fence_cisco_ucs fails with 'Unable to connect/login to fencing device' in RHEL cluster

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux (RHEL) 5, 6, or 7 with the High Availability Add On
  • Cisco UCS Servers using the UCS fence device (fence_cisco_ucs) for fencing/stonith

Issue

  • fence_cisco_ucs fails with "Unable to connect/login to fencing device"
  • Cluster node configured with fence_cisco_ucs fails to be fenced, showing "error from agent" in fenced.log
  • Unable to fence UCS because it requires a secure connection

Resolution

Enable fence_cisco_ucs to connect via SSL

If the UCS management interface is configured to only allow SSL connections, enable SSL functionality in `fence_cisco_ucs`. To do so on the command line, use `-z`:

# fence_cisco_ucs -z --ip=x.x.x.x --username=admin --password=some_password --plug=SomePlug_1 -v -o status

Or in /etc/cluster/cluster.conf, specify ssl="1":

<fencedevice agent="fence_cisco_ucs" ipaddr="x.x.x.x" login="admin" name="ucs" passwd="some_password" suborg="org-RHEL" ssl="1"/>

Validate SSL Certificate

If the UCS management interface uses SSL and has a certificate signed by a Certificate Authority (CA) that is not properly trusted by the cluster nodes, then either:
  • Have the certificate signed by a proper CA and/or configure the cluster nodes to trust that CA, or
  • RHEL 6: Update to fence-agents-4.0.15-8.el6 or later, which defaults to allowing insecure certificates (or can have --ssl-insecure or ssl_insecure="1" specified to achieve the same)
  • RHEL 7: Update to fence-agents-4.0.11-10.el7 or later, which defaults to allowing insecure certificates (or can have --ssl-insecure or ssl_insecure="1" specified to achieve the same)

Specify Correct User

If the user is created under a domain, the user must be specified for authentication as `domain\username` in the configuration, or as [`'domain\username'` on the command line, quoted to escape the `\` character](https://access.redhat.com/solutions/965843):

# fence_cisco_ucs -z --ip="x.x.x.x" --username='domain\username' --password="some_password" --plug="node1" --suborg="/org-root/" -o status -v

Root Cause

If the UCS management interface is configured to only allow SSL connections, the agent may fail in certain releases unless -z / ssl="1" is enabled. When ssl is enabled, an invalid or untrusted certificate may cause connection failures on certain releases. Finally, if using a user in a domain, then this requires special syntax to specify the domain.

Diagnostic Steps

  • Run fence_cisco_ucs from the command line using the parameters from /etc/cluster/cluster.conf and `-v`:
# fence_cisco_ucs --ip=10.1.1.2 --username=admin --password='cisco' --plug=plugX -o status -v
<aaaLogin inName="admin" inPassword="cisco" />
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://10.1.1.2/nuova">here</a>.</p>
</body></html>

Unable to connect/login to fencing device

If the output looks like above, -z is needed.
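A pre-flight login check that mirrors what the agent does, added here as an example and not part of fence-agents or this article: it posts the same aaaLogin request to /nuova that appears in the -v output above and reports which of the three fixes applies (ssl="1", a trusted CA or ssl_insecure="1", or domain\username syntax). The host, credentials, and the outCookie/errorDescr attribute names are assumptions.

```python
import re
import ssl
import urllib.error
import urllib.request
from xml.sax.saxutils import quoteattr

class NoRedirect(urllib.request.HTTPRedirectHandler):
    # Surface a 302 as an HTTPError instead of silently following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def login_body(user, password):
    # Same aaaLogin request the agent sends (see the -v output above). quoteattr
    # keeps a 'domain\user' name intact and escapes characters XML would reject.
    return f"<aaaLogin inName={quoteattr(user)} inPassword={quoteattr(password)} />"

def classify(status, body):
    """Map an HTTP status and body to: ok, needs-ssl, bad-login or unexpected."""
    if status in (301, 302) and "https://" in body:
        return "needs-ssl"        # plain HTTP is redirected: use -z / ssl="1"
    if status == 200 and re.search(r'outCookie="[^"]+"', body):
        return "ok"               # attribute name assumed from the UCS XML API
    if "errorDescr=" in body:     # attribute name assumed from the UCS XML API
        return "bad-login"        # check domain\username quoting and password
    return "unexpected"

def probe(host, user, password, use_ssl, verify_cert=True, timeout=10):
    """Attempt the login the way the agent would and report which fix applies."""
    ctx = ssl.create_default_context()
    if not verify_cert:           # equivalent of --ssl-insecure / ssl_insecure="1"
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(NoRedirect(),
                                         urllib.request.HTTPSHandler(context=ctx))
    url = f"{'https' if use_ssl else 'http'}://{host}/nuova"
    req = urllib.request.Request(url, data=login_body(user, password).encode(),
                                 headers={"Content-Type": "application/xml"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode(errors="replace"))
    except urllib.error.URLError as err:
        if isinstance(err.reason, ssl.SSLCertVerificationError):
            return "cert-untrusted"   # trust the CA or set ssl_insecure="1"
        return "unreachable"

if __name__ == "__main__":
    # Constructed values; use_ssl=True corresponds to -z / ssl="1".
    print(probe("10.1.1.2", "admin", "cisco", use_ssl=False))
```

Run it first with use_ssl=False; a result of needs-ssl reproduces the 302 case shown above, and a cert-untrusted result with use_ssl=True points at the certificate section.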


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.