#vserver http access


spare laurel
#

Having trouble with a vserver denying http requests from anywhere, but mostly from Snap* apps. Can ssh to the mgmt lif, can ping it. But http/s refuses connections.

The mgmt lif has management-http and -https services enabled.

What am I missing?

analog dock
#

check
vserver services web show
vserver services web access show
for the svm

digital valve
#

...... and port 80 & 443 from your client to the management lif is not blocked by a firewall?

spare laurel
#

Firewall ruled out, will check those commands, thanks!

#

All set to true.

red zenith
#

did you double check that it's not a duplicate IP address?

spare laurel
#

Yes

#

Like I said, I can ssh to it just fine.

red zenith
#

did you try moving the LIF to the other node?

spare laurel
#

can give that a shot

crystal mountain
#

Yeah. It’s likely the service policy

#

Do a net int show -vserver xxx -fields service-policy
Then
Network interface service-policy show -vserver xxx -policy <from above >
You are likely missing the appropriate objects to allow through

spare laurel
#

Checked that already, dunno what it's missing

#

default-management data-core: 0.0.0.0/0
                   management-ssh: 0.0.0.0/0
                   management-https: 0.0.0.0/0
                   management-dns-client: 0.0.0.0/0
                   management-ad-client: 0.0.0.0/0
                   management-ldap-client: 0.0.0.0/0
                   management-nis-client: 0.0.0.0/0
                   data-dns-server: 0.0.0.0/0
                   management-http: 0.0.0.0/0
                   backup-ndmp-control: 0.0.0.0/0
                   management-snmp-server: 0.0.0.0/0

crystal mountain
#

What is service policy of the interface you are trying to use?

spare laurel
#

that one

crystal mountain
#

How about a specific example of what is failing?

spare laurel
#

any http request (from within java if SnapCenter or SnapCreator, from browser on my laptop) gets ERR_CONNECTION_REFUSED

crystal mountain
#

Can you show the output asked earlier

vserver services web show -vserver xxx

vserver services web access show -vserver xxx

spare laurel
#

just a sec, have to email them from [custy site] to NTAP laptop.

#

vserver services web show -vserver vscl2_ora_t3_110

Vserver          Type Service Name Description                   Enabled
vscl2_ora_t3_110 data backups      Configuration Backup Download true
vscl2_ora_t3_110 data docs-api     REST API Documentation        true
vscl2_ora_t3_110 data ontapi       Remote Administrative API     true
                                   Support
vscl2_ora_t3_110 data rest         Remote Administrative REST    true
                                   API Support
vscl2_ora_t3_110 data security     Security features             true

5 entries were displayed.

vserver service web access show -vserver vscl2_ora_t3_110

Vserver          Type Service Name Role
vscl2_ora_t3_110 data backups      none
vscl2_ora_t3_110 data docs-api     vsadmin
vscl2_ora_t3_110 data docs-api     vsadmin-protocol
vscl2_ora_t3_110 data docs-api     vsadmin-readonly
vscl2_ora_t3_110 data docs-api     vsadmin-volume
vscl2_ora_t3_110 data ontapi       vsadmin
vscl2_ora_t3_110 data ontapi       vsadmin-protocol
vscl2_ora_t3_110 data ontapi       vsadmin-readonly
vscl2_ora_t3_110 data ontapi       vsadmin-volume
vscl2_ora_t3_110 data rest         vsadmin
vscl2_ora_t3_110 data rest         vsadmin-protocol
vscl2_ora_t3_110 data rest         vsadmin-readonly
vscl2_ora_t3_110 data rest         vsadmin-volume
vscl2_ora_t3_110 data security     vsadmin
vscl2_ora_t3_110 data security     vsadmin-protocol
vscl2_ora_t3_110 data security     vsadmin-readonly
vscl2_ora_t3_110 data security     vsadmin-volume

17 entries were displayed.

#

ontapi and REST are both there, so not sure why snapcreator/center both error out trying to connect to it.

spare laurel
#

the specific error I get in SnapCenter when I try to add the vserver:

Storage: [vserver mgmt IP] Error. Failed to connect to storage system [vserver mgmt IP]. API invoke failed:The underlying connection was closed: An unexpected error occurred on a send.

#

Migrated mgmt lif to another node with same results

crystal mountain
#

Which user are you using to connect? Does it have permission under rest-role?

#

Security login show -vserver xxx
Security login role show -vserver xxx
Security login rest-role show -vserver xxx

#

And ONTAP version. Is the app trying to use the ONTAPI and it’s disabled?

#

security session request-statistics show-by-location -interface ontapi

spare laurel
#

9.121P8

spare laurel
#

Just to put a bow on this,

::> security ssl show

Client access wasn't enabled. The fix:

::> security ssl modify -client-enabled true

Took us capturing and analyzing packets in Wireshark to figure out what the problem was. ONTAP really needs better errors for this. LOL

crystal mountain
#

lol. Completely forgot about this!

#

I’ve never had to manipulate the svm for actual https access

meager briar
#

@narrow brook @zealous wind do you think it's worth writing a KB for this?

crystal mountain
#

I would think so! It’s not really in the documentation and it’s not common to enable http/s to the svm. Hopefully enough tags would allow it to be found quickly

spare laurel
#

Paul, John Gartrell from support was the one who helped us figure it out. 2010105678 was the case.

meager briar
#

Oh. John should have written a KB then. If not, I'll sack him like the person writing the credits for Monty Python and the Holy Grail. 😄

spare laurel
#

heh, he wasn't primary, John Lahey was, brought John G in as an ONTAP guru. 😂

meager briar
#

I guess so. 🙂

spare laurel
#

Scott, that kb doesn't cover the SSL issue we encountered for https. Covers most of the other stuff we verified along the way tho!