Xen Orchestra cannot connect to XCP-ng Host

darabontors

Dear community,

I have a strange connection problem. I have the following situation:
I need to install XCP-ng with DHCP assigned IP address so that I can connect it to my Xen Orchestra. I can connect to the host with this DHCP IP address. After I finish setting up my XCP-ng from Xen Orchestra, I need to give the host a new IP for management. A static IP, on a VLAN network.

After the IP change, I could connect to the host with this new IP. After moving the host to a different location, suddenly there is an unspecified connection error while connecting to the host. This problem is only between Xen Orchestra and the host. I can connect with XCP-ng Center to the host, no problem. All networking works as should.

I mention that when I changed the IP of the host, I also changed the root password.

I suspect it is a certificate issue. It is the self signed certificate that XCP-ng generated during installation.

The host is not exposed to the public internet. I use a VPN to connect it to Xen Orchestra.

I'm using Xen Orchestra from the sources.

Please help me fix this issue. This is a remote host and I already reinstalled XCP-ng, but the issue came back.

Danp

Did you set the proxy address for the new IP under Settings > Servers?

darabontors

@anp Thanks for responding.
I dont't use a HTTP proxy. I do have ping from Xen Orchestra to the host and from the host to the Xen Orchestra.

I did get this error message in the logs:

server.enable
{
"id": "XXXXXXXXXXXXX"
}
{
"originalUrl": "https://X.X.X.X/jsonrpc",
"url": "https://X.X.X.X/jsonrpc",
"call": {
"method": "session.login_with_password",
"params": "* obfuscated *"
},
"message": "408 Request Timeout",
"name": "Error",
"stack": "Error: 408 Request Timeout
at Object.assertSuccess (/opt/xen-orchestra/node_modules/http-request-plus/index.js:162:19)
at httpRequestPlus (/opt/xen-orchestra/node_modules/http-request-plus/index.js:217:22)
at file:///opt/xen-orchestra/packages/xen-api/transports/json-rpc.mjs:13:17"
}

I can connect via XCP-ng Center to the host, no problem. It's just Xen Orchestra that can't connect.

Danp

It makes sense to me that it works with software running on your local workstation that is configured to use the VPN.

Is XO running as a VM on a different host? If so, how does it know to use the VPN?

darabontors

@anp
The is WireGuard site to site VPN set up. If ping works from inside the VM hosting Xen Orchestra how can Xen Orchestra have no access?

I am almost sure it is a certificate issue of some kind. I would like to generate a new certificate or somehow make Xen Orchestra ignore the certificate. I think XCP-ng Center ignores it by default, that is why it works from XCP-ng Center.

What do you thing?

Danp

Are you using the Unauthorized Certificates option on the Servers tab?

darabontors

Yes.

Danp

Make sure your XO is up-to-date. You could also test using XOA to see if the problem also exists there.

darabontors

I found the problem.
I am using OPNsense and forgot to disable TX checksum offloading. Very interesting that this checksum offloading caused catastrophic network disruptions on a Realtek nic, but no noticeable performance hit on Intel nics. This was an old host that featured a Realtek card. All my recent hosts that I use have only Intel nics. That is why I forgot about the whole offloading thing.

Thanks for the tips.

Best wishes to the whole community!