iDrac throws an error “Upload failed, can’t validate”.
I did import the getacert certificate to the Windows certificate store (both “This Uses” and “Local Computer”), but that didn’t help.
Well shucks…this fix didn’t work for me for DRAC 6 (and I was sure it would, too :/ ) That said, it did work to log into an updated version of Cisco’s Call Manager so THANK YOU so much for sharing this!
Happy to hear it worked for something!
I’ve found RC4 to be the issue with iDRAC 6. Updated Java versions disable it so you have to enable it by removing it from the jdk.tls.disabledAlgorithms section in the java.security file. This worked for me on a R610 with iDRAC 2.91 and Java 8 U181.
just ran into this – and re-enabling RC4 did the trick for me! And that’s the only thing I changed beyond adding the host URL to the java exception list (due to self-signed certs). Am running java (build 1.8.0_181-b13) on Windows 2012 R2.
THANK YOU! Have been banging my head against a brick wall until your comment.
Using JRE1.8.0_181 I only had to remove RC4 algorithm in the file java.security at the line beginning with jdk.tls.disabledAlgorithms
Yeah, most of the time it used to. This was one way to get it to work on the R710 at that moment, as that trick wasn’t enough. Now I have no gen11 left, nowhere; with Gen12 all OK so far. DRAC kept up to date, that’s all.
Unfortunately, this didn’t work for me :-(.
Thanks for the tutorial though.
Worked for me (with the disable RC4 comment). Windows 10 1903, Firefox 69. Thanks so much!
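Several comments above report removing RC4 from jdk.tls.disabledAlgorithms in java.security. The following added example (not part of the original post or comments) audits a java.security file and reports which required entries are missing from that property, so a workstation edited this way can be found and tracked. The function names and both sample files are constructed for illustration, and names are compared case-insensitively here as a choice of this example.

```python
import re

def read_property(text, key):
    """Return the value of `key` from java.security-style text, or None.
    Handles '#'/'!' comment lines and backslash line continuations."""
    value, logical, continuing = None, "", False
    for raw in text.splitlines():
        line = raw.lstrip()
        if not continuing and (not line or line[0] in "#!"):
            continue
        trailing = len(line) - len(line.rstrip("\\"))
        continuing = trailing % 2 == 1          # odd number of '\' continues the line
        logical += line[:-1] if continuing else line
        if continuing:
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        if m and m.group(1) == key:
            value = m.group(2).strip()          # a later definition replaces an earlier one
        logical = ""
    return value

def missing_disabled(text, required=("RC4",)):
    """List the entries of `required` that are absent from jdk.tls.disabledAlgorithms."""
    value = read_property(text, "jdk.tls.disabledAlgorithms")
    if value is None:
        return list(required)
    # Entries may carry constraints ("DH keySize < 1024"); compare the name only.
    names = {e.split()[0].upper() for e in value.split(",") if e.strip()}
    return [r for r in required if r.upper() not in names]

# Constructed samples modelled on a java.security file (not copied from a real JRE).
SAMPLE_STOCK = """\
# constructed sample
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224
"""
SAMPLE_EDITED = """\
#jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA
jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224
"""

if __name__ == "__main__":
    for label, sample in (("stock", SAMPLE_STOCK), ("edited", SAMPLE_EDITED)):
        print(label, "missing:", missing_disabled(sample))
```

To audit a real installation, read the JRE's java.security file into a string and pass it to `missing_disabled()`; a non-empty result means that JRE will negotiate the listed algorithms with every TLS server it talks to, not only the iDRAC.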