New Contributor
Posts: 2
Registered: ‎06-08-2017

Multi-path to a cleartext LUN

Hi,

 

I'm running an ES-5832B encryption switch on FOS v7.0.1. We use those devices to encrypt LUN data on the fly. There are multiple paths to reach a particular LUN and for that, we create one zone per host/target.

 

For example, Host port 1 and Target port 1 will be in Zone1 and Host port 2 and Target port 2 will be in Zone2. Then we create a CryptoTarget container for each zone, CTC1 and CTC2.

 

Multi-pathing an encrypted LUN is therefore as simple as adding the LUN to each CryptoTarget container using the following command:

 

> cryptocfg --add -LUN CTC1 0x0 <Init PWWN> <Host NWWN> -lunstate encrypted -encrypt
> cryptocfg --add -LUN CTC2 0x0 <Init PWWN> <Host NWWN> -lunstate encrypted -encrypt

Looking at the state of the LUN should show that all paths have encryption enabled:

 

> cryptocfg --show -container -all -stat | grep "Internal EE LUN state"
Internal EE LUN state:  Encryption enabled
Internal EE LUN state:  Encryption enabled

And this works great, I can see on my host all the paths to the LUN.

 

Now if I try to do the same with a cleartext LUN, the story is different. So as before, I add my LUN to all CryptoTarget containers but I just specify that the LUN is cleartext:

 

> cryptocfg --add -LUN CTC1 0x0 <Init PWWN> <Host NWWN> -lunstate cleartext -cleartext
> cryptocfg --add -LUN CTC2 0x0 <Init PWWN> <Host NWWN> -lunstate cleartext -cleartext

 

But if I look at the LUN state, only the first path is enabled:

 

> cryptocfg --show -container -all -stat | grep "Internal EE LUN state"
Internal EE LUN state:  Clear text
Internal EE LUN state:  LUN setup


On my host I can see both paths but no data is going through the second one.

 

I don't get why what works for encrypted LUNs won't work for cleartext LUNs. Am I missing something?

 

External Moderator
Posts: 5,029
Registered: ‎02-23-2004

Re: Multi-path to a cleartext LUN

@jimmyt

 

I'll try to assist you with the issue. I worked in the past with BES platforms, but I'm not the TOP expert, and those Encryption Switches are indeed hard nuts.

 

Q.:

1) Is the storage where you have presented a LUN attached directly to the BES switch, or through an EDGE switch?

 

EXAMPLE:

 

BES <--> SAN-Switch as EDGE <---> Storage

 

2)

 

-->>On my host I can see both paths but no data is going through the second one.

 

-->> I don't get why what works for encrypted LUNs won't work for cleartext LUNs. Am I missing something?

 

Is the Initiator added on the CTC?

If I remember correctly, when the Initiator is not added, no data goes through the path.

TechHelp24
New Contributor
Posts: 2
Registered: ‎06-08-2017

Re: Multi-path to a cleartext LUN

[ Edited ]

Hi Antonio,

 

The setup looks like this:

 

Host <-----> BES <-----> Storage

No more complex than this.

 


Antonio Bongiorno TechHelp24 wrote:

Is the Initiator added on the CTC?

If I remember correctly, when the Initiator is not added, no data goes through the path.




Yes, the configuration did not change. If I had an encrypted LUN for the same host, all is fine. It just doesn't work when it's a cleartext LUN.
Frequent Contributor
Posts: 103
Registered: ‎04-07-2011

Re: Multi-path to a cleartext LUN

Hello @jimmyt

 

Welcome to the Community!

While we still encourage the Community to assist with your post, I wanted to let you know that I have passed your questions on to our TAC Engagement Team. They will be reaching out to you shortly to gather more information regarding your configuration, so we can get you routed to the correct group.

Once your case is closed, if appropriate, we will post the resolution to this thread to help others within the Community; or, if you'd prefer, please come back and post the resolution yourself.

Please let us know if there is anything else we can do to help facilitate your case resolution.

You can find out more about the TAC Engaged Program by clicking on the link below.

Thank you!

Denise K.
Brocade Community Team

@DeniseK

 

TAC Engaged Program


Frequent Contributor
Posts: 103
Registered: ‎04-07-2011

Re: Multi-path to a cleartext LUN

[ Edited ]

Hi @jimmyt / All,

 

The TAC case for this issue was closed recently, with this Resolution Summary:

 

"In this case, there is no key vault connectivity. When there is loss of key vault connectivity, one clear text path per LUN, per Encryption Engine, can come online. Other clear text paths (non-passive path) will come up in a LUN Setup state. The BES is working as designed. KB Article 00001472 describes the issue."

 

We hope this helps!

 

Best Regards,

 

Denise K.

Brocade Community Team

@DeniseK
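The state pattern named in the resolution summary can be checked automatically. The following is an added example, not part of the original thread or any Brocade tooling: it classifies the "Internal EE LUN state" lines exactly as quoted in the first post. The function names and verdict labels are hypothetical, and the input is assumed to cover the paths of a single LUN on one Encryption Engine.

```python
import re

# Constructed samples: the grep result lines quoted in the thread. Only the
# "Internal EE LUN state" field is modelled; no other cryptocfg output is assumed.
SAMPLE_ENCRYPTED = """\
Internal EE LUN state:  Encryption enabled
Internal EE LUN state:  Encryption enabled
"""
SAMPLE_CLEARTEXT = """\
Internal EE LUN state:  Clear text
Internal EE LUN state:  LUN setup
"""

STATE_RE = re.compile(r"Internal EE LUN state:\s*(.*\S)", re.IGNORECASE)
ONLINE = {"encryption enabled", "clear text"}  # states the thread shows as working


def path_states(text):
    """Return the per-path LUN states, lower-cased, in output order."""
    states = []
    for line in text.splitlines():
        match = STATE_RE.search(line)
        if match:
            states.append(match.group(1).lower())
    return states


def assess(text):
    """Return (verdict, indexes of paths that are not passing data)."""
    states = path_states(text)
    if not states:
        return ("no-paths", [])
    stuck = [i for i, s in enumerate(states) if s not in ONLINE]
    if not stuck:
        return ("ok", [])
    # Pattern from the TAC resolution: one clear text path online while the
    # other paths stay in "LUN setup", which points at key vault connectivity.
    only_setup = all(states[i] == "lun setup" for i in stuck)
    if states.count("clear text") == 1 and only_setup:
        return ("check-key-vault", stuck)
    return ("degraded", stuck)


if __name__ == "__main__":
    for name, sample in (("encrypted", SAMPLE_ENCRYPTED),
                         ("cleartext", SAMPLE_CLEARTEXT)):
        print(name, assess(sample))
```

A "check-key-vault" verdict is only a prompt to verify key vault connectivity on the switch; the state lines alone do not prove the cause.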
