Hey all, couldn't find an article that answers my problem, so starting my own :).
Hopefully I put in enough detail.
Server 2012 R2 Hyper-V Failover Cluster environment.
2 nodes. 1 SAN via SAS.
Disks added as CSV. Hyper-V config and vhds on CSVs.
Each node has 12 NICs.
NIC 1 - Mgmt - Gateway IP, DNS IP - 192.168.0.X/24
NIC 2 - Live Migration - IP only, no Gateway, no DNS - 10.20.30.X/24
NIC 3 to 10 - Windows Teamed Interface - LACP on Switch, added as Virtual Switch, External network, does not share mgmt
NIC 12 - DMZ - added as Virtual Switch, External network, does not share mgmt
Everything is fine. Cluster works, live migration works.
Recently we're going through a security exercise, operating Tenable.io, and remediating results found.
One of them is SMB Signing. I have been enabing the Group Policy "Microsoft network server: Digitally sign communications (always)" across various servers, testing along the way.
Until I apply this to my nodes. My CSVs don't appear to like it. After a few days, when trying to access a CSV in C:\ClusterStorage that is owned by another node, I can't see the Space used, and when trying to access it, I get "you have been denied
permission to access this folder".
Removing "Microsoft network server: Digitally sign communications (always)" on both instantly restores this communication.
After googling around, I have been witnessing a few Event Log errors in SMBClient, Event 30803 and 31010, but I'm not yet sure if it's related. I am still trying to monitor it without the policy change. This is an example:
[Event ID 30803]
The network connection failed.Error: {Device Timeout}
The specified I/O operation on %hs was not completed before the time-out period expired.
Server name: fe80::e0a9:e45:5b2b:f594%25
Server address: 10.20.30.2:445
Connection type: Wsk
Guidance:
This indicates a problem with the underlying network or transport, such as with TCP/IP, and not with SMB. A firewall that blocks port 445 or 5445 can also cause this issue.
[Event ID 31010]
The SMB client failed to connect to the share.Error: {Access Denied}
A process has requested access to an object, but has not been granted those access rights.
Path: \fe80::e0a9:e45:5b2b:f594%25\454b7f2d-4e6c-4332-ae29-5e4befc5ce5b-135266304$
So what am I missing? Is it something to do with SMB Signing trying to verify an identity, and CSVs are using SMB across the Live Migration network, 10.20.30.2, but these errors are showing IPv6 address as a server name?