Connect Configuration Troubleshooting
Troubleshooting VMware vSphere Configuration
Troubleshooting Citrix XenServer Configuration
Troubleshooting Adapters for XenDesktop, Hyper-V, SCVMM and SCCM Configuration
Troubleshooting Citrix XenDesktop Configuration
Troubleshooting Microsoft Hyper-V and Virtual Machine Manager Configuration
ExtremeCloud IQ Site Engine is not responding.
Restart the ExtremeCloud IQ Site Engine services. Change directory (cd) to /usr/local/Extreme_Networks/NetSight/scripts.
cd /usr/local/Extreme_Networks/NetSight/scripts
stop ExtremeCloud IQ Site Engine service by typing:
./stopserver.sh
Wait for the prompt and then start ExtremeCloud IQ Site Engine service by typing:
./startserver.sh
Is there a log file and where do I find it?
Extreme Connect logs within the JBoss context of the ExtremeCloud IQ Site Engine server. Find the server.log file either in the ../appdata/logs/ folder or simply by opening the server log from any ExtremeCloud IQ Site Engine Client.
What loglevels are available and how do I change them?
Every module of ExtremeConnect, including the main application itself have individual loglevel settings in their respective configuration file. The default level should be ERROR and it is strongly suggested to keep it at this level, except for troubleshooting issues. The loglevels are (from least to most talkative):
- ERROR
- WARN
- INFO
- DEBUG
I am getting a lot of errors and would like to turn logging completely off for a certain module.
In addition to the four loglevels used by all modules, Log4J also supports the FATAL loglevel which is currently not used by any module without Extreme Connect. In order to set a module to use this loglevel, the configuration file has to be edited manually as this option is not provided on the web page to avoid shutting down logging by mistake.
Some modules stop working after some time and report in the log that too many errors happened.
Each module is monitored by the main ExtremeConnect process regarding errors that happen during each run cycle (i.e. authentication errors). If a module produces more than 10 failures in a row, the module will be disabled to prevent any further errors. In order to restart a module, try to identify the problem source (i.e. remote server is not responding), remedy it and update the module configuration file. As soon as the timestamp of the configuration file is changed, the configuration will be reloaded and the failure counter is reset to zero until further failures happen. The counter will also be reset, if at least one successful cycle was completed in the meantime.
The logs always note local/remote data storages. What are these?
ExtremeConnect logs are always written from the ExtremeConnect perspective. Local means the ExtremeConnect service and remote relates to another service contacted (i.e. ExtremeControl, VMware,…). Each module has its own datastore in order to track changes and update local or remote data. Therefore, if certain information for an end-system is missing from a specific module, it is always a good start to look at the datastore and log for that particular module.
What happens to a module if an error occurs?
The error is logged and the run cycle for the module will go on or end, depending on the severity of the error. If an error should crash a module, a full stack trace will be logged and the module is terminated until the JBoss service has been restarted. All other modules are not affected by this and will continue running, even if they should not receive any further updates from other modules.
After JBoss has started, I don’t see any data being updated for some minutes. Is there something wrong?
No, Extreme Connect will first start all modules and wait a bit to verify that everything is running correctly. After that, the modules will enter their run cycle and start retrieving data from various sources. Depending on the delay until the information is retrieved and the interval times of each module, this might take up to a couple of minutes.
Troubleshooting VMware vSphere Configuration with ExtremeConnect
Do I have to create a dedicated user for ExtremeConnect to access the vSphere webservice?
No, but it is recommended to do so as it will enable you to filter events and tasks more easily within the VMware Client.
What are the least permission requirements for the webservice user?
The account should have at least all necessary permissions to:
- register the ExtremeCloud IQ Site Engine Plugin Extension
- write data to VM annotation fields
- read data from VM configurations (MAC, Network)
Although ExtremeConnect seems to be running fine, I only see “n/a” in the annotation fields and no records via the ExtremeConnect plugin. Why is that?
Most likely, none of the MAC addresses of the VM is listed in the end-system table of the NAC Manager. Make sure that authentication (at least MAC Auth) is set up properly on the physical switch and that the VM is actually sending some traffic.
How often will Extreme Connect update the information within vSphere (annotations, switches…etc.)?
ExtremeConnect will check if the current remote data differs from its local. If so, it will update all data that is different on the remote service. This is especially true for the annotation field and it is generally recommended not to use variables like LastSeenTime in the annotation text, which will change very frequently and have a lot of updates as a result.
Is there any way to get rid of the event/task logs for every update that Extreme Connect performs within vSphere?
