SMB Signing breaks CSV access cross-node

  • Question

  • Hey all, couldn't find an article that answers my problem, so starting my own :).
    Hopefully I put in enough detail.

    Server 2012 R2 Hyper-V Failover Cluster environment.
    2 nodes. 1 SAN via SAS.
    Disks added as CSV. Hyper-V config and vhds on CSVs.
    Each node has 12 NICs.
    NIC 1 - Mgmt - Gateway IP, DNS IP - 192.168.0.X/24
    NIC 2 - Live Migration - IP only, no Gateway, no DNS - 10.20.30.X/24
    NIC 3 to 10 - Windows Teamed Interface - LACP on Switch, added as Virtual Switch, External network, does not share mgmt
    NIC 12 - DMZ - added as Virtual Switch, External network, does not share mgmt

    Everything is fine. Cluster works, live migration works.

    Recently we're going through a security exercise, operating Tenable.io, and remediating results found.
    One of them is SMB Signing. I have been enabling the Group Policy "Microsoft network server: Digitally sign communications (always)" across various servers, testing along the way.

    Until I apply this to my nodes. My CSVs don't appear to like it. After a few days, when trying to access a CSV in C:\ClusterStorage that is owned by another node, I can't see the Space used, and when trying to access it, I get "you have been denied permission to access this folder".
    Removing "Microsoft network server: Digitally sign communications (always)" on both instantly restores this communication.

    After googling around, I have been witnessing a few Event Log errors in SMBClient, Event 30803 and 31010, but I'm not yet sure if it's related. I am still trying to monitor it without the policy change. This is an example:

    [Event ID 30803]

    The network connection failed.

    Error: {Device Timeout}
    The specified I/O operation on %hs was not completed before the time-out period expired.

    Server name: fe80::e0a9:e45:5b2b:f594%25
    Server address: 10.20.30.2:445
    Connection type: Wsk

    Guidance:
    This indicates a problem with the underlying network or transport, such as with TCP/IP, and not with SMB. A firewall that blocks port 445 or 5445 can also cause this issue.

    [Event ID 31010]

    The SMB client failed to connect to the share.

    Error: {Access Denied}
    A process has requested access to an object, but has not been granted those access rights.

    Path: \\fe80::e0a9:e45:5b2b:f594%25\454b7f2d-4e6c-4332-ae29-5e4befc5ce5b-135266304$

    So what am I missing? Is it something to do with SMB Signing trying to verify an identity, and CSVs are using SMB across the Live Migration network, 10.20.30.2, but these errors are showing IPv6 address as a server name?

    Tuesday, September 17, 2019 2:29 AM
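An added example (not from the original post) of how a defender would gather the facts the question turns on from both nodes at once: the effective SMB signing settings the GPO sets, which node owns each CSV, which cluster network carries cluster traffic, and the recent SMBClient 30803/31010 events with the server name or address they name. It assumes it runs on one cluster node with the FailoverClusters module and PowerShell remoting to the other node, and that the two standard SMBClient channels (Connectivity and Security) hold those two event IDs.

```powershell
# Added example: correlate SMB signing configuration with SMBClient connection failures on every cluster node.
Import-Module FailoverClusters

$nodes = (Get-ClusterNode).Name

# Which node owns each CSV: cross-node access to a volume goes through its owner over SMB.
Get-ClusterSharedVolume | Select-Object Name, OwnerNode, State | Format-Table -AutoSize

# Cluster networks and their roles/metrics show which subnet (e.g. 10.20.30.x) carries cluster/CSV traffic.
Get-ClusterNetwork | Select-Object Name, Address, Role, Metric | Format-Table -AutoSize

$report = Invoke-Command -ComputerName $nodes -ScriptBlock {
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    # "Microsoft network server: Digitally sign communications (always)" sets RequireSecuritySignature on the server side.
    $signing = [pscustomobject]@{
        Node                 = $env:COMPUTERNAME
        ServerRequireSigning = $srv.RequireSecuritySignature
        ServerEnableSigning  = $srv.EnableSecuritySignature
        ClientRequireSigning = $cli.RequireSecuritySignature
    }

    # Assumed channel names for the two events quoted in the post; widen StartTime as needed.
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SMBClient/Connectivity', 'Microsoft-Windows-SMBClient/Security'
        Id        = 30803, 31010
        StartTime = (Get-Date).AddDays(-3)
    } | ForEach-Object {
        # Pull the "Server name:" / "Server address:" / "Path:" target out of the message text
        # so link-local IPv6 names can be matched against the 10.20.30.x cluster addresses.
        $m = [regex]::Match($_.Message, '(?:Server (?:name|address)|Path): (?<target>\S+)')
        [pscustomobject]@{
            Node   = $env:COMPUTERNAME
            Time   = $_.TimeCreated
            Id     = $_.Id
            Target = $m.Groups['target'].Value
        }
    }

    [pscustomobject]@{ Signing = $signing; Events = $events }
}

# Signing settings side by side: both nodes should agree, and server Require/Enable should match the GPO state.
$report | ForEach-Object { $_.Signing } | Format-Table -AutoSize

# Failures in time order: compare their timestamps with when the GPO was applied or removed.
$report | ForEach-Object { $_.Events } | Sort-Object Time | Format-Table -AutoSize
```

Run it once with the policy applied and once after removing it; a clean run in the second case and 31010 entries whose Target resolves to the other node in the first is the correlation the post is looking for.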
