VMware ‘Disable DelayedAck’ Does Not Work?

KB ID 0001525

Problem

I’ve got a client that’s been having some performance issues with their VMs. Their storage vendor (EMC) said that, as a result of finding this in the logs;

[box]

B       02/28/19 09:50:53.953 scsitarg          117000e [INFO] System: iSCSI Logout Initiator Data: IP=192.168.200.161 Name=...-ec-21 Target Data: Port=2 Flags=0x00002002 Info=0x01200801
B       02/28/19 09:50:53.969 scsitarg          117000e [INFO] System: iSCSI Logout Initiator Data: IP=192.168.201.161 Name=...-ec-21 Target Data: Port=3 Flags=0x00002002 Info=0x01200801
B       02/28/19 09:51:16.413 Health              608fe [WARN] User: Host ESXi-01.petenetlive.com does not have any initiators logged into the storage system.
A       02/28/19 10:04:25.968 scsitarg          117000d [INFO] System: iSCSI Login Initiator Data: IP=192.168.200.161 Name=...-ec-21 Target Data: Port=2 Flags=0x00002002 Info=0x00000000 [Target]
B       02/28/19 10:04:26.034 scsitarg          117000d [INFO] System: iSCSI Login Initiator Data: IP=192.168.200.161 Name=...-ec-21 Target Data: Port=2 Flags=0x00002002 Info=0x00000000
A       02/28/19 10:04:31.996 scsitarg          117000d [INFO] System: iSCSI Login Initiator Data: IP=192.168.201.161 Name=...-ec-21 Target Data: Port=3 Flags=0x00002002 Info=0x00000000 [Target]
B       02/28/19 10:04:32.055 scsitarg          117000d [INFO] System: iSCSI Login Initiator Data: IP=192.168.201.161 Name=...-ec-21 Target Data: Port=3 Flags=0x00002002 Info=0x00000000
B       02/28/19 10:04:57.438 Health              608fc [INFO] User: Host ESXi-01.petenetlive.com is operating normally.
Host Host ESXi-01.petenetlive.com is accessing lun Datastore_3 as HLU 3, After the initiators for this host start logging in/logging,  unit attention update events will be logged as the paths to the luns have changed this is expected
2019/02/28-09:50:41.607527 ~~~~     7F3C92369703      std:TCD:   Unit Attention update from 0000001A to 0001030D for LUN 0x3.
2019/02/28-10:02:55.860669 ~~~~     7FE476E61702      std:TCD:   Unit Attention update from 00010149 to 00010157 for LUN 0x3.

[/box]

We should disable DelayedAck and they kindly gave me the VMware KB that outlined the procedure.

Solution

The procedure outlined (for VMware 6.x) is to put the host in maintenance mode, edit the properties of the iSCSI controller(s), untick the DelayedAck options, reboot the host, and everything will be peachy. However, even though (post reboot) everything looks good in the vSphere Web console, if you look on the host you may find something like this;

[box]

vmkiscsid --dump-db | grep Delayed

[/box]

DelayedAck = ‘1’ means ENABLED, DelayedAck = ‘0’ means DISABLED

So half my iSCSI entries in the iSCSI database still have DelayedAck ENABLED?

Some Internet searching told me this was quite common, and that the best way to ‘fix’ it was to disable the iSCSI initiator, remove the iSCSI database, reboot and then set up iSCSI again;

[box]

cd /etc/vmware/vmkiscsid
esxcfg-swiscsi -d
rm -f vmkiscsid.db
reboot

[/box]

Which is fine IF YOU ARE USING A SOFTWARE iSCSI INITIATOR. I, however, was not; I had 2x dedicated hardware iSCSI HBAs on each host!

After many hours of messing about and trial and error, it became clear that I had to do things in a certain order, or DelayedAck would simply be re-enabled whether I liked it or not. 🙁

Disable DelayedAck With Hardware iSCSI NICs / HBAs

MAKE SURE THE HOST IS IN MAINTENANCE MODE FIRST

Then take a note of your iSCSI setup (Port Groups, VMkernel Ports and Physical NICs): you are going to delete the iSCSI database in a minute, and you will need to ‘rebind’ the VMkernel Ports and add the iSCSI targets back in again.

Manually remove your iSCSI target(s) from ALL the iSCSI NICs/HBAs.

If you now re-run the command vmkiscsid --dump-db | grep Delayed you will see there are still some entries in the database with DelayedAck enabled! So, as in the software iSCSI example above, we are going to remove the iSCSI database, except that here we don’t need to disable the software iSCSI initiator (because we are not using one!). Finally reboot the host.

[box]

cd /etc/vmware/vmkiscsid
rm -f vmkiscsid.db
reboot

[/box]

When the host is back online, ADD the Network Port Binding for the appropriate VMkernel adaptor.

Like so;

DON’T RESCAN THE CONTROLLER AS PROMPTED TO DO SO!

On the Advanced Settings of EACH hardware iSCSI NIC/HBA > Edit > UNTICK ‘DelayedAck’.

Double check they are both still unticked (I’ve seen them re-tick themselves for no discernible reason!), then rescan the controller(s).

Target > Add.

Re-add the iSCSI target(s) that you took note of above.

Select the Target > Advanced > Untick the DelayedAck option (Note: This time it’s not inherited). Repeat for any additional iSCSI targets.

When they are all added, rescan the storage controllers again.

Finally recheck all the database entries are set to DISABLED.

[box]

vmkiscsid --dump-db | grep Delayed

[/box]
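As an added check that is not part of the original article: a small POSIX shell script that reads the output of vmkiscsid --dump-db and reports every entry where DelayedAck is still ENABLED, so the final verification above can be scripted rather than eyeballed. The only assumption about the dump format is that each entry carries a line of the form DelayedAck = 'N'; the sample dump embedded below is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): verify the DelayedAck state of
# every entry in the ESXi iSCSI database. Feed it the output of
# "vmkiscsid --dump-db"; it only looks at lines of the form DelayedAck = 'N'.
# The surrounding line layout of a real dump is an assumption.

# Print the number of entries where DelayedAck is still ENABLED ('1').
count_delayedack_enabled() {
    awk '/DelayedAck = .1.[ \t]*$/ { n++ } END { print n + 0 }'
}

# Print each ENABLED entry with its line number plus a summary; exit 1 if any
# remain enabled, 0 if every entry is DISABLED ('0').
check_delayedack() {
    awk '
        /DelayedAck = / {
            total++
            if ($0 ~ /= .1.[ \t]*$/) { enabled++; print "line " NR ": " $0 }
        }
        END {
            printf "DelayedAck entries: %d, still ENABLED: %d\n", total + 0, enabled + 0
            exit (enabled + 0 > 0) ? 1 : 0
        }'
}

# Constructed sample dump (NOT real vmkiscsid output): two targets on each of
# two hardware HBAs, with two entries still enabled, as seen in the article.
SAMPLE_DUMP="vmhba32 target iqn.1992-04.com.example:storage-a
DelayedAck = '0'
vmhba32 target iqn.1992-04.com.example:storage-b
DelayedAck = '1'
vmhba33 target iqn.1992-04.com.example:storage-a
DelayedAck = '0'
vmhba33 target iqn.1992-04.com.example:storage-b
DelayedAck = '1'"

# On a real host run: vmkiscsid --dump-db | check_delayedack
if printf '%s\n' "$SAMPLE_DUMP" | check_delayedack; then
    echo "OK: DelayedAck is DISABLED on every entry"
else
    echo "ACTION: DelayedAck is still ENABLED on some entries (see above)"
fi
```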

Related Articles, References, Credits, or External Links

Thanks to Russell and Iain for their patience while I worked all that out!

Windows – Enable Two RDP Sessions

KB ID 0000554 

Problem

If you have Windows (Professional, Enterprise or Ultimate) you can already connect to it remotely using RDP. Unlike Windows Server 2008/2003/2000, which can have two concurrent RDP connections for remote administration, Windows client operating systems can only have one. If someone is logged into the machine and you connect in, it simply kicks them out to the login page.

This was never a problem for me until I set up a tiny Acer Revo PC behind my TV to use as a media server. If anyone was at home using the media server and I remotely connected to it (I do this quite often to check client VPNs, and to check that websites are up and firewalls I’m working on are configured correctly), the TV screen would fill with the Windows 7 login screen.

Solution

To get round this problem you need to “patch” a particular Windows file called Termsrv.dll. Thankfully, over at deepxw they have done the hard work for you and created an installer that backs up your termsrv.dll file, then patches it.

1. Download the patch (UniversalTermsrvPatch_2)  and extract it to your desktop.

2. Locate the installer for either the 32-bit (x86) or 64-bit version of Windows, depending on which you have. If you’re unsure click here. Click “Patch” and it should say that it was successful.

3. Reboot the client machine.

Should you wish to revert back again;

Simply re-run the installer again and select “Restore”. Then reboot.


Related Articles, References, Credits, or External Links

NA

Cisco Remote (IPSEC) VPN Clients Timeout / Disconnect

KB ID 0000309 

Problem

By default, your remote VPN clients will time out their connections after 300 seconds of inactivity. You can increase that on a user-by-user basis; however, sometimes that does not work. To fix the problem you need to disable ISAKMP monitoring at the “Head End”.

Solution

Enable via Command Line

(see below for ASDM instructions)

1. Connect to the firewall (see here for instructions).

2. Login and go to enable mode.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesASA> en
Password: ********

[/box]

3. We need to change the remote access IPSEC VPN tunnel group; to find out what it’s called, issue a “show running-config tunnel-group” command.

The tunnel group we want will have an “ipsec-attributes” entry AND a “remote-access” entry, so in the example below the tunnel group we want is called “IPSEC-VPN-GROUP” (Yours may not be as well named!).

[box]

PetesASA# show running-config tunnel-group
tunnel-group IPSEC-VPN-GROUP type remote-access <<< Here's a remote access group
tunnel-group IPSEC-VPN-GROUP general-attributes
address-pool IPSEC-VPN-DHCP-POOL
authentication-server-group PNL-KERBEROS LOCAL
default-group-policy IPSEC-VPN-POLICY
tunnel-group IPSEC-VPN-GROUP ipsec-attributes <<< Its an IPSEC tunnel :)
pre-shared-key *****
tunnel-group SSL-VPN-POLICY type remote-access <<< Here's a remote access group
tunnel-group SSL-VPN-POLICY general-attributes
address-pool SSL-VPN-DHCP-POOL
default-group-policy SSL-VPN-GROUP-POLICY
tunnel-group SSL-VPN-POLICY webvpn-attributes <<< this ones an SSL group :(
group-alias PNL enable
PetesASA#

[/box]
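To make the “which tunnel group?” step above repeatable, here is an added POSIX shell helper (not from the original article) that parses “show running-config tunnel-group” output, lists the groups that are both remote-access AND have ipsec-attributes, checks whether the keepalive fix is already present for a group, and prints the two CLI lines from step 4 for each group it finds. The sample input is the article’s own output with the prompt and <<< annotations removed.

```shell
#!/bin/sh
# Added example (not from the original article): pick out the tunnel-group(s)
# that the article says to edit, i.e. those that are BOTH "type remote-access"
# AND have an "ipsec-attributes" block, from "show running-config tunnel-group"
# output read on stdin, and check/emit the keepalive fix for them.

# Print the name of every remote-access tunnel-group that has ipsec-attributes.
find_ipsec_ra_groups() {
    awk '
        $1 == "tunnel-group" && $3 == "type" && $4 == "remote-access" { ra[$2] = 1 }
        $1 == "tunnel-group" && $3 == "ipsec-attributes"             { ipsec[$2] = 1 }
        END { for (g in ra) if (g in ipsec) print g }' | sort
}

# Exit 0 if "isakmp keepalive threshold infinite" is already set under the named
# group's ipsec-attributes block, 1 otherwise.
keepalive_disabled_for() {
    awk -v g="$1" '
        /^tunnel-group / { inblk = ($2 == g && $3 == "ipsec-attributes"); next }
        inblk && $1 == "isakmp" && $2 == "keepalive" && $3 == "threshold" && $4 == "infinite" { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Print the CLI from the article (step 4) for each group found on stdin.
print_keepalive_fix() {
    find_ipsec_ra_groups | while read -r g; do
        printf 'tunnel-group %s ipsec-attributes\n isakmp keepalive threshold infinite\n' "$g"
    done
}

# Sample: the article's own "show running-config tunnel-group" output, minus the
# prompt and the <<< annotations.
SAMPLE_TG="tunnel-group IPSEC-VPN-GROUP type remote-access
tunnel-group IPSEC-VPN-GROUP general-attributes
 address-pool IPSEC-VPN-DHCP-POOL
 authentication-server-group PNL-KERBEROS LOCAL
 default-group-policy IPSEC-VPN-POLICY
tunnel-group IPSEC-VPN-GROUP ipsec-attributes
 pre-shared-key *****
tunnel-group SSL-VPN-POLICY type remote-access
tunnel-group SSL-VPN-POLICY general-attributes
 address-pool SSL-VPN-DHCP-POOL
 default-group-policy SSL-VPN-GROUP-POLICY
tunnel-group SSL-VPN-POLICY webvpn-attributes
 group-alias PNL enable"

printf '%s\n' "$SAMPLE_TG" | print_keepalive_fix   # the two config lines for IPSEC-VPN-GROUP only
```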

4. Enter configuration mode (conf t), then to add the new attribute issue “tunnel-group {tunnel group name} ipsec-attributes”, then to disable the keepalives issue the following command: “isakmp keepalive threshold infinite”.

Finally save your hard work with a “write mem” command.

[box]

PetesASA# conf t
PetesASA(config)# tunnel-group IPSEC-VPN-GROUP ipsec-attributes
PetesASA(config-tunnel-ipsec)# isakmp keepalive threshold infinite
PetesASA(config-tunnel-ipsec)# write mem
Building configuration...
Cryptochecksum: 5417d5a1 bee8b082 16c6f19d b3839f13

9379 bytes copied in 1.410 secs (9379 bytes/sec)
[OK]
PetesASA(config-tunnel-ipsec)#

[/box]

Do the same from the ASDM.

1. Connect to the ASDM.

2. Click Configuration > Remote Access VPN > IPSEC Connection Profiles > {Your IPSEC Policy} > Edit.

3. Select Advanced > IPSEC > and tick “Headend will never initiate keepalive monitoring” > OK > Apply.

4. Finally click File > “Save Running Configuration to Flash”.

Related Articles, References, Credits, or External Links

NA

Cisco ASA – Remote VPN Client Internet Access

KB ID 0000977

Problem

I have answered a lot of questions in forums that are worded something like, “When I have a remote client connected to my firewall VPN they lose Internet access!” Traditionally that’s exactly what the ‘default’ remote VPN solution (IPSEC or AnyConnect) gave you.

To ensure your remote VPN clients can access the Internet you have two options. The first (and most common) way is to enable ‘Split Tunneling’; this lets the user access the Internet from their LOCAL Internet connection.

Or you can provide an Internet connection via the ASA’s public Internet connection; this is known as a ‘Tunnel All’ solution.

Solution

At this point I’m assuming you have a remote VPN set up and working; if not, you need to do that first. Here are some walk-throughs I’ve already done to help you set that up.

Cisco ASA 5500 AnyConnect Setup From Command Line
Note: Split tunneling is covered in this article.
Cisco ASA 5500 IPSEC VPN Setup
Note: Split tunneling is covered in this article.

Option 1 (Split Tunneling)

Rather than re-invent the wheel, I’ve already covered this before in the following article.

Cisco ASA – Enable Split Tunnel for IPSEC / SSLVPN / WEBVPN Clients

Option 2 (Tunnel All Split Tunneling)

1. Connect to the ASA > Go to enable mode > Then to global configuration mode.

[box]

Type help or '?' for a list of available commands.
PetesASA> enable
Password: ******
PetesASA# configure terminal

[/box]

2. Now you need to create an object group for your remote VPN clients (‘show run ip local pool’ should tell you what subnet you are using), and create a NAT rule for traffic originating on the remote client and going back out of the ASA’s outside interface.

[box]

PeteASA(config)# object network VPN_Pool
PeteASA(config-network-object)# subnet 10.0.0.0 255.255.255.0
PeteASA(config-network-object)# nat (outside,outside) after-auto source dynamic VPN_Pool interface 

[/box]

3. Now, as traffic is going to come in through the outside interface, turn around, and go back out of the same interface, we need to allow that.

[box]

PeteASA(config)# same-security-traffic permit intra-interface

[/box]

4. Add the ‘tunnel all’ setting, and force the remote client to use your DNS servers, in the policy you are using for your remote VPN (if you are unsure, issue a ‘show run group-policy’).

[box]

PeteASA(config)# group-policy SSL_Policy attributes
PeteASA(config-group-policy)# split-tunnel-policy tunnelall
PeteASA(config-group-policy)# split-tunnel-all-dns enable
PeteASA(config-group-policy)# exit
PeteASA(config)#

[/box]

5. Save the changes.

[box]

PeteASA(config)# write mem
Building configuration...
Cryptochecksum: cb28eeb2 3d203272 eda92e1c a3b70d09

3166 bytes copied in 0.890 secs
[OK]
PeteASA(config)#

[/box]
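An added audit script (not from the original article) that checks a saved “show run” for the settings steps 2 to 4 above put in place: the hairpin permit, the after-auto NAT of the VPN pool to the outside interface, and tunnelall plus split-tunnel-all-dns under the named group-policy. It reads the config on stdin; the two config fragments embedded below are constructed for illustration, with the AFTER one mirroring the article’s commands.

```shell
#!/bin/sh
# Added example (not from the original article): audit a saved "show run"
# against the four settings the Tunnel All procedure above requires. Reads the
# config on stdin; the group-policy name is passed as $1. Prints one
# "MISSING: ..." line per absent setting and exits with the number missing.
audit_tunnel_all() {
    awk -v pol="$1" '
        # step 3: hairpin traffic back out of the outside interface
        /^same-security-traffic permit intra-interface/ { ok["hairpin"] = 1 }
        # step 2: manual (after-auto) PAT of the VPN pool to the outside address
        /^nat \(outside,outside\) after-auto source dynamic [^ ]+ interface/ { ok["nat"] = 1 }
        # step 4: tunnelall + all-dns inside the named group-policy block
        /^group-policy / { inpol = ($2 == pol && $3 == "attributes"); next }
        /^[^ ]/ { inpol = 0 }
        inpol && $1 == "split-tunnel-policy" && $2 == "tunnelall" { ok["tunnelall"] = 1 }
        inpol && $1 == "split-tunnel-all-dns" && $2 == "enable"  { ok["alldns"] = 1 }
        END {
            n = split("hairpin nat tunnelall alldns", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in ok)) { print "MISSING: " want[i]; missing++ }
            exit missing + 0
        }'
}

# Constructed config fragments (not a real ASA dump). BEFORE is a split-tunnel
# policy with none of the steps applied; AFTER has the article's steps applied.
CFG_BEFORE="object network VPN_Pool
 subnet 10.0.0.0 255.255.255.0
group-policy SSL_Policy internal
group-policy SSL_Policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL"
CFG_AFTER="same-security-traffic permit intra-interface
object network VPN_Pool
 subnet 10.0.0.0 255.255.255.0
nat (outside,outside) after-auto source dynamic VPN_Pool interface
group-policy SSL_Policy internal
group-policy SSL_Policy attributes
 split-tunnel-policy tunnelall
 split-tunnel-all-dns enable"

# Usage on a real firewall: save "show run" to a file, then
#   audit_tunnel_all SSL_Policy < running-config.txt
printf '%s\n' "$CFG_BEFORE" | audit_tunnel_all SSL_Policy || echo "BEFORE: $? setting(s) missing"
printf '%s\n' "$CFG_AFTER"  | audit_tunnel_all SSL_Policy && echo "AFTER: tunnel-all config complete"
```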

Related Articles, References, Credits, or External Links

NA