No. This functionality is handled by vSphere itself and ExtremeConnect has no means to stop it. vSphere offers a filtering mechanism that can be used to limit the information shown and help to find specific data more efficiently.
How does ExtremeConnect determine the name of the end-system group that a VM MAC address should be added to?
ExtremeConnect retrieves the name of the virtual network/portgroup in its default configuration and uses the part before the first underscore as the end-system group name. This corresponds to the naming convention used if ExtremeConnect is automatically creating portgroups from end-system groups. The format used there is always:
endSystemGroup_virtualSwitchName
The reason for this is the requirement within vSphere that two portgroups on the same host can not share the same name. Therefore, the (d)vSwitch name is appended to the end-system group name with an underscore. This also ensures that vMotion is possible for VMs on two hosts which also require that both portgroups on those hosts have the same name.
Is it possible to let ExtremeConnect create portgroups automatically, but to let the VM administrator handle VLAN configurations?
Yes, the configuration offers an option to turn off VLAN creation/updates.
What happens if VLAN updates are enabled and a VM administrator changes the settings of a portgroup?
Extreme Connect will update the settings using the local configuration data. It will not delete and recreate the portgroup, but simply update the existing configuration.
What happens if an end-system group is deleted and the portgroup deletion option is enabled?
Extreme Connect will move all VMs attached to that portgroup/network to the “VM Disconnected Systems” group and then delete the original portgroup/network.
If a portgroup has been deleted by ExtremeConnect, can another portgroup with the same name be created manually within vSphere afterwards?
Using its local data store, ExtremeConnect will put the name of the end-system group onto a special “deletion” stack. During each run cycle, every module will check the stack and remove all portgroups that use the same name until the deletion interval timer runs out. This value is set to 2 minutes per default. After those 2 minutes have passed, a VM administrator can safely create a portgroup of the same name without risking it being deleted.
Although portgroup deletion is enabled, groups are not getting deleted by ExtremeConnect. What is the reason for that?
ExtremeConnect will delete all groups as long as the group is on the deletion stack and the entry has not timed out. If too much time is required for each run through, try increasing the deletion interval timer so that the module has a better chance of performing the operation.
Troubleshooting Citrix XenServer Configuration with ExtremeConnect
Do I have to create a dedicated user for ExtremeConnect to access the XEN Server webservice?
No, you can use the root account on the XEN Server.
What are the least permission requirements for the webservice user?
The account should have at least all necessary permissions to:
- write data to VM description fields
- read data from VM configurations (MAC, Network)
How often will ExtremeConnect update the information within XenCenter (descriptions, networks…etc.)?
ExtremeConnect will check if the current remote data differs from its local. If so, it will update all data that is different on the remote service. This is especially true for the description field and it is generally recommended not to use variables like LastSeenTime in the annotation text, which will change very frequently and have a lot of updates as a result.
How does Extreme Connect determine the name of the end-system group that a VM MAC address should be added to?
ExtremeConnect creates XEN networks with the exact same name as the corresponding ExtremeCloud IQ Site Engine end-system group. ExtremeConnect then checks all XEN networks it manages and the VMs which are assigned to them. The MAC’s of these VMs will then be added to the corresponding end-system group in ExtremeCloud IQ Site Engine.
Is it possible to let ExtremeConnect create networks automatically, but to let the VM administrator handle VLAN configurations?
No, this feature is currently only supported for VMware, not for XEN.
What happens if a XEN administrator changes the settings of a network (VLAN ID, NIC)?
ExtremeConnect will update the settings using the local configuration data. For this to take place, all VMs connected to the network will temporarily be disconnected from this network. Then the network will be reconfigured and finally all VMs priory connected to this network will be reconnected.
What happens if an end-system group is deleted and the network deletion option is enabled?
ExtremeConnect will move all VMs attached to that network to the “VM Disconnected Systems” network and then delete the original network.
If a network has been deleted by ExtremeConnect, can another network with the same name be created manually within XenCenter afterwards?
Using its local data store, ExtremeConnect will put the name of the end-system group onto a special “deletion” stack. During each run cycle, every module will check the stack and remove all networks that use the same name until the deletion interval timer runs out. This value is set to 2 minutes per default. After those 2 minutes have passed, a XEN administrator can safely create a network of the same name without risking it being deleted.
I’ve set an end-system group’s description to “sync=true vlan=100” but in XEN only an internal network is being created – not an external one with the corresponding VLAN ID - why?
In order for ExtremeConnect to create an external network within XEN two settings are necessary: VLAN ID and physical NIC to connect the external network to.
