Dell iDRAC 6 Remote Console Connection Failed

Dell iDRAC 6 Remote Console Connection Failed

I recently had the honor to fix a real annoying issue with the iDRAC on rather old DELL hardware, R710 servers that are stilling puling their weight. They have been upgraded to the latest firmware naturally and DELL allows access to those updates to anyone without the need for a support contract (happy users/customers).You can perfectly configure Java site exceptions and use Firefox or Chrome to connect to it (IE is different story, you can connect but the view is messed up). Anyway the browser isn’t the big issue. The  problem was that Dell iDRAC 6 remote console connection failed consistently at the very last moment with “Connection Failed”

image

image

Note: are you nuts?

Yes I like 25/50/100Gbps RDMA, S2D, All Flash etc. I do live the vanguard live on the bleeding edge, but part of that is funding solutions that fit the environment. In this case. They have multiple spare servers and extra disks on top the ones they use in the lab or even in production. So even when a server or a component fails they can use that to fix it. They have the hands on and savvy staff members to do that. No problem. This is not an organization driven by fear of risk and responsibility but by results and effective TCO/ROI. They know very well what they can handle and what not. On top of that they know very well what part of IT sectors sales and marketing promises/predictions are FUD and which are reality. This means they can make decisions based on optimizing for their needs delivering real results.

Leveraging old hardware does mean that sometimes you’ll  run into silly issues but annoying issues like older DRAC cards with modern client operating systems, browsers and recent Java versions.

Most tricks are to be found on line to get those to work together but sometimes even those fails. First of all make sure all network requirements are in order (ports, firewall etc) and on top of that:

  • Upgraded the DRAC Firmware to the latest v2.85
  • Add DRAC IP into the Java Exception List.
  • Change Java Network Setting from Browser to Direct Connect
  • Hack the Java config files
  • Disable Encrypted Video on the DRAC
  • Reset the DRAC
  • On top of this you can run and older version of the browser and Java but at a certain point this becomes a silly option. You see at a given moment the entire stack as moved ahead and one trick like running an old version of Java won’t do it anymore and keeping a VM around that’s at a 10 year old tech/version level is a pain.

The missing piece for me: generate & upload SHA256 certs

So let me share you what extra step got the remote console of the DELL R710 iDRAC to work with the most recent version of Java, Windows 10 and the latest of the greatest Firefox browser at the time of writing.

The trick that finally did it is to generate a CSR on the DRAC while you are connected to it. You see, many people never upload their own certs and if they did, it might have been many years ago. Those old SHA1 certs are frowned upon by modern browsers and Java.

image

image

Open the CSR file, copy the content and submit it to a PKI you have or a free one on line like at getacert.com. Just fill out some random info in the request and you’ll get a SHA256 cert for download immediately that “valid” a couple of months. Enough for testing or getting out of a pickle. Your own corporate CA will do better for long term needs.

image

On top of that you’ll need to reset the DRAC card and give it a few minutes.

image

Reconnect to the DRAC and after that, without failure, we could connect to the on all R710 servers where before we kept getting the dreaded “Connection Failed” error otherwise.

That’s it! Good luck.

Hyper-V integration components 6.3.9600.18692

After the July 2017 round of patching we got a new version of the Hyper-V integration components on Windows Server 2012 R2. Yes, something that you no longer need to deal with manually since Windows Server 2016. But hey, my guess is that many of you are still taking care of Windows Server 2012 R2 Hyper-V deployments. I’m still taking care of a couple of Windows Server 2012 R2 Clusters, so don’t be shy now.

The newest version (at the time of writing) is 6.3.9600.18692 and 1st appeared in the June 27, 2017—KB4022720 (Preview of Monthly Rollup) update. It has since  been release in the July 11, 2017—KB4025336 (Monthly Rollup) update. You can follow up on the versions of the IC via this link Hyper-V Integration Services: List of Build Numbers

image

That means that you’ll need to upgrade the integration components for the VMs running on your Hyper-V (cluster) nodes after patching those.

image

And yes despite some issues we have seen with QA on updates in the past we still keep our environment very well up to date as when doing balanced risk management the benefits of a modern, well patched environment are very much there. Both for fixing bugs and mitigating security risks. Remember WannaCry ?

