Auto-Remediation vCenter Alarm

Summary:
I've been dealing w/ issues on Emulex OCe11102-FM logging out of the vSAN Fabric and not recovering.

Long story short, it's been a firmware problem and I was able to get a alpha firmware that fixed the issue.

In the meantime, I had created a PowerCLI script to auto-remediate every hour if a degraded path was detected.  I wasn't fond of the solution, so I looked to vCenter alarms to see if I could have them do it for me.  Turns out they can, but there are caveats to this approach.

What follows is an example of how to set something like this up and details specific to the errors/configuration I was dealing with.



Example:

  1. Alarm General Settings: Host, Monitor for specific events

  2. Alarm Triggers: 
    1. Degraded Storage Path Redundancy: Warning
    2. Entered Maintenance Mode: Alert
    3. Host connected: Normal

  3. Alarm Actions:
    1. Enter Maintenance Mode upon "Warning" status
    2. Reboot Host: Upon "Alert" Status
    3. Exit Maintenance Mode: upon "Normal" status

  4. This does the following:
    1. Degraded Storage Path Redundancy detected and placed into "Warning" status
    2. Once "Warning" status is triggered, the "Enter maintenance mode" action is executed.
    3. Once the host has "Entered maintenance mode", an "alert" status is triggered.
    4. Once "Alert" status is triggered, the "reboot host" action is executed.
    5. The host goes into disconnected state when it's rebooted, so when it comes back online, this triggers a "Host Connected" event which places a status of "Normal".
    6. Once "Normal" status is triggered, the "Exit maintenance mode" action is executed.
Caveats:
  1. The alarm does not understand the notion of cluster status, so if other hosts trigger the same degradation status, they will all attempt to enter maintenance mode @ the same time.  Since they will all fail to reach "Entered maintenance mode" they will simply be stuck.
  2. Think of this as a workaround solution only, I would not recommend using this consistently.
  3. Doing firmware updates on the cards causes a degradation event which kicks off this alarm.
Configuration / Errors:
Host -> Nexus 5K -> Cisco MDS
OCe11102-FM Firmware Version: 4.6.142.10

Nexus 5K is configured for NPV
Cisco MDS is configured for NPIV

This particular issue was seeing that the connection from the Host to the Nexus 5K always logging out of the vSAN.

The connection between the Nexus 5K and Cisco MDS were always 'up'.

Errors recorded:
2013 Oct 21 12:16:23 SWITCHNAME %PORT-5-IF_TRUNK_DOWN: %$VSAN 20%$ Interface vfc1, vsan 20 is down (Gracefully shutdown)   
2013 Oct 21 12:16:23 SWITCHNAME %PORT-5-IF_DOWN_NONE: %$VSAN 20%$ Interface vfc1 is down (None)  
2013 Oct 21 12:16:23 SWITCHNAME %PORT-5-IF_TRUNK_DOWN: %$VSAN 20%$ Interface vfc1, vsan 20 is down (waiting for flogi)  
2013 Oct 21 12:20:52 SWITCHNAME %PORT-5-IF_TRUNK_DOWN: %$VSAN 20%$ Interface vfc1, vsan 20 is down (Initializing)   

Problem came down to bad firmware from Emulex.  Something was getting hung and not re-logging back into the fabric w/o resetting the virtual fabric port on the switch or rebooting the ESXi host.

Port captures on the switch show that under normal operating circumstances, it is expecting a VLAN discovery packet from the host to begin FLOGI negotiation.  When the problem occurs, it no longer receives this VLAN discovery packet from the host.  Performing the same packet captures on the host also did not show the VLAN discovery packet which points to a 'firmware' level call that can only be seen in the actions of the HBA itself and its diagnostic dumps.  This is when we interfaced w/ Emulex for analysis of those dumps.

Comments

Anonymous said…
Hi chris,

About this alpha firmware for the Emulex OCE11102-FM pci board, could you explain where it's possible to download it for test ? I don't see this firmware on the Emulex Support website. We have this type of problem on several systems and we would test the alpha firmware.
Thanks for your information.
February 26, 2014 at 2:31 PM
Zsoldier said…
Had to get it directly from Emulex. It may be available by now.
February 26, 2014 at 2:53 PM
Anonymous said…
hi Chris,
Unfortunatly the last release available for download on the Emulex website is the 4.6.142.10. (with the problem).
regards
marcng
February 26, 2014 at 4:16 PM
Zsoldier said…
You'll have to contact Emulex unfortunately to get it then.
February 26, 2014 at 4:28 PM
Post a Comment

Popular posts from this blog

NSX-T: Release associated invalid node ID from certificate

Image
Summary: Basically had an expiring certificate registered in NSX-T that was associated to a node_id that is no longer valid.  Long story short, there wasn't anything obvious in API to delete or disassociate a certificate from a node_id for 3.2.2.  Not sure how things got in this state, but annotating for future reference.  This may change in future revisions, so always check API for latest. Details: Effectively had a stale node associated w/ a certificate that was expiring.  Could not delete certificate until that node was disassociated from the certificate. To get certificate details and associated node_id's, you can use the following curl call (UI works too): curl -k -X GET -H "Content-Type: application/json" -u admin https://<manager ip>/api/v1/trust-management/certificates/<cert UUID> Above will return something like this: Below must be run from one of the manager nodes via elevation to root: ONLY RUN THIS IF YOU ARE ABSOLUTELY SURE OF WHAT YOU ARE DO...
Read more

NSX-T: vCenter and NSX-T Inventory out of Sync (Hosts in vSphere not showing up in NSX-T)

Image
Summary: NSX-T loses synch w/ vCenter inventory, but statuses don't appear to show an issue.  Basically, you add a host to a vCenter cluster, NSX-T bits should start to automatically installing on new host.  Assuming you've created a Transport Node Profile and associated w/ the cluster.  The problem is that NSX-T doesn't see the new host and its link to the compute manager (vCenter) looks fine. Looks fine, Y U NO WORK!? So what's going on here?  This appears to affect NSX-T 2.5 and 2.5.1.  Cause is unknown. Workaround: Restart the cm-inventory service on each NSX-T mgmt/controller node using API or CLI. Details: If you were to query the status of the cm-inventory via API or CLI, you could query all 3 manager/controller nodes and get a status of running.  Even if the primary node associated w/ the VIP, if configured, is not necessarily in charge of inventory.  So you could restart the cm-inventory service till you are blue in the face ...
Read more

MacOS: AnyConnect VPN client was unable to successfully verify the IP forwarding table modifications.

Image
The VPN client was unable to successfully verify the IP forwarding table modification.  A VPN connection will not be established. Summary: I started running into issue utilizing Cisco AnyConnect on my Mac basically complaining about not able to overwrite IP forwarding tables.  This was on 4.6.x.  Since my VPN endpoints were not providing me w/ an updated client and w/ no access to Cisco Anyconnect downloads, my only option was to try openconnect.  It was totally worth it, here is why and how to set it up. PreReqs: Homebrew Installing OpenConnect: Launch MacOS Terminal brew install openconnect Getting VPN IP's/DNS Endpoints from AnyConnect: The information is typically located in your profile xml files located here: /opt/cisco/anyconnect/profile/somethingsomething.xml In the xml file, you are looking for "<HostAddress>typicallyaDNSName.com</HostAddress>" entry.  These are your VPN endpoints that you would need to pass to openconnec...
Read more