I’ve set an end-system group’s description to “sync=true nic=eth1” but in XEN only an internal network is being created – not an external one attached to nic eth1 without a VLAN ID - why?
In order for ExtremeConnect to create an external network within XEN two settings are necessary: VLAN ID and physical NIC to connect the external network to. It is not possible to create an external XEN network without assigning a VLAN ID (all external XEN networks are tagged).
Troubleshooting Adapters for XenDesktop, Hyper-V, SCVMM and SCCM Configuration with ExtremeConnect
What is the adapter doing and how?
The adapter is creating a Web Service bound to the IP and port that configure within the configuration file. ExtremeConnect is then making web service calls to this adapter to retrieve data on managed end-systems (VMs, Windows devices, etc.) and (depending on which integration is used) also update data on the remote server (for example: update description fields for VMs).
What ports are needed to communicate between the ExtremeConnect and the adapter?
Only one port is required and this is the one configured on the adapter side within its configuration file.
Is the communication secure?
All data sent and retrieved from/to the adapter is encrypted using the pre-shared key which the admin defines when setting up the adapter and installing ExtremeConnect. The key itself is then automatically encrypted.
No information is synchronized – what else can I check?
Check the adapter’s logfile. It will show you when the adapter has been “called” by ExtremeConnect, what powershell commands it tries to execute and what the return values of these commands were. You need to set the log level to “DEBUG” and restart the adapter in order for this to print detailed logging information.
How can I check whether the adapter’s web service is working and reachable?
Depending on whether your ExtremeCloud IQ Site Engine server is installed on a Windows server or on a Linux-based appliance you can use a standard browser or a Linux tool like wget to request one of the following web URLs (depending on the integration (adapter) you are trying to troubleshoot):
- XenDesktop: http://<IPofAdpater>:<PortOfAdapter>/DCM_XENDESKTOP_ADAPTER
- Hyper-V: http://<IPofAdpater>:<PortOfAdapter>/DCM_HYPERV_ADAPTER
- SCVMM: http://<IPofAdpater>:<PortOfAdapter>/DCM_SCVMM_ADAPTER
- SCCM: http://<IPofAdpater>:<PortOfAdapter>/FUSION_SCCM_ADAPTER
If you get a browser error that it cannot connect or the page is not existing you either have an issue with a firewall along the communication path or the adapter’s web service did not start properly on the configured IP and port. Also make sure that the configured port for the adapter is not yet used by another service on your Microsoft server.
Troubleshooting Citrix XenDesktop Configuration with ExtremeConnect
Why do the usernames within ExtremeCloud IQ Site Engine NAC Manager appear as “Kerberos” usernames?
The XenDesktop adapter uses the same webservice call as the Kerberos snooping process. For the system’s functionality this makes no difference: you can create user groups, rules and profiles based on these usernames.
After some time the usernames are deleted or disappear in NAC Manager - why?
- The corresponding XenDesktop session has ended. In this case, the adapter resets the username on the corresponding end-system VM which will also trigger any existing rule / NAC profile changes.
- The Kerberos aging timer was triggered. Within NAC Manager you can configure a period after which the Kerberos usernames will automatically age out. If you don’t want this timer to interfere with the XenDesktop adapter functionality make sure to set a very high value or disable this feature.
Although some users have disconnected from their XenDesktop session the usernames are still active within NAC Manager - why?
XenDesktop distinguishes between a closed/non-existing session and a disconnected one. A session is first active, then disconnected and then deleted. As long as the session is in the disconnected state, the adapter still doesn’t reset the username within ExtremeCloud IQ Site Engine. In case the user re-activates his/her session, there is no need for the adapter to set the username and the corresponding user-profile is already active within NAC.
Troubleshooting Microsoft Hyper-V and Virtual Machine Manager Configuration with ExtremeConnect
How often will ExtremeConnect update the information within the notes field?
ExtremeConnect will check if the current remote data differs from its local. If so, it will update all data that is different on the remote service. This is especially true for the notes field and it is generally recommended not to use variables like LastSeenTime in the notes text, which will change very frequently and have a lot of updates as a result.
How does ExtremeConnect determine the name of the end-system group that a VM MAC address should be added to?
ExtremeConnect reads the virtual networks (virtual switches) each VM belongs to and puts its MAC address into the corresponding end-system group in ExtremeCloud IQ Site Engine. For this feature to work, end-system groups with the exact same name as the virtual networks from Hyper-V must exist within ExtremeCloud IQ Site Engine and the description field must contain “sync=true”.