rhochmayr
commented
6 years ago I have re-deployed the Network Controller and SLB MUX Nodes with Server 2016 images containing the latest updates but the issue still persists.
All components can be deployed successfully and NC is working fine. After deploying the SLB Mux Nodes via Service Template I can go through the "Network Services" wizard in VMM and configure the SLB server without any issues.
After the service is configured the HNVPA NICs on the SLB-MUX Nodes are beeing activated and they receive an address from the HNV IP Pool.
The eventlogs on the SLB MUX Nodes however show the error messages shown in the last post.
When I run Debug-NetworkControllerConfigurationState on the Hyper-V Hosts I get following warnings and Errors:
Status: Warning
Source: SoftwareLoadBalancerManager Code: HostNotConnectedToController Message: Host is not Connected.
Status: Failure
Source: SoftwareLoadBalancerManager Code: VirtualServerUnreachable Message: Loadbalancer Mux is not connected to SLBM. Network Error Code: 10054, Error Message: An existing connection was forcibly closed by the remote host.
What seems weird is following error that also comes up because before adding the SLB-MUX Service the Network Controller was working fine. HNV was working accross multiple hosts and different tenant virtual networks, and still seems to be working fine.
Status: Failure
Source: VirtualSwitch Code: HostNotConnectedToController Message: The host has not yet established communication with the Network Controller.
I assume this message is due to a bug as mentioned here? https://docs.microsoft.com/en-us/windows-server/networking/sdn/troubleshoot/troubleshoot-windows-server-software-defined-networking-stack
The following Eventlog error on the SLB-MUX Nodes is referencing the Thumbprint from the NC certificate:
Unable to validate remote certificate with thumbprint Reason: Remote Certificate is Not Authorized.
Any ideas on where to go from here?
Thanks Robert
After deploying the SLB service via VMM service templates following error keeps coming up in the SLBMUX Eventlogs on the SLB nodes:
Event ID: 9 Unable to validate remote certificate with thumbprint Reason: Remote Certificate is Not Authorized.
The NC certificate has been issued by an internal CA and is trusted by all involved machines.
I also checked the Trusted Root stores on the SLB and NC nodes for certificates with different "issued to" and "issued by" entries but everything looks fine.
On the SLB MUX nodes I enabled the CAPI2 Operational Event Logs and the whole certificate verification process seems to be running without errors.
However, the Timestamps between the Error Message in the slbmux Eventlogs correlate with entries from the CAPI2 Eventlogs when the certificate verifications seem to be taking place.
These are taking place every 30 seconds. At the same time the above mentioned error about being unable to validate the remote certificate is logged
I also tested a manual revocation check with following command on the SLB nodes against the mentioned NC certificate up in the eventlog error and this is also running successfully without any issues. "certutil -f –urlfetch -verify nccertificate.cer"
The NC certificate as well as the SLB MUX Computer certificates have both EKUs (Client & Server Authentication) set.
Are there any other requirements I'm missing here?
Thanks Robert