So my automation script has run against my Windows Server 2012 R2  Clusters. have you taken care of yours? I did adapt it to deal with the ever growing number of Windows Server 2016 VMs we see running, yes even on Windows Server 2012 R2 Hyper-V hosts.

image

Manage Your Brocade Fibre Channel Switch with recent Java & browser versions

Introduction

I was in the process of setting up a new jump server a management station server virtual machine on Windows Server 2016 Hyper-V. The guest was also Windows Server 2016 (desktop install). That station needed to be used to manage some aging Brocade fibre channel switches. With the default setting and links this will give you some headaches and some solution require you to keep older and insecure browser or java versions installed. We’ll show you how to get GUI access to your FC switches without needing to do that so you can manage your Brocade Fibre channel switch with recent Java & browser versions. Well not all of them, but it can be done with IE 11 and Firefox 52.0.1 (at the time of writing).

Another solution is to use the CLI naturally.

Manage Your Brocade Fibre Channel Switch with recent Java & browser versions

It’s OK to use the most recent Java version available. At the moment that I wrote this blog post that was Java 1.8.0.121. I can’t give guarantees other than that, but for now that does work.

Instead of navigating to http or https to just the IP address which will send you to https://x.x..x.x/switchexplorer you need to create a shortcut link to the following: https://10.30.2.2/switchexplorer_installed.html (or http://10.30.2.2/switchexplorer_installed.html if you have not enabled https on your switch).

Like this:

clip_image001

I normally change the icon to the shortcut to indicate it’s pointing to a network device. I actually created some ico files based on an image of brocades Fibre Channel switches that I use for this. I just place then under C:\Programdata\BrocadeFC for safe keeping together with a cop of the short cuts. On the management station, I add them to the desktop for easy access. Below is a screenshot of my Windows 10 or Windows Server 2016 (Desktop Experience) management station.

clip_image002

But we’re not there yet. You need to go to Java configuration and select the Security Tab. Make sure Enable Java Content in the browser is enabled. Leave the security at high but don’t forget to add the IP addresses of your Brocade switch to the Exception Site List.

clip_image004

You’ll need to add http or https or both depending on your situation. I think we can all agree we should go for https in this day and age.

In Firefox when you launch the shortcut you’ll get asked what app to use for opening this file.

clip_image005

Make sure you point it to javaws.exe (in C:\Program Files (x86)\Java\jre1.8.0_121\bin) if that’s not the case.

clip_image007Also, check to “Do this automatically for files like this from now on” for faster access during normal operations.

In Internet Explorer allow the add-on “Java SE Runtime Environment 8 Update 121 from Oracle America Inc.” to run.

clip_image009

When it comes to Chrome, this doesn’t’ work anymore. See https://www.java.com/en/download/faq/chrome.xml

When the application is launched, depending on the age of the fibre channel switch and the version of the firmware you’ll be greeted by a more or less harsh security warning.

clip_image010

clip_image011

Check the “I accept the risk and want to run this application” or “Do not show this again for this app from the publisher above” depending on the case. This also allows for easy access the next time you launch the shortcut. The app will launch and you’ll be greeted by the login screen.

clip_image012

Juts log in and there’s nothing more to it. You can now manage your FC switches from Firefox again.

image

Hope this helps some of you out there that come across this issue.

Off Host Backup Jobs with Veeam and Replay Manager 7.8

It’s all about application consistent hardware VSS provider snapshots

I was browsing to see if I could already download Replay Manager 7.8 for our Compellent (SC) SANs. No luck yet, but I did find the release notes. There was a real gem in there on Off Host Backup Jobs with Veeam and Replay Manager 7.8. We’ll get back to that after the big deal here.

image

So what kind of goodness is in there? Well obviously there is the way too long overdue support for Windows Server 2016, including the Hyper-V role and its features. That is great news. We now have application consistent hardware VSS provider snapshots.I do not know what took them so long but they need to get with the program here. I have given this a s feedback before and again at DELL EMC World 2017 The Compellent still is one of the best “traditional” centralized storage SAN solutions out there hat punches fare above its weight. On top of that, having looked at Unity form DELL EMC, I can tell you that in my humble opinion the Compellent has no competition from it.

Off Host Backup Jobs Veeam Replay Manager 7.8

Equally interesting to me, as someone who leverages Compellent and Veeam Baclup & Replication with Off Host Proxies (I wrote FREE WHITE PAPER: Configuring a VEEAM Off Host Backup Proxy Server for backing up a Windows Server 2012 R2 Hyper-V cluster with a DELL Compellent SAN (Fiber Channel))  is the following. Under fixed Issues is found:

RMS-24 Off-host backup jobs might fail during the volume discover scan when using Veeam backup software.

I have Off host proxies with transportable snapshots working pretty smooth but it has the occasional hiccup. Maybe some of those will disappear with Replay Manager 7.8. I’m looking forward to putting that to the test and roll forward with Windows Server 2016 for those nodes where we need and want to leverage the Compellent Hardware VSS provider. When I do I’ll let you know the results.