Issues during fencing startup on VCS cluster nodes set up for server-based fencing


Issues during fencing startup on VCS cluster nodes set up for server-based fencing
Prev	Appendix G. Troubleshooting VCS configuration	Next

Table: Fencing startup issues on VCS cluster (client cluster) nodes

Issue	Description and resolution
cpsadm command on the VCS cluster gives connection error	If you receive a connection error message after issuing the cpsadm command on the VCS cluster, perform the following actions: Ensure that the CP server is reachable from all the VCS cluster nodes. Check the /etc/vxfenmode file and ensure that the VCS cluster nodes use the correct CP server virtual IP or virtual hostname and the correct port number. For HTTPS communication, ensure that the virtual IP and ports listed for the server can listen to HTTPS requests.
Authorization failure	Authorization failure occurs when the nodes on the client clusters and or users are not added in the CP server configuration. Therefore, fencing on the VCS cluster (client cluster) node is not allowed to access the CP server and register itself on the CP server. Fencing fails to come up if it fails to register with a majority of the coordination points. To resolve this issue, add the client cluster node and user in the CP server configuration and restart fencing. See Preparing the CP servers manually for use by the VCS cluster.
Authentication failure	If you had configured secure communication between the CP server and the VCS cluster (client cluster) nodes, authentication failure can occur due to the following causes: The client cluster requires its own private key, a signed certificate, and a Certification Authority's (CA) certificate to establish secure communication with the CP server. If any of the files are missing or corrupt, communication fails. If the client cluster certificate does not correspond to the client's private key, communication fails. If the CP server and client cluster do not have a common CA in their certificate chain of trust, then communication fails.

Issue

Description and resolution

cpsadm command on the VCS cluster gives connection error

If you receive a connection error message after issuing the cpsadm command on the VCS cluster, perform the following actions:

Ensure that the CP server is reachable from all the VCS cluster nodes.
Check the /etc/vxfenmode file and ensure that the VCS cluster nodes use the correct CP server virtual IP or virtual hostname and the correct port number.
For HTTPS communication, ensure that the virtual IP and ports listed for the server can listen to HTTPS requests.

Authorization failure

Authorization failure occurs when the nodes on the client clusters and or users are not added in the CP server configuration. Therefore, fencing on the VCS cluster (client cluster) node is not allowed to access the CP server and register itself on the CP server. Fencing fails to come up if it fails to register with a majority of the coordination points.

To resolve this issue, add the client cluster node and user in the CP server configuration and restart fencing.

See Preparing the CP servers manually for use by the VCS cluster.

Authentication failure

If you had configured secure communication between the CP server and the VCS cluster (client cluster) nodes, authentication failure can occur due to the following causes:

The client cluster requires its own private key, a signed certificate, and a Certification Authority's (CA) certificate to establish secure communication with the CP server. If any of the files are missing or corrupt, communication fails.
If the client cluster certificate does not correspond to the client's private key, communication fails.
If the CP server and client cluster do not have a common CA in their certificate chain of trust, then communication fails.

Prev	Up	Next
The GAB program reports incorrect membership results with existing iptable rules	Home	Appendix H. Sample VCS cluster setup diagrams for CP server-based I/O fencing