Loading...
Loading...
In OneFS 8.2 and newer, the Smartconnect Service IP (SSIP) address was moved from a SYSTEM_ZONE to a DISABLED_ZONE, thus, no longer allowing authentication when connecting using the SSIP. This means that any protocol where the SSIP is the server and requires authentication, the connection will not complete at the point of authentication. Example protocols that would require authentication are (this is not a complete list): Secure Shell (SSH) WebUI (HTTPS) SMB NFS FTP NOTE: It has been perceived that this is a bug/defect; however, this is expected behavior. When the SSIP is placed in the DISABLED_ZONE, the corresponding Zone ID is 0 (zero). The zone number can be seen after running # ifconfig. isilon-1# ifconfig ix0 ix0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=e53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6> ether --:--:--:--:--:-- inet 192.168.1.43 netmask 0xfffffc00 broadcast 192.168.1.255 zone 1 inet 192.168.1.35 netmask 0xffffff00 broadcast 192.168.1.255 zone 0 inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255 zone 2 inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255 zone 2 inet 192.168.1.13 netmask 0xffffff00 broadcast 192.168.1.255 zone 2 inet 192.168.1.16 netmask 0xffffff00 broadcast 192.168.1.255 zone 2 inet 192.168.1.17 netmask 0xffffff00 broadcast 192.168.1.255 zone 2 inet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255 zone 2 inet 192.168.1.21 netmask 0xffffff00 broadcast 192.168.1.255 zone 2 inet 192.168.1.15 netmask 0xffffff00 broadcast 192.168.1.255 zone 2 inet6 fe80::xxxx:xxxx:xxxx:xxxx%ix0 prefixlen 64 scopeid 0x1 zone 1 media: Ethernet autoselect (10Gbase-SR <full-duplex,rxpause>) status: active nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL> The Smartconnect Service IP only blocks authentication required for the inbound connection. If the SSIP is used as the source IP of an outbound connection (where the node is the client), the ZONE specification will not apply. For example, if the node is attempting to reach out to an authentication server using the SSIP as the source IP address, this traffic will not be blocked. There is also no restriction to having the SSIP as the source IP address for outbound connections requiring authentication. While the SSIP was moved to a different zone, it is still not supported to use the SSIP as a server beyond what it was intended for, which is for name resolution. Documentation regarding support for this topic is found in the Advanced Networking Fundamentals Guide (page 32): https://www.dellemc.com/resources/en-us/asset/white-papers/products/storage/h16463-isilon-advanced-networking-fundamentals.pdf "Note: SmartConnect Service IP Addresses (SSIPs) are only supported for use by a DNS server. Although SSIPs may be used in other configurations, the design intent was for a DNS server. Thus, other implementations with SSIPs are not supported."
In previous OneFS versions the Smartconnect Service IP (SSIP) was in the SYSTEM_ZONE, allowing authentication when using the SSIP as a server.
It is not recommended to use production or management traffic on the SSIP as a server beyond what it is intended for.
Click on a version to see all relevant bugs
Dell Integration
Learn more about where this data comes from
BugZero Plan
Streamline upgrades with automated vendor bug scrubs
BugZero Prevent
Wish you caught this bug sooner? Get proactive today.